Rublon

Secure Remote Access

By

Last updated on August 19, 2025

Overview of MFA for Veritas NetBackup

Rublon integrates with Veritas NetBackup to add Multi-Factor Authentication (MFA) to every remote or local SSH login using a PAM module. All required steps will be described in this document.

Supported Systems

  • Debian (11, 12)
  • Ubuntu (18.04, 20.04, 22.04, 24.04)
  • Red Hat / CentOS / Alma / Rocky (8, 9)
  • openSUSE Leap / SUSE Linux Enterprise Server 15 SP3

Supported Authentication Methods

Authentication Method Supported Comments
Mobile Push N/A
WebAuthn/U2F Security Key N/A
Passcode N/A
SMS Passcode N/A
SMS Link N/A
Phone Call N/A
QR Code N/A
Email Link N/A
YubiKey OTP Security Key N/A

Known Limitations

  • If a user has enrolled multiple Phones, only the MFA methods available for the Phone that was selected as default are displayed in the SSH connector. There is no option to switch to another Phone.
  • After enrolling a Phone Number for SMS authentication or enrolling the Rublon Authenticator app, the system prioritizes one of these authenticators over the other. In certain circumstances, the authentication methods associated with the former authenticator may become unavailable in the SSH interface.

Before you start

Create an Application in the Rublon Admin Console

1. Sign up for the Rublon Admin Console. Here’s how.

2. In the Rublon Admin Console, go to the Applications tab and click Add Application

3. Enter a name for your application (e.g., Veritas NetBackup) and then set the type to Linux SSH.

4. Click Save to add the new application in the Rublon Admin Console.

5. Copy and save the values of the System Token and Secret Key. You are going to need these values later.

Install Rublon Authenticator

Some end-users may install the Rublon Authenticator mobile app. So, as a person configuring MFA for Veritas NetBackup, we highly recommend you install the Rublon Authenticator mobile app, too. Thanks to that, you will be able to test MFA for Veritas NetBackup via Mobile Push.

Download the Rublon Authenticator for:

Installation & Configuration of MFA for Veritas NetBackup

RHEL/ALMA/Rocky

1. Download and install our standard SSH module (sudo yum -y install rublon.rpm).

2. Configure the module in /etc/rublon.config (nano /etc/rublon.config):

  • Paste the values of the System Token and Secret Key from the application with the type Linux SSH added in the Applications tab of the Rublon Admin Console that you have copied before.
  • In the /etc/rublon.config file, set nonInteractiveMode to “true”.
  • Adjust other options according to your preferences or leave the default values. Refer to Updating the Configuration File for more information about each option.

3. Your configuration is now complete. You can log in to Veritas NetBackup with Rublon MFA.

Manual Installation (Other Linux Systems)

If you are facing issues with your RHEL/ALMA/Rocky installation or using a different Linux distribution, complete the following manual installation steps.

1. Download and install our standard SSH module:

Ubuntu & Debian:

For Ubuntu (20.04, 22.04, 24.04) and Debian (11, 12), use:

sudo dpkg -i <package_name>

RHEL, AlmaLinux, Rocky Linux & CentOS:

Use the following installation command:

sudo yum install <package_name>

openSUSE Leap / SUSE Linux Enterprise Server 15 SP3:

sudo zypper install <package_name>

2. Navigate to your existing Rublon SSH installation location, and place the pam_rublon.so file in /usr/lib64/security/.

3. Navigate to the /etc/pam.d folder and create a file named rublon with the following contents:

auth required pam_env.so 
auth requisite pam_unix.so 
auth sufficient pam_rublon.so 
auth required pam_deny.so

4. Navigate to /usr/openv/netbackup/sec/at/bin/ and run the following command:

sudo ./vssat updateplugin --pluginname pam --attribute ServiceName --value "rublon" -t string

In the preceding command, rublon is the name of the file that was created in the /etc/pam.d/ folder.

5. Create the /usr/openv/netbackup/pam_service.txt file with the following contents:

rublon

6. Configure the module in /etc/rublon.config (nano /etc/rublon.config):

  • Paste the values of the System Token and Secret Key from the application with the type Linux SSH added in the Applications tab of the Rublon Admin Console that you have copied before.
  • In the /etc/rublon.config file, set nonInteractiveMode to “true”.
  • Adjust other options according to your preferences or leave the default values. Refer to Updating the Configuration File for more information about each option.

