Offline Authorization (Elevation)
1 min
even when there is no communication between the agent and kron pam—meaning the agent is operating in offline mode —command elevation via otp is still possible if the offline aa (authentication and authorization) feature is enabled how offline otp elevation works · prerequisite the offline aa policy must be enabled on the agent group level · initial sync after the policy is enabled, the user must perform at least one successful login while the agent is still online · key storage during this initial login, the agent securely retrieves the otp generating key from kron pam and stores it locally · encryption this key is kept in the agent's local database in an encrypted format to ensure security · local verification once the agent goes offline, if a user attempts to execute a command that requires elevation via otp, the agent uses the stored encrypted key to verify the otp locally since it has the necessary algorithm and key, it does not need to reach kron pam to authorize the elevation