Configuring SSH To Use Freeradius And WiKID For Two-Factor Authentication

Want to support HowtoForge? Become a subscriber!
 
Submitted by nowen (Contact Author) (Forums) on Mon, 2007-12-03 13:20. :: Security

Configuring SSH To Use Freeradius And WiKID For Two-Factor Authentication 

Radius is a great standard. It is powerful enough to accomplish a great deal and simple enough to be easy to handle. Freeradius is an excellent, open source radius server that ships with many Linux variants. It is well documented and well supported. The WiKID Strong Authentication server is a commercial/open source two-factor authentication system that uses public key encryption to transmit PINs and one-time passcodes securely to software tokens running on Blackberries, cell phones, Palms, PocketPCs or, using the J2SE client, Linux, Macs and Windows PCs. You can think of WiKID like certificates, but without the hassles of white lists/black lists and more secure - because the PIN is validated on the server preventing offline brute-force attacks.

Companies that need to meet requirements, such as PCI-DSS or HIPAA, may need to secure their networks with two-factor authentication and tightly controlled access. Combining Freeradius and WiKID is a highly cost-effective way to accomplish that.

In this example, I am installing Freeradius on Fedora Core 7 and running the 3.0RC2 rpms of WiKID on Centos5 (however, the same instructions will work for the 2.0 version of WiKID.) We'll be testing with SSH, however, the same setup should work for Apache, WebDAV, OpenVPN, and any other application that supports PAM.

Installing and Configuring Freeradius

No matter what Linux variant you are running, there is probably a package for Freeradius. For Fedora, installing via Yum is simple:

yum install freeradius

Configuring Freeradius is fairly straight-forward. There are a lot of options, though. The key is to only change the minimal items that you understand. The default settings work, so make small changes and test them. We will modify three files. The /etc/raddb/clients.conf file tells Freeradius which clients to accept. The proxy.conf file tells Freeradius to send the authentication packets to the WiKID server and the radiusd.conf file configures the main Freeradius server.

First, edit the /etc/raddb/clients.conf file:

vi /etc/raddb/clients.conf

client 127.0.0.1 {
        secret          = shared_secret
        shortname       = localhost
        nastype     = other
}

All you need to change for now is the shared secret as we will login to the Freeradius server via SSH as our test.

Next, validate that requests can be proxied in the radiusd.conf file. This was the case on Fedora:

vi /etc/raddb/radiusd.conf

proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf

Finally, add the WiKID Strong Authentication server as a valid proxy in proxy.conf:

vi /etc/raddb/proxy.conf

#  This realm is for requests which don't have an explicit realm
#  prefix or suffix.  User names like "bob" will match this one.
#
realm NULL {
        type            = radius
        authhost        = WIKIDSERVER_IP:1812
#       accthost        = WIKIDSERVER_IP:1813
        secret          = shared_secret
}

Needless to say, change WIKIDSERVER_IP and shared_secret to your WiKID server IP and shared secret. It probably should be different than the shared secret used for the client.

For additional security, you should lock down ownership of these flies:

chmod a-rwx,u+r /etc/raddb/proxy.conf

chmod a-rwx,u+r /etc/raddb/clients.conf

Now start Freeradius:

service radiusd start

Configurng PAM SSH

First, you need to install PAM Radius. There is excellent documentation on this at the PAM Radius home page. Depending on your distribution, you might also be able to find a suitable binary. I had no trouble compiling this on Fedora 7:

# ./configure
# make
# make install

Edit /etc/pam.d/sshd to allow Radius authentication:

vi /etc/pam.d/sshd

Go to the second line of the file, hit the Insert key or the i key and insert this line:

auth     sufficient   /lib/security/pam_radius_auth.so 

just above this line:

auth     required     pam_stack.so service=system-auth

The “sufficient” tag indicates that if the Radius authentication succeeds then no additional authentication will be required. However, if the Radius authentication fails, a username and password from the system will work. Use "Required" to require strong authentication. Because we are only editing the sshd file, it will not affect terminal log-ins. PAM can be very different on different linux variants. Consult the specific documentation for your OS.

Edit or create your /etc/raddb/server file:

vi /etc/raddb/server

Below the line:

127.0.0.1   secret        1

Add this line:

localhost   shared_secret     1

Finally, I made sure that PublicKey authentication was turned off in /etc/sshd/sshd_config:

PubkeyAuthentication no

Configuring the WiKID Server

Now, we'll configure the WiKID server to process the one-time passwords from Freeradius. We assume that you also need to set up a new WiKID domain. If you already have one, you may skip this part. Additional WiKID installation documentation is available here.