7. Your configuration is now complete. You can log in to Veritas NetBackup with Rublon MFA.

Updating the Configuration File

The configuration file is located in the following location:

/etc/rublon.config
OptionDescription
systemTokenThe System Token of the application with the type Linux SSH added in the Applications tab of the Rublon Admin Console
secretKeyThe Secret Key of the application with the type Linux SSH added in the Applications tab of the Rublon Admin Console
rublonApiServerThe URL of the Rublon API.

Default: http://core.rublon.net
failModeEither “bypass” or “deny”. This option allows you to set what should happen in case of configuration errors or when the Rublon API is unreachable.

Default: “bypass”
promptThis option allows you to define the maximum number of authentication prompts displayed before access is denied. You can set this value to 1, 2, or 3. For the Default Authentication Method, such as Auto Push, it is recommended to set this option to 1 for optimal security.

Default: 1
loggingWhen set to “true”, this option allows the saving of event logs from the pam_rublon module to a file located under /var/log/rublon-ssh.log.

Default: “true”
autopushPromptIf the Default Authentication Method is set to Mobile Push and the autopushPrompt option is set to true, then every time your users choose the Mobile Push authentication method when logging in, they will be informed a push notification has been sent to their phone.

Default: “false”
nonInteractiveModeWhen set to “true”, the connector operates in a completely non-interactive mode. Instead of prompting the user to select an authentication method, it automatically chooses the first supported method by sequentially attempting methods in the following order: Push, Email, SMS Link, and Phone Call.

Default: “false”
proxyEnabledWhen set to “true”, enables proxy. When enabled, one of the following conditions must be met:

1. proxyType and proxyHost (plus optional proxyPort) are provided, or

2. Standard environment variables (e.g., HTTP_PROXY) are already set on the host OS.

If both are present, the explicit settings in this file override the environment variables.

Default: “false”
proxyTypeThe protocol or scheme that the proxy speaks.

Supported values:

HTTP – plain HTTP tunnel

Required if proxyEnabled is set to “true” and the client is not relying on environment variables.
proxyHostHostname or IP address of the proxy server.

Required when proxyEnabled is set to “true” and the client is not relying on environment variables.
proxyPortTCP port on which the proxy listens.

If omitted, the connector falls back to common defaults (HTTP = 8080).
proxyAuthRequiredWhen set to “true”, the proxy expects credentialed (Basic) authentication.

If enabled, both proxyUsername and proxyPassword must be provided.

Default: “false”
proxyUsernameUsername used for proxy authentication.

Required only when proxyAuthRequired is set to “true”.
proxyPasswordThe password of the proxy server user.

Required only when proxyAuthRequired is set to “true”.

Updating Rublon MFA for Veritas NetBackup

We recommend you leave at least one root shell session active and open while making any changes to your PAM configuration to prevent accidentally locking yourself out.

If you wish to update the Rublon SSH PAM module: 

1. Uninstall Rublon MFA for Veritas NetBackup.

2. Install Rublon MFA for Veritas NetBackup.

Uninstalling Rublon MFA for Veritas NetBackup

1. Remove the PAM file.

For Debian and Ubuntu, use:

sudo apt purge rublon-ssh-pam

For CentOS, AlmaLinux, Rocky Linux, and RHEL, use:

sudo yum remove rublon-ssh

For SUSE distributions, use:

sudo zypper remove rublon-ssh

Note

If the package is not found under this name, use the following command to locate the correct name:

yum list | grep rublon

Then, remove the discovered package with:

yum remove <found-package-name>

Testing of MFA for Veritas NetBackup

This example portrays logging in to the NetBackup Administration Console. The nonInteractiveMode option was set to “true” in the connector’s configuration file, and the user has enrolled their mobile device.

1. Open the NetBackup Administration Console.

2. Fill in the Host name, User name and Password fields.

3. Click Login.

4. You will be sent an automatic push notification on your phone.

5. Tap APPROVE.

6. You will be logged in to Veritas NetBackup.

Troubleshooting MFA for Veritas NetBackup

For troubleshooting tips, refer to Rublon MFA for SSH – Troubleshooting.

If you encounter any issues with your Rublon integration, please contact Rublon Support.

Related Posts

Rublon MFA for Veritas NetBackup – Release Notes

Rublon MFA for Veritas NetBackup – Download

Rublon MFA for Linux SSH – Release Notes

Rublon MFA for Linux SSH – Documentation