Friday, July 8, 2016

How to configure sudo for two-factor authentication using pam-radius on Ubuntu and CentOS

https://www.howtoforge.com/tutorial/how-to-configure-sudo-for-two-factor-authentication-using-pam-radius-on-ubuntu-and-centos

Attackers frequently use lost, stolen, weak or default credentials to escalate their privileges after they have infiltrated your network. While two-factor authentication can greatly reduce infiltration, there are other means of gaining entry such as malware.  This tutorial shows how to add radius to sudo for Centos 7 and Ubuntu 14.04 for two-factor authentication with the WiKID Strong Authentication server.  Using pam-radius is nice because it allows you to insert a radius server, such as Freeradius or NPS on Windows, so you can perform authorization in your directory and then authentication against a separate two-factor auth server.  Managing your users in a central directory is a very good security practice.   Note that since we are using RADIUS, this basic setup works for all enterprise-class 2FA systems.

Configure sudo on Centos/RHEL for two-factor authentication

We will start on RHEL/Centos 7.   Install the pre-requisites:
sudo yum -y install make gcc pam pam-devel
Get the latest PAM RADIUS code (1.4 as of this writing):
wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz
Build the library:
tar -xzvf pam-radius-x.x.x.tar.gz
cd pam-radius-x.x.x
sudo ./configure
sudo make
Copy the library to the proper location:
cp pam_radius_auth.so /lib/security/
Or for 64bit:
cp pam_radius_auth.so /lib64/security/
Create the configuration directory and copy the configuration file under the name 'server':
sudo mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server
Edit /etc/raddb/server and add your radius server IP and the shared secret to this file.
# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
radius_server_IP    secret             3
#
# having localhost in your radius configuration is a Good Thing.
(Note that while we want the radius in the loop eventually, you can also user your WiKID server as the radius server, add this Centos box as a network client on WiKID, restart WiKID and be done or at least you can test this way.  It's always a good idea to do some small tests along the way, just be sure to remove them.)
Next, we need to tell sudo to use radius.  Edit the file /etc/pam.d/sudo and replace "auth       include      system-auth" with:
auth       required      pam_radius_auth.so
That's it for the Centos/RHEL 7 box.  The same setup work for 5 and 6 too.

Configure sudo on Ubuntu for two-factor authentication

Next up is the Ubuntu 14.04 server.  First, install pam-radius:
sudo apt-get install libpam-radius-auth
Configure it with the NPS server as well by editing /etc/pam_radius_auth.conf.  So that it is the same as above:
# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
radius_server_IP   secret             3
#
# having localhost in your radius configuration is a Good Thing.
Edit your /etc/pam.d/sudo file and add the line ' auth sufficient pam_radius_auth.so' above the comm-auth line:
auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth sufficient pam_radius_auth.so
@include common-auth
@include common-account
@include common-session-noninteractive
That's is for the Ubuntu server.  
Now, anytime an admin attempts to use sudo, they must enter their one-time passcode.   PAM will forward the username and OTP to your radius server or your WiKID server for validation.
Using two-factor authentication for administrative accounts is a powerful tool for securing your network. It may even become part of the PCI DSS requirements

No comments:

Post a Comment