
SurePassID Linux PAM: Overview and Capabilities

The SurePassID Linux PAM module adds multi-factor authentication (MFA) to Linux servers and workstations. It integrates with the standard Linux Pluggable Authentication Module (PAM) stack and validates each login against the SurePassID MFA server.

What it protects

The module can secure these Linux entry points:

  • SSH remote access
  • sudo privilege escalation
  • su and console login
  • Graphical desktop sessions and screensaver unlock (GDM, LightDM, SDDM, and others wired up at install time)

Authentication methods

  • One-time passcodes (OTP) from hardware or software tokens (TOTP/HOTP)
  • OTP delivered by SMS, email, or voice call
  • Mobile push authentication, including push with FIDO
  • SMS and voice push confirmation
  • Offline codes (cached HOTP) for when the MFA server is unreachable

The operating system authenticates the user's credentials, and SurePassID adds secure authentication on top. Depending on your configuration, SurePassID can run as first-factor only, second-factor only, or both (1FA, 2FA, 1FA+2FA). A configurable bypass group lets designated accounts skip the SurePassID step.

Supported platforms

Supported on both x86_64 (amd64) and aarch64 (arm64):

  • Debian 13 (Trixie), 12 (Bookworm), 11 (Bullseye)
  • Ubuntu 26.04, 24.04, 22.04, 20.04 LTS
  • Red Hat Enterprise Linux 10, 9, 8
  • Rocky Linux 10, 9, 8
  • Oracle Linux 10, 9, 8
  • CentOS Stream 10, 9

Related distributions (such as AlmaLinux or Linux Mint) may install via ID_LIKE detection but are outside the actively tested matrix.
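A pre-install check for the distinction above, as an added example (not SurePassID's installer logic, which this page does not describe): it reads an os-release file and reports whether the host is in the tested matrix, is an unlisted release of a listed distribution, or matches only through ID_LIKE. The function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example, not SurePassID code: classify a host against the tested matrix
# listed above. Function names and result labels are hypothetical.

# Tested matrix from this page as ID:version (major only, except Ubuntu).
TESTED="debian:13 debian:12 debian:11 ubuntu:26.04 ubuntu:24.04 ubuntu:22.04 \
ubuntu:20.04 rhel:10 rhel:9 rhel:8 rocky:10 rocky:9 rocky:8 ol:10 ol:9 ol:8 \
centos:10 centos:9"

# Read one key from an os-release file by parsing, never by sourcing it,
# so a tampered file cannot run code in the checking shell.
osr_get() {
  sed -n "s/^$1=//p" "$2" | head -n 1 | tr -d "\"'"
}

# Usage: classify_host <os-release file> <machine arch>
# Prints tested | untested-version | id_like | unsupported | unsupported-arch
classify_host() {
  file=$1; arch=$2
  case $arch in
    x86_64|amd64|aarch64|arm64) ;;
    *) echo unsupported-arch; return 0 ;;
  esac
  id=$(osr_get ID "$file")
  ver=$(osr_get VERSION_ID "$file")
  like=$(osr_get ID_LIKE "$file")
  # Ubuntu is matched on the full release, everything else on the major number.
  if [ "$id" != ubuntu ]; then ver=${ver%%.*}; fi
  for entry in $TESTED; do
    if [ "$entry" = "$id:$ver" ]; then echo tested; return 0; fi
  done
  # Same distribution, but a release the page does not list.
  case " $TESTED" in *" $id:"*) echo untested-version; return 0 ;; esac
  # Derivative: a parent named in ID_LIKE is in the matrix (version not compared).
  for parent in $like; do
    case " $TESTED" in *" $parent:"*) echo id_like; return 0 ;; esac
  done
  echo unsupported
}

# Classify the local host when run directly.
if [ -r /etc/os-release ]; then
  classify_host /etc/os-release "$(uname -m)"
fi
```

Hosts that report `id_like` or `untested-version` are the ones to validate in a staging environment before MFA is enforced on their SSH and sudo paths.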

Deployment options

  • Install the signed RPM or DEB from a downloaded tarball (https://downloads.surepassid.com/PAM/)
  • Add the signed SurePassID package repository and install with dnf or apt
  • Deploy offline from a self-contained air-gapped repository mirror
  • Automate rollout with the surepassid.linux_pam Ansible collection

Requirements

  • A SurePassID MFA Server account and an application key from the SurePassID Administration Portal
  • Network access to the SurePassID MFA server (direct or via proxy), or offline codes for disconnected use
  • OpenSSL and Jansson libraries (installed automatically by the package manager; pre-staged for air-gapped installs)

Frequently asked questions

Which logins can SurePassID protect?

SSH, sudo, su, console login, and graphical desktop sessions.

Does it work without internet access on the host?

Yes — offline codes allow authentication when the server is unreachable, and an air-gapped mirror supports offline installation.

Can some accounts skip MFA?

Yes — a configurable bypass group exempts designated service or break-glass accounts.

How is it deployed at scale?

Use the surepassid.linux_pam Ansible collection.

Where can I see what changed between releases?

See the release notes at https://downloads.surepassid.com/PAM/linux/CHANGELOG.md.

Need help?

Contact SurePassID support at helpdesk@surepassid.com.