diff --git a/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx b/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx index f913fe052a..e56792c296 100644 --- a/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx +++ b/website/docs/endpoint-devices/authentik-agent/agent-deployment/linux.mdx @@ -57,7 +57,13 @@ sudo apt update sudo apt install authentik-cli authentik-agent authentik-sysd ``` -4. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak` +4. _(optional)_ If you plan to enable [SSH server authentication and local device login](#enable-device-compliance-ssh-server-authentication-and-local-device-login), you will need to install two additional packages: + +```sh +sudo apt install libnss-authentik libpam-authentik +``` + +5. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak` You should see a response that starts with: `authentik CLI v` @@ -93,7 +99,13 @@ EOF sudo yum install -y authentik-cli authentik-agent authentik-sysd ``` -3. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak` +3. _(optional)_ If you plan to enable [SSH server authentication and local device login](#enable-device-compliance-ssh-server-authentication-and-local-device-login), you will need to install two additional packages: + +```sh +sudo yum install -y libnss-authentik libpam-authentik +``` + +4. Confirm that the authentik Agent is installed by opening a terminal window and entering the following command: `ak` You should see a response that starts with: `authentik CLI v` @@ -125,13 +137,13 @@ sudo ak-sysd domains join --authentik-url https://authentik.co 2. You will be prompted to enter your [enrollment token](#create-an-enrollment-token). 3. Once provided, the device will be enrolled with your authentik deployment and should appear on the [Devices page](../../manage-devices.mdx) after a [check-in](../../device-compliance/device-reporting.md) is completed. -### Local device login on non-Debian systems +### Configure device login on non-Debian systems On non-Debian Linux distributions, you currently need to manually configure NSS and PAM: -1. Edit `etc/nsswitch.conf` to include `authentik` for `passwd`, `group`, and `shadow`: +1. Edit `/etc/nsswitch.conf` to include `authentik` for `passwd`, `group`, and `shadow`: -```bash title="etc/nsswitch.conf" +```bash title="/etc/nsswitch.conf" ... passwd: files systemd authentik group: files systemd authentik @@ -140,15 +152,15 @@ gshadow: files systemd ... ``` -2. Edit the following two files in the `etc/pam.d/` directory. The order matters, both of these lines should be located above `pam_unix` in the respective files. +2. Edit the following two files in the `/etc/pam.d/` directory. The order matters, both of these lines should be located above `pam_unix` in the respective files. -```bash title="etc/pam.d/common-auth" +```bash title="/etc/pam.d/common-auth" ... auth [success=2 default=ignore] pam_authentik.so ... ``` -```bash title="etc/pam.d/common-session" +```bash title="/etc/pam.d/common-session" ... session required pam_authentik.so ... @@ -176,7 +188,7 @@ ak version ## Logging -authentik Agent logs are available via the system journal (`systemd`) or `syslog`, depending on the distribution. +authentik Agent logs are available via the systemd journal (`journalctl`) or `syslog`, depending on the distribution. ## Reporting issues diff --git a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md index 1039af9342..be4547878a 100644 --- a/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md +++ b/website/docs/endpoint-devices/authentik-agent/device-authentication/local-device-login/linux.md @@ -29,4 +29,4 @@ When configured correctly, when logging in you should see a prompt for **authent ## Known issues - Only Webauthn MFA is supported. -- On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../agent-deployment/linux.mdx#local-device-login-on-non-debian-systems). +- On non-Debian Linux distributions, you currently need to [manually configure NSS and PAM](../../agent-deployment/linux.mdx#configure-device-login-on-non-debian-systems).