1Kosmos integrates with Linux via the 1Kosmos PAM module, adding biometric MFA to SSH logins, Linux desktop authentication, and shared workstation access.
Integration type
OS
Overview
1Kosmos integrates with Linux via the 1Kosmos PAM, adding multifactor authentication to SSH logins, desktop sessions, and shared workstations. Supported methods include push notifications, TOTP, email OTP, and SMS OTP. Administrators configure policies by user, group, IP range, or time using Adaptive Auth Journeys in AdminX.
What we solve
Organizations managing Linux servers and shared workstations need to protect SSH and local login access from stolen passwords and unauthorized privileged access, and enforce MFA policies by user, group, network, or time. This integration adds 1Kosmos MFA via the Linux PAM module so SSH/console logins require biometric push or OTP-based verification before access is granted.
The PAM module is installed as a package on the Linux host and configured through the /etc/pam.d/ PAM configuration files. After installation, the module connects the Linux host to the 1Kosmos tenant, and all SSH login attempts trigger an authentication challenge through 1Kosmos.
The user authenticates using the 1Kosmos mobile app or an OTP, and access is granted or denied based on the configured authentication journey.
Prerequisites
Active 1Kosmos tenant: Administrator access to the AdminX portal. Contact 1kosmos.com/contact if not yet provisioned.
Linux host access: Root or sudo access to the Linux system where the PAM module will be installed. Supported distributions include Ubuntu, RHEL/CentOS, Debian, and other major distributions.
1Kosmos PAM package: Obtain the 1Kosmos Linux PAM package from the 1Kosmos customer portal or your 1Kosmos representative.
User accounts in 1Kosmos: Users who will authenticate via the PAM module must have accounts in the 1Kosmos directory connected to your tenant. The PAM module can only authenticate accounts in user directories connected to the 1Kosmos tenant.
1Kosmos mobile app installed: Users must have the app on iOS or Android enrolled before SSH login testing.
Configuration values
Values to collect from 1Kosmos AdminX for PAM configuration:
| Field | Where to find it |
|---|---|
| API Key | AdminX → Applications → Linux PAM → configuration screen |
| Tenant URL | Your 1Kosmos AdminX portal URL (e.g., https://tenant.1kosmos.net) |
| Community ID | AdminX → Settings → Community settings |
Integration steps
Step 1: Install prerequisite packages
Connect to the Linux host via SSH with root or sudo access.
Install prerequisite packages for your distribution. On Ubuntu/Debian: `sudo apt-get install libpam-runtime libssl-dev`. On RHEL/CentOS: `sudo yum install pam-devel openssl-devel`.
Step 2: Install the 1Kosmos Linux PAM package
Download the 1Kosmos Linux PAM package from your 1Kosmos customer portal.
Install the package using your distribution's package manager (e.g., `sudo dpkg -i blockid-pam.deb` or `sudo rpm -ivh blockid-pam.rpm`).
Step 3: Configure the PAM module
Run the 1Kosmos PAM setup script and provide the required configuration values when prompted: API Key, Tenant URL, and Community ID. These values are found in the AdminX portal under Applications → Linux PAM.
The setup script updates the PAM configuration files in `/etc/pam.d/` to include the 1Kosmos PAM module in the SSH authentication chain.
Step 4: Configure authentication methods in AdminX
Log in to the AdminX portal and navigate to Applications → Linux PAM.
Select the authentication methods to enable: Push Notification, TOTP, OTP via Email, OTP via SMS, or Password. Enabling multiple methods lets users choose their preferred factor during login.
Optionally, configure Adaptive Auth Journeys to apply different authentication requirements based on conditions (e.g., require push notification for users outside the corporate network).
Step 5: Test SSH authentication
Open an SSH session to the Linux host. After entering the username and password (first factor), you will be prompted to select an authentication method.
Select option 1 (Push Notification) or an OTP option. Approve the authentication request in the 1Kosmos mobile app or enter the OTP.
Confirm access is granted to the Linux host after successful MFA.
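An added example, not part of the 1Kosmos package or documentation: a Python audit of the result of Step 3, run over the text of `/etc/pam.d/sshd` and the output of `sshd -T`. It flags an MFA module that is missing or not mandatory in the auth stack, and OpenSSH settings under which a login completes without the PAM prompt (public-key logins do not run the PAM auth stack). The module file name `pam_example_mfa.so` is a placeholder, because this page does not name the installed module; substitute the name the setup script wrote.

```python
import re

# Assumption: placeholder file name; the page does not name the module's .so file.
MFA_MODULE = "pam_example_mfa.so"

def audit_pam_auth(pam_text, module=MFA_MODULE):
    """Findings for the auth stack of one /etc/pam.d/ service file (e.g. sshd)."""
    findings, seen = [], False
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("@include") or re.match(r"-?auth\s+(include|substack)\s", line):
            findings.append(f"not followed, audit separately: {line}")
            continue
        m = re.match(r"-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        control, mod = m.group(1), m.group(2).rsplit("/", 1)[-1]
        if mod == module:
            seen = True
            if control not in ("required", "requisite"):
                findings.append(f"{module} is '{control}': its failure may not deny the login")
        elif control == "sufficient" and not seen:
            findings.append(f"{mod} is 'sufficient' before {module}: its success skips MFA")
    if not seen:
        findings.append(f"{module} not found in this file's auth stack")
    return findings

def audit_sshd(effective_conf):
    """Findings from `sshd -T` output (effective settings, lowercase keys)."""
    lines = (l.strip() for l in effective_conf.splitlines())
    opts = dict(l.split(None, 1) for l in lines if " " in l)
    findings = []
    if opts.get("usepam") != "yes":
        findings.append("usepam is not yes: sshd never runs the PAM auth stack")
    kbd = opts.get("kbdinteractiveauthentication", opts.get("challengeresponseauthentication"))
    if kbd != "yes":
        findings.append("keyboard-interactive is off: PAM prompts cannot reach the user")
    methods = opts.get("authenticationmethods", "any")
    if methods == "any":
        if opts.get("pubkeyauthentication") == "yes":
            findings.append("publickey alone is accepted: key logins skip the PAM auth stack")
    else:
        for chain in methods.split():
            if not any(m.startswith("keyboard-interactive") for m in chain.split(",")):
                findings.append(f"method list '{chain}' completes without PAM prompts")
    return findings
```

Feed `audit_pam_auth` the contents of the service file and `audit_sshd` the output of `sudo sshd -T`; an empty list from both means none of these bypass conditions were found in the text supplied.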
Integration notes
The 1Kosmos Linux PAM is designed for SSH and console-based login MFA. It supports both online and offline authentication modes, ensuring users can authenticate even when network connectivity is limited, depending on the configured methods.
For shared workstation environments, the 1Kosmos 1Key hardware biometric device provides a FIDO2-based authentication option that allows multiple users to authenticate using fingerprint scanning on a shared endpoint without individual mobile devices.
Logs for 1Kosmos PAM authentication events are written to /var/log/blockId/blockId.log for troubleshooting.

