Authentication
4 min
kron pam epm agent also supervises authentication processes every successful or failed authentication attempt made to a server with the agent installed is captured and logged these logs are available for auditing on the authentication log page within kron pam · ad bridging through the ad bridging feature, kron pam allows its own users to log in to an agent installed server with basic privileges, even if those users do not exist locally on that server · realm check if the user attempting to log in is a kron pam user, the agent verifies the realm check setting via the agent group o disabled the agent does not check for a realm relationship between the user and the server o enabled a realm must exist for the login to proceed configuring two factor authentication (2fa/otp) to require a second factor for user verification, follow these two steps (similar to other proxies) if the agent and kron pam is communicating, this means that agent is online hence otp will be verified by kron pam 1 enable otp for the user group navigate to administration > multi factor authentication > user group management and enable otp for the relevant group 2 linux agent configuration set the following parameter to true in sys config man sc linux agent connection otp enabled = true once these steps are completed, any pam user attempting to log in to a server with the linux agent installed will be prompted for an otp end users can obtain their otp via the kron pam web interface or the kron pam mobile application for more detailed information, please refer to the relevant section of the reference guide the kron pam epm agent supports login capabilities for kron pam users even when there is no communication between the agent and the server—meaning the agent is in offline mode offline authentication and authorization (aa) to enable this functionality 1 the offline aa toggle button must be enabled on the agent group 2 the end user must log in to the endpoint at least once while the agent is online to receive this policy once these steps are completed, the user can continue to log in even if the connection to kron pam is lost this access is valid for the duration (in days) specified in the configuration parameters when enabling the feature security and logging in offline mode · otp verification if otp is required, the agent performs the verification locally during the offline period · audit logs authentication logs are stored locally by the agent while it is offline as soon as the agent regains its connection to kron pam, all cached logs are automatically forwarded to the system for auditing managerial approval workflow for sudo commands sudo is a utility used to execute commands with root privileges in this architecture, when a command is executed with sudo, the agent does not run the command immediately instead, by default, it requires managerial approval 1\ the request process once a command is initiated, the end user is prompted to specify the duration for which they need this elevated privilege following this, an approval request is automatically routed to the user’s manager additionally, the manager receives an email notification informing them that a command execution request has been initiated 2\ integration with kron pam the agent leverages the kron pam (privileged access management) managerial approval infrastructure to handle this workflow the manager has the authority to either approve or reject the request based on the provided context 3\ execution and feedback the result of the manager's decision is sent back to the end user as a prompt · if approved the user can then re run the same command and will successfully receive the output this time · if rejected the command remains unauthorized 4\ expiration and re elevation the elevated privilege is temporary once the duration specified by the user expires, the elevation cycle resets any further high privilege commands will once again require the managerial approval process to begin from the start all these executions on endpoint will be logged to kron pam in session log and command logs