Log into the WiKID server and click on the Domains Tab.

Click on Create a New Domain.

Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 216.239.51.99, the WiKID server code would be 216239051099. Click "Create". (Obviously, if you already have a domain setup, you can skip this step.)

Click Network Clients tab and on "Create a new Network Client".

Enter the information requested. For the IP Address, use the IP address of the Freeradius server. Select Radius and the domain you just created. Click "Add" when you're finished.

On the next page, enter the shared secret you entered in the /etc/raddb/proxy.conf file of the Freeradius server. Do not have to enter any information under "Return Attributes".

Important: From the WiKID terminal or via SSH, you will need to run "wikidctl stop" and then "wikidcl start" to load the new configuration into the WiKID Radius server. (WiKID 2.0 users just run "stop" and "start".)

Testing Freeradius with one-time passwords

Download and install a WiKID Token client. You can manually validate yourself as a user from the WiKIDAdmin web interface. Once validated, select the Domain associated with the Freeradius resource:

token1.jpg

Enter the PIN:

token2.jpg

And you will get back the one-time passcode. The OTP is time-bounded, but the time can be set on the WiKID server to whatever you want:

token3.jpg

Now, ssh to your Freeradius box:

ssh user@freeradius_server

When prompted, enter the WiKID one-time password - it should have automatically been pasted to your clip-board so ctrl-c or shift-ins should work. You should be granted access. If not, there a number of logs to consult. First, check /var/log/secure on your Freeradius server to see why the user was rejected. If you see "All RADIUS servers failed to respond." make sure that radiusd is running on port 1812. Check Freeradius's logs at /var/log/radius/radius.log and the WiKID radius log at /opt/WiKID/log/radius.log on the WiKID server.

An Alternative Configuration: Freeradius as a back-up

One of the benefits of using PAM Radius is that servers can be chained in the /etc/raddb/server file. If the top servers fail to respond, the next server will try to authenticate the user. To clarify: if the first server responds with an authentication failure, the user is rejected. Only if the there is no response will the second radius server be checked. This backup capability can be especially handy if your WiKID server is located in a remote datacenter. By configuring PAM to talk directly to WiKID and failing back to Freeradius, you create a fail-over solution in the event of a hardware failure.

First, change the /etc/raddb/server file to point to the WiKID server first, then the Freeradius server running on localhost second:

# server[:port] shared_secret      timeout (s)
127.0.0.1:1812        shared_secret        1
WIKIDSERVER_IP:1812   shared_secret      3
localhost:1812        shared_secret          2
  

I had to make some minor changes to get Freeradius working with /etc/passwd. First, I had to change radiusd's group /etc/raddb/radiusd.conf to shadow:

user = radiusd
group = shadow

Then I had to give shadow permissions for /etc/passwd:

chgrp shadow /etc/shadow

chmod g+r /etc/shadow

Now, if the WiKID server fails for some reason you have an automatic fall-back to your /etc/passwd file.

Conclusion

Radius is an excellent standard for authentication of remote users. Combining Freeradius with WiKID Strong Authentication creates a powerful, flexible and secure solution.


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Thu, 2011-04-07 20:48.

Hi,

I would like your help on understanding how exactly or where is FreeRadius a well documented radius server.

I have been trying for 6 days now to make freeradius2 work on RHEL/CentOS systems with LDAP and pam_radius for SSH logins and mostly failed - my efforts were mostly try and fail actions as there really is no real documentation on this subject.

FreeRadius home page is just giving enough to almost make you buy the books on freeradius they are selling. The mail list usually contains several times the same questions I have and the answers are usually not helpfull at all. This FreeRadius stuff is suppose to "just work" as they said on several ocasions but it just does not! Only the basic things, which are useless are working as is....

Can  you please let me know where exactly have you managed to find real documentation on free radius?

 

Thanks,

Adi

Submitted by Anonymous (not registered) on Fri, 2010-04-30 19:33.
Definitely going to be trying my hand at this over the weekend. I gave RSA a grilling over why there isn't enough multi-factor auth single-sign on in use, so it would be hypocritical of me not to be running something like this at home.