https://www.howtoforge.com/tutorial/how-to-configure-sudo-for-two-factor-authentication-using-pam-radius-on-ubuntu-and-centos
Attackers frequently use lost, stolen, weak or default credentials to escalate their privileges after they have infiltrated your network. Two-factor authentication at the perimeter greatly reduces infiltration, but there are other ways in, such as malware, so it pays to require a second factor at the point of privilege escalation as well. This tutorial shows how to add RADIUS to sudo on CentOS 7 and Ubuntu 14.04 for two-factor authentication with the WiKID Strong Authentication server. Using pam-radius is nice because it lets you insert a RADIUS server, such as FreeRADIUS or NPS on Windows, so you can perform authorization against your directory and then authentication against a separate two-factor server. Managing your users in a central directory is a very good security practice. Note that since the only interface used here is RADIUS, the same setup works with any two-factor system that can act as a RADIUS server.
Configure sudo on CentOS/RHEL for two-factor authentication
We will start on RHEL/CentOS 7. Install the prerequisites:
sudo yum -y install make gcc pam pam-devel
Get the latest PAM RADIUS code from FreeRADIUS (1.4 as of this writing), substituting the current version number for x.x.x:
wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz
Build the library (no root privileges are needed for this step):
tar -xzvf pam_radius-x.x.x.tar.gz
cd pam_radius-x.x.x
./configure
make
Copy the library to the proper location:
sudo cp pam_radius_auth.so /lib/security/
Or, on a 64-bit system:
sudo cp pam_radius_auth.so /lib64/security/
Create the configuration directory and copy the configuration file under the name 'server'. The file will hold the RADIUS shared secret, so make it readable by root only:
sudo mkdir /etc/raddb
sudo cp pam_radius_auth.conf /etc/raddb/server
sudo chmod 0600 /etc/raddb/server
Edit /etc/raddb/server and add your RADIUS server's IP and the shared secret to this file:
# server[:port]   shared_secret   timeout (s)
127.0.0.1         secret          1
radius_server_IP  secret          3
#
# having localhost in your radius configuration is a Good Thing.
Replace radius_server_IP with the address of your RADIUS server and secret with the shared secret you configured for this host on that server. Use a long, random secret: RFC 2865 hides the passcode in transit with an MD5 stream keyed by this secret, and the secret is also the only thing that authenticates the server's reply. Servers are tried in the order listed, and the module waits for a reply from each before moving on, so drop the 127.0.0.1 line unless a RADIUS server really runs on this host; otherwise every sudo pays that timeout before the real server is contacted. (Note that while we want a RADIUS server in the loop eventually, you can also use your WiKID server directly as the RADIUS server: add this CentOS box as a network client on WiKID, restart WiKID and you are done, or at least you can test this way. It is always a good idea to do small tests along the way; just be sure to remove the test entries afterwards.)
Next, we need to tell sudo to use RADIUS. Edit the file /etc/pam.d/sudo and replace "auth include system-auth" with:
auth required pam_radius_auth.so
That's it for the CentOS/RHEL 7 box. The same setup works for 5 and 6 too. Because the RADIUS module is now the only auth module and is marked 'required', sudo accepts nothing but a valid one-time passcode: there is no password fallback, and if the RADIUS server is unreachable sudo fails closed for everyone, so keep a console or root login available for recovery.
Configure sudo on Ubuntu for two-factor authentication
Next up is the Ubuntu 14.04 server. First, install pam-radius from the distribution package:
sudo apt-get install libpam-radius-auth
Point it at the same RADIUS server (NPS, FreeRADIUS or WiKID) by editing /etc/pam_radius_auth.conf so that it matches the file above:
# server[:port]   shared_secret   timeout (s)
127.0.0.1         secret          1
radius_server_IP  secret          3
#
# having localhost in your radius configuration is a Good Thing.
Edit your /etc/pam.d/sudo file and add the line 'auth sufficient pam_radius_auth.so' above the @include common-auth line:
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth sufficient pam_radius_auth.so
@include common-auth
@include common-account
@include common-session-noninteractive
That's it for the Ubuntu server. Note the difference from the CentOS file: 'sufficient' means that a correct OTP ends the auth stack successfully, but a rejected OTP (or an unreachable RADIUS server) quietly falls through to common-auth, where the Unix password alone is still accepted. That is a convenient fallback during rollout, but it is not two-factor: anyone holding a user's password can still sudo. Once the RADIUS path is proven, change 'sufficient' to 'required' so that both the OTP and the password are demanded, or drop the common-auth include as was done on CentOS so that only the OTP is accepted.
Now, anytime an admin attempts to use sudo, they must enter their one-time passcode. PAM forwards the username and OTP to your RADIUS server, or straight to the WiKID server if you configured it as the RADIUS server, for validation.
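What that forwarding looks like on the wire, as an added example that is not code from the tutorial, WiKID or the pam_radius project: a RADIUS Access-Request carrying the username and OTP, the server's decode and check, and the Access-Accept or Access-Reject that comes back, per RFC 2865. It uses only Python's standard library; the shared secret, packet identifier, NAS address and passcode are constructed sample values, and only the four attributes shown are sent.

```python
"""RADIUS Access-Request / Access-Accept as exchanged for a sudo OTP (RFC 2865).

Added example, not from the tutorial or pam_radius. Secret, identifier, NAS
address and passcode below are constructed sample values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the RADIUS server does before checking the OTP."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a positive multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; the length byte covers the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(data):
    attrs = {}
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def build_access_request(ident, user, otp, secret, nas_ip="10.0.0.5", authenticator=None):
    """Client side (what pam_radius sends). Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)  # must be fresh per request
    body = (attr(USER_NAME, user.encode())
            + attr(USER_PASSWORD, hide_password(otp.encode(), secret, authenticator))
            + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
            + attr(NAS_IDENTIFIER, b"sudo-host"))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body, authenticator


def server_decode_request(packet, secret):
    """Server side: returns (ident, request_authenticator, user, otp)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    authenticator = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    otp = reveal_password(attrs[USER_PASSWORD], secret, authenticator)
    return ident, authenticator, attrs[USER_NAME].decode(), otp.decode(errors="replace")


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def client_verify_response(packet, request_authenticator, secret):
    """Client side: the reply code if its authenticator checks out, else None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return packet[0] if hmac.compare_digest(expected, packet[4:20]) else None


def sudo_radius_exchange(user, otp, secret, valid_otps):
    """Whole round trip: True only if the server accepts and the reply is authentic."""
    req, req_auth = build_access_request(42, user, otp, secret)
    ident, srv_auth, srv_user, srv_otp = server_decode_request(req, secret)
    code = ACCESS_ACCEPT if valid_otps.get(srv_user) == srv_otp else ACCESS_REJECT
    reply = build_response(code, ident, srv_auth, secret)
    return client_verify_response(reply, req_auth, secret) == ACCESS_ACCEPT
```

Two things the exchange makes visible: the passcode is only as well protected in transit as the shared secret, since anyone who captures the UDP datagram and knows (or guesses) the secret can run reveal_password on it; and the Response Authenticator is all that stops a spoofed Access-Accept from reaching pam_radius. Both are why the secret in /etc/raddb/server or /etc/pam_radius_auth.conf should be long and random and the file readable by root only.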
Using two-factor authentication for administrative accounts is a powerful tool for securing your network. It may even become part of the PCI DSS requirements.