Mirket MFA Agent for Ubuntu

Mirket OS Agent enables Multi-Factor Authentication (MFA) for:

  • SSH access

  • Privilege elevation (sudo/su)

  • Local Ubuntu login

Authentication can be performed via Mirket Push, or by entering a Passcode (TOTP, Mirket token, Offline code, or Recovery code).

📥 1. Download the Agent

wget https://mirketosagentubuntu.s3.eu-west-2.amazonaws.com/UbuntuOSAgent.tar.gz

⚙️ 2. Install the Agent

Extract the archive and make the installation scripts executable:

tar -xzvf UbuntuOSAgent.tar.gz
cd UbuntuOSAgent/
sudo chmod +x ./ubuntu_install_mirket.sh
sudo chmod +x ./uninstall_mirket.sh

Before running the installer, check the server time (time-based passcodes such as TOTP depend on an accurate clock):

date

If the time is not correct, verify that systemd-timesyncd is active:

sudo systemctl status systemd-timesyncd

If the service is not running, enable and start it:

sudo systemctl enable systemd-timesyncd
sudo systemctl start systemd-timesyncd

Then enable network time synchronization and confirm the status:

sudo timedatectl set-ntp true
sudo timedatectl status

This will ensure the system clock is updated automatically.

Once the time is correct, proceed with the installation script.

Run the installer with elevated privileges:

sudo ./install_mirket.sh

🔑 3. Offline Code Setup

During installation, you'll be prompted to generate and verify an Offline Code:

  • A QR code and a secret key (Base32) will be shown.

  • Enter the corresponding Offline Code to verify.

  • This code will be used if the device is offline.

🌐 4. Enter Admin URL and API Key

When prompted:

  • Enter your Mirket admin URL (default is: https://admin.mirketsecurity.com)

  • Paste the API Key generated from the Mirket Admin Portal.

🙋‍♂️ 5. Configure Bypass Users (Optional)

During setup, you can define users who can bypass MFA (e.g., for emergency or monitoring accounts).

Example input:

Please enter a username to add as a bypass user (type -1 to finish): mirket
Please enter a username to add as a bypass user (type -1 to finish): -1

🔐 6. Authentication Test

SSH Login

login as: oliver
Keyboard-interactive authentication prompts from server:
| Password:
| Enter Passcode Or 1 For Push: 1
End of keyboard-interactive prompts from server

  • 1 triggers a Mirket Push notification to your mobile device.

  • You can also enter a passcode manually.

Sudo/Privilege Elevation

$ sudo su
[sudo] password for oliver:
Enter Passcode Or 1 For Push: 453452

Supported Passcode Types:

  • Mirket token

  • TOTP (Time-based One-Time Password)

  • Offline code

  • Recovery code

Ubuntu Desktop Login

  • User enters their system password as usual.

  • If password is correct, an MFA prompt appears:

    • Enter Passcode Or 1 For Push

🧹 7. Uninstalling the Agent

To remove the Mirket OS Agent completely:

cd ~/UbuntuAgent/
sudo ./uninstall_mirket.sh

This will:

  • Remove all related binaries

  • Clean PAM configurations

  • Restore SSH settings

🚀 Enabling Passwordless MFA with Mirket PAM Module

This guide explains how to configure SSH login and privileged commands (sudo) to enforce passwordless Multi-Factor Authentication (MFA) using the pam_mirket_authenticator.so module. By adjusting the PAM configuration only—without modifying the sshd_config file—you achieve a secure and streamlined authentication flow.


🎯 Objective

To enforce Mirket MFA as the sole authentication method for:

  • SSH login

  • sudo and other PAM-based elevated actions

  • Ubuntu desktop login

while fully disabling traditional password or public key authentication.


Open the common-auth PAM configuration file:

sudo nano /etc/pam.d/common-auth

Comment out the default authentication modules by placing # at the beginning of the following lines:

# auth   [success=1 default=ignore]      pam_unix.so nullok
# auth   requisite                       pam_deny.so
# auth   required                        pam_permit.so
# auth   optional                        pam_cap.so

Then add or ensure the Mirket MFA module is the only active authentication rule:

auth required /lib/x86_64-linux-gnu/security/pam_mirket_authenticator.so nullok

📌 This ensures that PAM no longer checks the system password, and only relies on Mirket’s authenticator.
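
A check to run against /etc/pam.d/common-auth after the edit, while your current root session is still open. This is an added example, not Mirket's code: the function names and result labels are assumptions, and the module names and .so path are the ones shown on this page.

```sh
#!/bin/sh
# Added example, not Mirket's code. Function names and result labels are
# assumptions; module names and the .so path are the ones shown on this page.

# Active (uncommented) auth rules of a PAM file, whitespace-normalised.
active_auth_rules() {
    awk '$1 == "auth" || $1 == "-auth" { $1 = $1; print }' "$1"
}

# Module field of each active auth rule. The control field may be a bracketed
# list containing spaces, e.g. [success=1 default=ignore].
auth_modules() {
    active_auth_rules "$1" | awk '{
        i = 2
        if ($i ~ /^\[/) { while (i < NF && $i !~ /\]$/) i++ }
        print $(i + 1)
    }'
}

# Classify the stack: mfa-only, password+mfa, password-only or no-known-rule.
pam_auth_mode() {
    mods=$(auth_modules "$1"); mirket=0; unix=0
    case "$mods" in *pam_mirket_authenticator.so*) mirket=1 ;; esac
    case "$mods" in *pam_unix.so*) unix=1 ;; esac
    if [ "$mirket" -eq 1 ] && [ "$unix" -eq 0 ]; then echo "mfa-only"
    elif [ "$mirket" -eq 1 ]; then echo "password+mfa"
    elif [ "$unix" -eq 1 ]; then echo "password-only"
    else echo "no-known-rule"
    fi
}

# Absolute module paths named by active auth rules that do not exist on disk.
# A "required" rule whose module cannot be loaded fails every authentication.
missing_modules() {
    for m in $(auth_modules "$1"); do
        case "$m" in /*) [ -e "$m" ] || echo "$m" ;; esac
    done
}

# Constructed sample: common-auth after the edit described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# auth   [success=1 default=ignore]      pam_unix.so nullok
# auth   requisite                       pam_deny.so
auth required /lib/x86_64-linux-gnu/security/pam_mirket_authenticator.so nullok
EOF
pam_auth_mode "$sample"
missing_modules "$sample"
rm -f "$sample"
```

On a real host, pass /etc/pam.d/common-auth instead of the sample; any path printed by missing_modules should be resolved before logging out. The script reads only the PAM file; sshd settings such as public-key authentication are decided in sshd itself and can be listed with `sudo sshd -T`.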

✅ Post-Installation Notes

  • PAM configuration updated: auth required /lib/x86_64-linux-gnu/security/pam_mirket_authenticator.so nullok

  • SSH setting KbdInteractiveAuthentication is enabled

  • Mirket Agent supports interactive MFA prompts across terminal and GUI login (Ubuntu Login Screen)
