Mirket MFA Agent for SUSE
Mirket OS Agent enables Multi-Factor Authentication (MFA) for:
SSH access
Privilege elevation (sudo/su)
Local SUSE login
Authentication can be performed via Mirket Push, or by entering a Passcode (TOTP, Mirket token, Offline code, or Recovery code).
📥 1. Download the Agent
wget https://mirketosagentubuntu.s3.eu-west-2.amazonaws.com/LinuxOSAgent.tar.gz
⚙️ 2. Install the Agent
Extract the archive and make the installation scripts executable:
tar -xzvf LinuxOSAgent.tar.gz
cd LinuxOSAgent/
sudo chmod +x ./suse_install_mirket.sh
sudo chmod +x ./uninstall_mirket.sh
Before installing the Mirket MFA Agent, it is critical that the server time is accurate. Both the offline code and the recovery code mechanisms depend on the system clock. If the server time is incorrect, these features will not function properly.
First, check the server time:
date
If the time is not correct, verify the chronyd service:
sudo systemctl status chronyd
If the service is not running, execute the following commands:
sudo systemctl enable chronyd
sudo systemctl start chronyd
sudo chronyc makestep
Afterwards, re-check the time with date.
Once the server time is correct, proceed with running the installation script.
Run the installer with elevated privileges:
sudo ./suse_install_mirket.sh
🔑 3. Offline Code Setup
During installation, you'll be prompted to generate and verify an Offline Code:
A QR code and a secret key (Base32) will be shown.
Enter the corresponding Offline Code to verify.
This code will be used if the device is offline.
Example:

🌐 4. Enter Admin URL and API Key
When prompted:
Enter your Mirket admin URL (default is: https://admin.mirketsecurity.com)
Paste the API Key generated from the Mirket Admin Portal.
🙋‍♂️ 5. Configure Bypass Users (Optional)
During setup, you can define users who can bypass MFA (e.g., for emergency or monitoring accounts).
Example input:
Please enter a username to add as a bypass user (type -1 to finish): mirket
Please enter a username to add as a bypass user (type -1 to finish): -1
🔐 6. Authentication Test
SSH Login
login as: oliver
Keyboard-interactive authentication prompts from server:
| Password:
| Enter Passcode Or 1 For Push: 1
End of keyboard-interactive prompts from server
1 triggers a Mirket Push notification to your mobile device. You can also enter a passcode manually.
Sudo/Privilege Elevation
$ sudo su
[sudo] password for oliver:
Enter Passcode Or 1 For Push: 453452
Supported Passcode Types:
Mirket token
TOTP (Time-based One-Time Password)
Offline code
Recovery code
🧹 7. Uninstalling the Agent
To remove the Mirket OS Agent completely:
cd LinuxOSAgent/
sudo ./uninstall_mirket.sh
This will:
Remove all related binaries
Clean PAM configurations
Restore SSH settings
🚀 Enabling Passwordless MFA with Mirket PAM Module
This guide explains how to configure SSH login and privileged commands (sudo) to enforce passwordless Multi-Factor Authentication (MFA) using the pam_mirket_authenticator.so module. By adjusting only the PAM configuration, without modifying the sshd_config file, you achieve a secure and streamlined authentication flow.
🎯 Objective
To enforce Mirket MFA as the sole authentication method for:
SSH login
sudo
and other PAM-based elevated actions
while fully disabling traditional password or public key authentication.
Open the common-auth PAM configuration file:
sudo nano /etc/pam.d/common-auth
Comment out the default authentication modules by placing # at the beginning of the following lines:
# auth [success=1 default=ignore] pam_unix.so nullok
# auth requisite pam_deny.so
# auth required pam_permit.so
# auth optional pam_cap.so
Then add or ensure the Mirket MFA module is the only active authentication rule:
auth required /lib/x86_64-linux-gnu/security/pam_mirket_authenticator.so nullok
📌 This ensures that PAM no longer checks the system password, and only relies on Mirket’s authenticator.
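A check to run from a second, still-open root session after editing the file, added here as an example (not Mirket's own tooling): it reads a PAM file and reports whether the Mirket module is the only active auth rule, as the steps above intend. The function names and the sample file are constructed for this example; pass a path such as /etc/pam.d/common-auth as the first argument to audit a real file.

```shell
#!/bin/sh
# Added example, not part of the Mirket agent: audit a PAM auth stack
# for the passwordless layout described in this guide.
MODULE="pam_mirket_authenticator.so"

# Print the active "auth" rules of a PAM file (comments and blanks are skipped).
active_auth_lines() {
    awk '$1 == "auth" || $1 == "-auth"' "$1"
}

# Exit status: 0 = Mirket module is the only active auth rule
#              1 = other auth modules are still active
#              2 = Mirket rule missing, or its control is not "required"
check_passwordless() {
    rules=$(active_auth_lines "$1")
    mirket=$(printf '%s\n' "$rules" | grep -F "$MODULE" || true)
    others=$(printf '%s\n' "$rules" | grep -vF "$MODULE" || true)
    if [ -z "$mirket" ]; then
        echo "FAIL: $MODULE has no active auth rule in $1"
        return 2
    fi
    control=$(printf '%s\n' "$mirket" | awk 'NR == 1 { print $2 }')
    if [ "$control" != "required" ]; then
        echo "FAIL: $MODULE uses control '$control'; the guide uses 'required'"
        return 2
    fi
    if [ -n "$others" ]; then
        echo "WARN: other auth modules are still active in $1:"
        printf '%s\n' "$others"
        return 1
    fi
    echo "OK: $MODULE is the only active auth rule in $1"
}

# Constructed sample: the layout from the guide, written to a temp file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# auth [success=1 default=ignore] pam_unix.so nullok
# auth requisite pam_deny.so
# auth required pam_permit.so
# auth optional pam_cap.so
auth required /lib/x86_64-linux-gnu/security/pam_mirket_authenticator.so nullok
EOF
check_passwordless "${1:-$demo}" || echo "exit status: $?"
rm -f "$demo"
```

A WARN result means the system password module or another auth rule is still consulted, so the stack is not yet passwordless.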
✅ Post-Installation Notes
PAM configuration updated:
auth required /lib/x86_64-linux-gnu/security/pam_mirket_authenticator.so nullok
SSH setting KbdInteractiveAuthentication is enabled
Mirket Agent supports interactive MFA prompts across terminal and GUI login (Ubuntu Login Screen)