SSH offers a highly secure channel for remote access. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some potential authentication-related shortcomings that may cause headaches in an audit. For example:
- There is no way to control which users have public key authorization
- There is no way to enforce passphrase complexity (or even be sure that one is being used)
- There is no way to expire a public key
VanDyke Software is the creator of a number of secure remote access tools, including the VShell server, SecureCRT, an industrial-strength SSH client, and SecureFX, a feature-rich SFTP client.
The WiKID Strong Authentication System is an inexpensive, easy-to-use, extensible and highly secure two-factor authentication system. It is software-based, with token support for Windows, Mac, Linux, Blackberry, Palm, Windows Mobile and J2ME devices. The server is simple to install and configure, as is adding new users. In fact, users can optionally validate themselves based on existing trusted credentials. It is extremely well suited for companies seeking PCI compliance or that often have non-employees who need secure access, such as customers or contractors. In this tip, we will show you how simple it is to add support for WiKID one-time passcodes to the VShell server on Linux.
Setting up the VShell Server for RADIUS
First, be sure to install pam_radius on the VShell server box.
Make a backup of your /etc/pam.d/vshelld:
cp /etc/pam.d/vshelld /etc/pam.d/vshelld.orig
Enable RADIUS in your vshelld file. Here is an example:
#%PAM-1.0
auth required /lib/security/pam_radius_auth.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_radius_auth.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
These settings require both an account on the server (the second auth line) and a valid response from the WiKID server (the first auth line). Now, edit the /etc/raddb/server file to point to the WiKID Strong Authentication server:
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
wikidserverIP wikid_secret 3
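To see why the vshelld stack above requires both a successful RADIUS response and a valid local account, it helps to walk the PAM control flags by hand. The following is an added example (not VanDyke or WiKID code): a small parser for the vshelld file and an evaluator that applies the Linux-PAM semantics of required, requisite, sufficient and optional. Module results are supplied as a dictionary, so no real PAM modules are called. One caveat for newer systems: pam_stack.so has been superseded by the "include" directive in current Linux-PAM, so on a recent distribution the same stack is written as "auth include system-auth"; the evaluator only handles the classic keyword flags shown on this page.

```python
"""Evaluate how a Linux-PAM stack combines module results.
Added example, not VanDyke or WiKID code.  The vshelld config below
is the one from the text; the module outcomes fed to evaluate_stack()
are constructed inputs, not results from a real login."""

# The /etc/pam.d/vshelld example from the text, embedded as a string.
VSHELLD_CONF = """\
#%PAM-1.0
auth required /lib/security/pam_radius_auth.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient /lib/security/pam_radius_auth.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
"""


def parse_pam_stack(text, stack_type):
    """Return (control, module-and-args) pairs for one management group
    ('auth', 'account', 'password' or 'session'), skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 2)           # type, control, "module [args]"
        if len(parts) < 3 or parts[0] != stack_type:
            continue
        entries.append((parts[1], parts[2]))
    return entries


def module_name(module_field):
    """'/lib/security/pam_radius_auth.so' -> 'pam_radius_auth.so';
    'pam_stack.so service=system-auth' -> 'pam_stack.so'."""
    return module_field.split()[0].rsplit("/", 1)[-1]


def evaluate_stack(entries, results):
    """Apply the classic Linux-PAM control-flag semantics.

    results: maps module basename -> True (PAM_SUCCESS) / False (failure).
    Returns (ok, consulted): the stack result and the modules actually
    called, in order.  'required' records a failure but keeps going so a
    caller cannot learn which module rejected; 'requisite' stops at once;
    'sufficient' returns success immediately only if nothing required has
    failed before it; 'optional' never affects the outcome here."""
    failed = False
    consulted = []
    for control, module in entries:
        name = module_name(module)
        consulted.append(name)
        ok = results[name]
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False, consulted
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted
        elif control == "optional":
            pass
        else:
            # '[value=action]' bracket syntax, 'include' and 'substack'
            # are deliberately not modelled.
            raise ValueError(f"unsupported control flag {control!r}")
    return not failed, consulted


VSHELLD_AUTH = parse_pam_stack(VSHELLD_CONF, "auth")
VSHELLD_ACCOUNT = parse_pam_stack(VSHELLD_CONF, "account")


def vshelld_login(radius_ok, local_ok, nologin_ok=True):
    """Outcome of the auth stack for one constructed login attempt."""
    outcome = {"pam_radius_auth.so": radius_ok,
               "pam_stack.so": local_ok,
               "pam_nologin.so": nologin_ok}
    return evaluate_stack(VSHELLD_AUTH, outcome)


if __name__ == "__main__":
    for radius_ok, local_ok in [(True, True), (False, True), (True, False)]:
        ok, seen = vshelld_login(radius_ok, local_ok)
        print(f"radius={radius_ok} local={local_ok} -> {ok}, consulted {seen}")
```

Running it shows that the auth stack succeeds only when both pam_radius_auth and the system-auth sub-stack succeed, and that a failing required module does not short-circuit the stack. It also shows that the account stack returns success as soon as pam_radius_auth's account check passes, without consulting system-auth, which is what "account sufficient" means.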
Configuring the WiKID Server
First, we will configure a domain on the WiKID server, then add the VShell Server as a network client to the WiKID server.
A WiKID domain manages the relationship with WiKID users and specifies security parameters such as minimum PIN length, passcode lifetime, maximum bad PIN and passcode attempts, etc. The server can handle an unlimited number of domains. Because WiKID uses public key pairs instead of shared secrets like most one-time password systems, the token clients can also handle an unlimited number of domains across multiple WiKID servers - even across different companies - with no loss of security.
To add the domain, log into the WiKIDAdmin web interface, click on the Domains tab and select Create New Domain. Enter the required information (leave the registered URL box blank - it is only for mutual authentication of https sites). Also, leave the TACACS+ and Password Reset Domain boxes unchecked. The domain identifier is the zero-padded IP address of the WiKID server.
Next we set up the VShell server as a Network Client on the WiKID server. Click on the Network Clients tab and select "Create A New Network Client". Enter a name for it, the IP address of the VShell server, select Radius as the protocol and select the domain you just created. Clicking Add will bring up the Radius parameters. Enter the shared secret you used in the /etc/raddb/server file. Leave the return attributes box empty (unless you really know what you're doing). Click Add to complete. Now, you need to restart the WiKID server so the network client can be loaded into the WiKID server's firewall settings.
Testing WiKID and VShell
Start the WiKID token client. Select Actions/New Domain and enter the 12-digit identifier used in the domain creation. You will be asked to set your PIN, and you will get a registration code back from the server. To manually validate this token, go to the WiKIDAdmin web interface, click the Users tab and Manually Validate a user. You will see the registration code. Click it and enter your desired username - remember the user should also have an account on the VShell server, as required by the /etc/pam.d/vshelld file. Now the server will accept one-time passcodes from this token. On the token client, select Get Passcode and enter your PIN. The returned one-time passcode is automatically copied into the clipboard. Start up an SSH client, such as SecureCRT, and log into the VShell server. When prompted for a password, hit Control-V and Enter. If all goes well, you should be in!
More information
For a free 30-day trial of the WiKID server, please visit our site. Pricing for the WiKID server starts at $240 per year. Complete pricing information is available here.