Mirket MFA Agent for Red Hat

Mirket OS Agent enables Multi-Factor Authentication (MFA) for:

  • SSH access

  • Privilege elevation (sudo/su)

Authentication can be performed via Mirket Push, or by entering a Passcode (TOTP, Mirket token, Offline code, or Recovery code).

1. Download the Agent

wget https://mirketosagentubuntu.s3.eu-west-2.amazonaws.com/LinuxOSAgent.tar.gz

2. Install the Agent

Extract the archive and make the installation scripts executable:

tar -xzvf LinuxOSAgent.tar.gz
cd LinuxOSAgent/
sudo chmod +x ./redhat_install_mirket.sh
sudo chmod +x ./redhat_passwordless_mirket.sh 
sudo chmod +x ./redhat_uninstall_mirket.sh 

First, check the server time:

date

If the time is not correct, verify that systemd-timesyncd is active:

If the service is not running, enable and start it:

This will ensure the system clock is updated automatically.

Once the time is correct, proceed with the installation script.

Run the installer with elevated privileges:


3. Offline Code Setup

During installation, you'll be prompted to generate and verify an Offline Code:

  • A QR code and a secret key (Base32) will be shown.

  • Enter the corresponding Offline Code to verify.

  • This code will be used if the device is offline.

Example:


🌐 4. Enter Admin URL and API Key

When prompted:

  • Enter your Mirket admin URL (default is: https://admin.mirketsecurity.com)

  • Paste the API Key generated from the Mirket Admin Portal.

5. Configure Bypass Users (Optional)

During setup, you can define users who can bypass MFA (e.g., for emergency or monitoring accounts).

Example input:


6. Authentication Test

SSH Login

  • 1 triggers a Mirket Push notification to your mobile device.

  • You can also enter a passcode manually.

  • On Red Hat, authentication first checks MFA, and only then verifies the password.

Sudo/Privilege Elevation

  • On Red Hat privilege elevation, authentication first checks MFA, and only then verifies the password.

Supported Passcode Types:

  • Mirket token

  • TOTP (Time-based One-Time Password)

  • Offline code

  • Recovery code

🧹 7. Uninstalling the Agent

To remove the Mirket OS Agent completely:

This will:

  • Remove all related binaries

  • Clean PAM configurations

  • Restore SSH settings

Enabling Passwordless MFA with Mirket PAM Module

This guide explains how to configure SSH login and privileged commands (sudo) to enforce passwordless Multi-Factor Authentication (MFA) using the pam_mirket_authenticator.so module. By adjusting only the PAM configuration, without modifying the sshd_config file, you achieve a secure and streamlined authentication flow.


🎯 Objective

To enforce Mirket MFA as the sole authentication method for:

  • SSH login

  • sudo and other PAM-based elevated actions

while fully disabling traditional password or public key authentication.


Configuring Passwordless SSH Authentication on Red Hat

To disable password-based authentication and enable passwordless SSH login:

  1. Open the SSH PAM configuration file:

  2. Locate the following line and disable it by commenting it out:

  3. Restart the SSH service to apply the changes:


Re-enabling Password Authentication on SSH

To restore password-based authentication:

  1. Open the same SSH PAM configuration file:

  2. Enable the line by uncommenting it:

  3. Restart the SSH service again:

Enabling Passwordless sudo on Red Hat

To enable passwordless sudo authentication on Red Hat systems:

  1. Run the following command:

  2. The script will:

    • Check for any existing custom authentication profiles.

    • Create a new custom profile named passwordless-mirket based on the sssd profile.

    • Activate the new profile automatically.

    Example output:

Note: Ensure that the SSSD service is properly configured and enabled before applying this change.


Reverting to OTP + Password for sudo

If you want to revert and require both OTP and password for sudo authentication, run:

This will restore the configuration that enforces OTP + password for elevated access.


Reverting to Password-only sudo Authentication

If you prefer to use password-only sudo authentication:


Summary:

| Mode | Command | Description |
|------|---------|-------------|
| Passwordless sudo | sudo ./redhat_passwordless_mirket.sh | Enables passwordless sudo profile |
| OTP + Password sudo | sudo authselect select custom/mirket --force && sudo authselect apply-changes | Restores MFA-based sudo |
| Password-only sudo | sudo authselect select sssd --force && sudo authselect apply-changes | Reverts to password-only sudo |
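
To check which of these modes a host is actually in (for example, to catch a server that has drifted back to password-only sudo), the following added example classifies the active authselect profile and looks for an uncommented pam_mirket_authenticator.so line in PAM files. It is not part of the Mirket agent or its documentation. The profile ID custom/passwordless-mirket, the `Profile ID:` line of `authselect current`, and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not Mirket's code): report which sudo auth mode a host is in.

# Extract the profile ID from `authselect current` output read on stdin.
authselect_profile() {
    sed -n 's/^Profile ID:[[:space:]]*//p' | head -n 1
}

# Map a profile ID to the modes in the summary table.
# custom/passwordless-mirket is an assumed ID: the page only names the
# profile "passwordless-mirket" and says it is a custom profile.
mirket_sudo_mode() {
    case "$1" in
        custom/passwordless-mirket) echo "passwordless" ;;
        custom/mirket)              echo "otp+password" ;;
        sssd)                       echo "password-only" ;;
        "")                         echo "unknown" ;;
        *)                          echo "other:$1" ;;
    esac
}

# Succeed if PAM text on stdin has an uncommented auth line that loads
# pam_mirket_authenticator.so (commented-out lines do not count).
pam_mirket_enabled() {
    grep -Eq '^[[:space:]]*-?auth[[:space:]].*pam_mirket_authenticator\.so'
}

# Audit a live host: pass the PAM files to inspect as arguments.
# Returns non-zero when sudo is not in one of the two Mirket modes.
audit_host() {
    profile=$(authselect current 2>/dev/null | authselect_profile)
    mode=$(mirket_sudo_mode "$profile")
    echo "profile=${profile:-none} sudo_mode=$mode"
    for f in "$@"; do
        if [ -r "$f" ] && pam_mirket_enabled < "$f"; then
            echo "$f: Mirket module active"
        else
            echo "$f: Mirket module not active"
        fi
    done
    [ "$mode" = "passwordless" ] || [ "$mode" = "otp+password" ]
}

# Constructed sample input, so the functions can be tried offline.
SAMPLE_CURRENT='Profile ID: custom/mirket
Enabled features: None'
SAMPLE_PAM='#auth required pam_mirket_authenticator.so
auth  required  pam_mirket_authenticator.so'
```

On a Red Hat host, source the file and run `audit_host /etc/pam.d/sshd /etc/pam.d/system-auth`; those are the stock RHEL PAM paths, not values given on this page.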
