SSH offers a highly secure channel for remote administration of servers. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some authentication-related shortcomings of plain public key authentication that may cause headaches in an audit. For example:
- There is no way to control which users have public key authorization
- There is no way to enforce passphrase complexity (or even be sure that one is being used)
- There is no way to expire a public key
In this document we will show you how to configure SSH for two-factor authentication from WiKID using pam_radius.
Configuring PAM to use pam_radius:
First, you need to install pam_radius. There is excellent documentation on this at the pam_radius home page, and depending on your distribution you might also find a packaged binary. I had no trouble compiling it on Fedora 7:
# ./configure
# make
# make install
Edit /etc/pam.d/sshd to allow Radius authentication:
vi /etc/pam.d/sshd
Go to the second line of the file, hit the Insert key or the i key and insert this line:
auth sufficient /lib/security/pam_radius_auth.so
just above this line:
auth required pam_stack.so service=system-auth
The "sufficient" control flag means that if the RADIUS authentication succeeds, no further modules in the stack are consulted and the user is in. It also means that if the RADIUS authentication fails, PAM quietly continues down the stack, so a username and password from the system will still work; in other words the one-time password is optional, which is unlikely to satisfy an auditor. Use "required" to require strong authentication: the RADIUS check must then succeed, and the remaining modules (the system password check) still run, so the user has to pass both. With "requisite" a RADIUS failure stops the stack immediately. Because we are only editing the sshd file, terminal logins are not affected. Also note that sshd only hands authentication to PAM when UsePAM yes is set and password or challenge-response authentication is enabled in sshd_config. PAM can be very different on different Linux variants; on newer Fedora and RHEL releases pam_stack.so is gone and the line reads "auth include system-auth", so put the pam_radius line above whichever form your file uses. Consult the specific documentation for your OS.
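To make the difference between the control flags concrete, here is a small model of how Linux-PAM walks the auth stack in /etc/pam.d/sshd. It is an added example, not code from pam_radius, Linux-PAM or WiKID: the two check functions stand in for the RADIUS module and the system-auth stack, the credentials are constructed, and the model assumes (as pam_unix does with try_first_pass) that each module ends up seeing a token typed at its own prompt.

```python
# Added example: a model of Linux-PAM control-flag semantics for the auth
# stack edited above. Not pam_radius, Linux-PAM or WiKID code.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Creds = Dict[str, str]          # what the user typed at each prompt


@dataclass
class Module:
    control: str                # "sufficient", "required" or "requisite"
    name: str                   # label only, e.g. "pam_radius_auth.so"
    check: Callable[[Creds], bool]


def run_auth_stack(stack: List[Module], creds: Creds) -> Tuple[bool, List[str]]:
    """Evaluate the stack with Linux-PAM's semantics for these three flags.

    sufficient: success ends the stack with PAM_SUCCESS unless an earlier
                "required" module already failed; failure is ignored and
                evaluation continues with the next module.
    required:   failure is remembered but the rest of the stack still runs
                (so the user is not told which module rejected them); the
                final result is failure.
    requisite:  failure returns immediately.
    """
    log: List[str] = []
    required_failed = False
    for m in stack:
        ok = m.check(creds)
        log.append(f"{m.control:<10} {m.name}: {'ok' if ok else 'FAIL'}")
        if m.control == "sufficient":
            if ok and not required_failed:
                return True, log
        elif m.control == "required":
            if not ok:
                required_failed = True
        elif m.control == "requisite":
            if not ok:
                return False, log
        else:
            raise ValueError(f"unsupported control flag {m.control!r}")
    return not required_failed, log


# Constructed credentials for the demonstration, not real accounts.
VALID_OTP = "482913"            # what the WiKID token generated
LOCAL_PASSWORD = "hunter2"      # the account's local system password


def radius_check(creds: Creds) -> bool:
    """Stands in for pam_radius_auth.so asking the WiKID server."""
    return creds.get("otp") == VALID_OTP


def unix_check(creds: Creds) -> bool:
    """Stands in for the system-auth stack (pam_unix.so). Assumption of this
    model: when the first token does not match, pam_unix prompts for the
    local password itself (try_first_pass), so it sees its own token."""
    return creds.get("password") == LOCAL_PASSWORD


def sshd_stack(radius_control: str) -> List[Module]:
    """/etc/pam.d/sshd as edited above, with the RADIUS line's flag as a parameter."""
    return [
        Module(radius_control, "pam_radius_auth.so", radius_check),
        Module("required", "system-auth (pam_unix.so)", unix_check),
    ]


def login(radius_control: str, creds: Creds) -> bool:
    """True if the stack would return PAM_SUCCESS for these credentials."""
    ok, _ = run_auth_stack(sshd_stack(radius_control), creds)
    return ok


if __name__ == "__main__":
    cases = [
        ("sufficient", {"otp": VALID_OTP}),
        ("sufficient", {"password": LOCAL_PASSWORD}),   # no OTP at all, still gets in
        ("required", {"otp": VALID_OTP}),
        ("required", {"otp": VALID_OTP, "password": LOCAL_PASSWORD}),
        ("required", {"password": LOCAL_PASSWORD}),
    ]
    for control, creds in cases:
        ok, log = run_auth_stack(sshd_stack(control), creds)
        print(f"{control:<10} {sorted(creds)} -> {'ACCESS' if ok else 'DENIED'}; " + "; ".join(log))
```

The second case is the one an auditor will ask about: with "sufficient", a user who never enters a one-time password is still accepted on the local password alone, whereas with "required" both checks must pass.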
Configure pam_radius to use WiKID:
Edit or create your /etc/raddb/server file. It lists the RADIUS servers pam_radius will try, one per line, in the form server[:port] shared_secret timeout (timeout in seconds). The file holds the shared secret in clear text, so make sure it is owned by root and has mode 0600:
vi /etc/raddb/server
Below the line:
127.0.0.1 secret 1
Add this line:
WiKID_server_ip shared_secret 1
If nothing is listening for RADIUS on 127.0.0.1, remove that example line; otherwise every login waits for it to time out before the WiKID server is tried.
Finally, I made sure that public key authentication was turned off and UsePAM was on in /etc/ssh/sshd_config, then restarted sshd so the change took effect:
PubkeyAuthentication no
UsePAM yes
Configure a Network Client for the SSH server:
On the WiKID server web interface, click the Network Clients tab and then "Create a new Network Client".
Enter the information requested. For the IP Address, use the IP address of the SSH target server. Select Radius and the domain you want for this SSH server. Click "Add" when you're finished.
On the next page, enter the shared secret you entered in the /etc/raddb/server file of the target server. You do not have to enter any information under "Return Attributes".
Important: From the WiKID terminal or via SSH, you will need to run "wikidctl stop" and then "wikidctl start" to load the new configuration into the WiKID Radius server. (WiKID 2.0 users just run "stop" and "start".)
Testing your SSH setup
Now, ssh to your target server:
ssh user@target_server
When prompted, enter the WiKID one-time password; it should have automatically been pasted to your clipboard, so Ctrl-V or Shift-Insert should work. You should be granted access. If not, there are a number of logs to consult. First, check /var/log/secure on your target server to see why the user was rejected. You can also check the WiKID RADIUS log at /opt/WiKID/log/radius.log on the WiKID server, or through the logs in the WiKIDAdmin interface. You can turn on debugging for RADIUS on the Configuration >> Enable Protocols >> Radius page.
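When the login fails it helps to take sshd and PAM out of the picture and exercise the RADIUS path on its own. The script below is an added example, not pam_radius or WiKID code: a minimal RFC 2865 Access-Request client that sends one PAP request and verifies the reply's Response Authenticator with the shared secret, so a wrong secret in /etc/raddb/server or in the Network Client shows up as a verification failure rather than a silent reject. It assumes the WiKID RADIUS service listens on UDP port 1812 and accepts User-Password (PAP), and it should be run from the target server itself, because the request has to originate from the IP you registered as the network client.

```python
# Added example: RFC 2865 Access-Request test client. Not pam_radius or
# WiKID code; port 1812 and PAP are assumptions.
import hashlib
import hmac
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This hides the OTP only as well as the secret is kept, which is why
    /etc/raddb/server must not be world-readable."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt (the server's side); strips the NUL padding."""
    if not ciphertext or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type/Length/Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(body: bytes) -> dict:
    """Type -> list of raw values; rejects truncated or zero-length TLVs."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        attr_type, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(body[i + 2:i + length])
        i += length
    return attrs


def build_access_request(ident: int, authenticator: bytes, user: str,
                         password: str, secret: bytes, nas_ip: str) -> bytes:
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, pap_encrypt(password.encode(), secret, authenticator))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, ident: int, request_authenticator: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, ident: int, request_authenticator: bytes,
                    secret: bytes) -> bool:
    """Reject replies that are short, carry the wrong ID, or were not made with
    our secret; without this, a spoofed UDP Access-Accept would be believed."""
    if len(response) < 20:
        return False
    _code, resp_ident, length = struct.unpack("!BBH", response[:4])
    if resp_ident != ident or length < 20 or length > len(response):
        return False
    response = response[:length]
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def access_request(server: str, secret: str, user: str, password: str,
                   nas_ip: str, port: int = 1812, timeout: float = 5.0) -> str:
    """Send one Access-Request and return the verified reply's code name."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(ident, authenticator, user, password, secret.encode(), nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        reply, _ = sock.recvfrom(4096)
    if not verify_response(reply, ident, authenticator, secret.encode()):
        raise ValueError("reply failed authenticator check: wrong shared secret or spoofed reply")
    return CODE_NAMES.get(reply[0], f"code {reply[0]}")


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: radius_test.py WiKID_server_ip shared_secret user one_time_password target_server_ip")
    server, secret, user, otp, nas_ip = sys.argv[1:]
    print(access_request(server, secret, user, otp, nas_ip))
```

A timeout means the request never reached the WiKID RADIUS listener (firewall, wrong port, or the service was not restarted after adding the network client); an authenticator failure means the reply came back but the shared secrets differ; an Access-Reject with a good authenticator means the secret and network client are right and the problem is the user, domain or one-time password.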