  #1  
Old 23rd March 2008, 12:22
mchuahan
Configure the SSH Gateway + Wiki-D

Hi,

I have installed the WiKID server from the VMware image downloaded from wikidsystems, and I have also created the Network Client and enabled the RADIUS protocol according to the guidelines provided by wikidsystems.

The internal IP address of the WiKID server is 10.1.1.18, and we have another server whose IP address is 10.1.1.20. We want to configure that server as the SSH gateway and secure our SSH deployment with WiKID two-factor authentication. We are not able to connect to the WiKID server, and I am not even getting any error message in the log files. I installed the required packages for RADIUS using yum, but /etc/raddb/server is not available. Could someone please help me with how I can configure the SSH gateway server?

Thanks
Manoj
  #2  
Old 24th March 2008, 16:27
nowen

This apparently has been worked out, though I was not told what the solution was. It apparently was an issue with pam_radius on the gateway which caused the one-time passcodes to become alphanumeric before reaching the WiKID server.

Manoj: Can you post the solution?

Nick
__________________
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
  #3  
Old 27th March 2008, 07:29
mchuahan

Sure, I will post the solution.
  #4  
Old 1st April 2008, 10:10
mchuahan

Installing and Configuring Freeradius

No matter what Linux variant you are running, there is probably a package for Freeradius. For Fedora, installing via Yum is simple:

#yum install freeradius

Configuring Freeradius is fairly straight-forward. There are a lot of options, though. The key is to only change the minimal items that you understand. The default settings work, so make small changes and test them. We will modify three files. The /etc/raddb/clients.conf file tells Freeradius which clients to accept. The proxy.conf file tells Freeradius to send the authentication packets to the WiKID server and the radiusd.conf file configures the main Freeradius server.

First, edit the /etc/raddb/clients.conf file:
vi /etc/raddb/clients.conf
client 127.0.0.1 {
secret = testing123
shortname = localhost
nastype = other
}
Note: No change in the existing file /etc/raddb/clients.conf; keep the original configuration as it is.
All you need to change for now is the shared secret, as we will log in to the Freeradius server via SSH as our test.
Next, validate that requests can be proxied in the radiusd.conf file. This was the case on Fedora, CentOS etc.:
vi /etc/raddb/radiusd.conf
proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
Note: No change in the existing file /etc/raddb/radiusd.conf; keep the original configuration as it is.
Finally, add the WiKID Strong Authentication server as a valid proxy in proxy.conf:
vi /etc/raddb/proxy.conf
#realm LOCAL {
# type = radius
# authhost = LOCAL
# accthost = LOCAL
#}

Note: Comment out all of the above lines in /etc/raddb/proxy.conf and add the following lines at the bottom of the file:
realm NULL {
type = radius
# IP address of the WiKID server and the port the WiKID server listens on
authhost = 10.1.1.18:1812
# accthost = WIKIDSERVER_IP:1813
# shared secret to your WiKID server
secret = n0tfsaOKrDj
}
Needless to say, change WIKIDSERVER_IP and shared_secret to your WiKID server IP and shared secret. It probably should be different from the shared secret used for the client.
For additional security, you should lock down ownership of these files:
chmod a-rwx,u+r /etc/raddb/proxy.conf
chmod a-rwx,u+r /etc/raddb/clients.conf
Now start Freeradius:


service radiusd start
Or
#/etc/init.d/radiusd start
Configuring PAM SSH
First, you need to install PAM Radius. There is excellent documentation on this at the PAM Radius home page. Depending on your distribution, you might also be able to find a suitable binary. I had no trouble compiling this on Fedora 7 and CentOS:
#./configure
# make
# make install
Note: We can install PAM Radius by using the Yum command
#yum install pam-*
or we can install it by using the above commands.
Please download the pam_radius-1.3.17.tar.gz source file from the above sites.
#tar xfz pam_radius-1.3.17.tar.gz
#cd pam_radius-1.3.17
#make
Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so
#cp pam_radius_auth.so /lib/security/pam_radius_auth.so
vi /etc/pam.d/sshd

#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
The "sufficient" tag indicates that if the Radius authentication succeeds then no additional authentication will be required. However, if the Radius authentication fails, a username and password from the system will work. Use "Required" to require strong authentication. Because we are only editing the sshd file, it will not affect terminal log-ins. PAM can be very different on different Linux variants. Consult the specific documentation for your OS.
You will need a server configuration file. An example is given in the file pam_radius_auth.conf. You will need to copy this file to /etc/raddb/server. The file MUST be secure, i.e.:
chown root /etc/raddb
chmod go-rwx /etc/raddb
chmod go-rwx /etc/raddb/server

vi /etc/raddb/server

# server[:port] shared_secret timeout (s)
#Below the line:
127.0.0.1 secret 1
#other-server other-secret 3
#Add this line:
localhost n0tfsaOKrD 1
Finally, I made sure that PublicKey authentication was turned off in /etc/ssh/sshd_config:
PubkeyAuthentication no

Let's add some security to SSH configuration here too. Open your /etc/ssh/sshd_config (not the nearby ssh_config file). Add these configuration options:

#Protocol 2,1
#Check that only protocol 2 is allowed:
Protocol 2
#Disallow root login:
PermitRootLogin no
#Disallow accounts without passwords:
PermitEmptyPasswords no

If you want to change the port you can. It won't stop an attacker, but it might cut down on log events caused by script kiddies. This gateway box is now set to use WiKID one-time passwords for SSH authentication. All users have to be registered with the WiKID server and no one can log in as root. Before we leave this box, we'll do something that is a little bit different - we will have the users create their RSA private key on the gateway. Once each user is signed into the box with WiKID, have them create their keys:
ssh-keygen -t rsa
In my opinion, passphrases for these keys are redundant. They are here only to create a single sign on functionality into the server farm. Obviously, you must be careful to be sure that users do not have access to other keys.

Configuring the WiKID Server
Now, we'll configure the WiKID server to process the one-time passwords from Freeradius. We assume that you also need to set up a new WiKID domain. If you already have one, you may skip this part. Additional WiKID installation documentation is available here.
Log into the WiKID server and click on the Domains Tab.
Click on Create a New Domain.
Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 216.239.51.99, the WiKID server code would be 216239051099. Click "Create". (Obviously, if you already have a domain setup, you can skip this step.)
Click Network Clients tab and on "Create a new Network Client".
Enter the information requested. For the IP Address, use the IP address of the Freeradius server. Select Radius and the domain you just created. Click "Add" when you're finished.
On the next page, enter the shared secret you entered in the /etc/raddb/proxy.conf file of the Freeradius server. You do not have to enter any information under "Return Attributes".
Important: From the WiKID terminal or via SSH, you will need to run "wikidctl stop" and then "wikidctl start" to load the new configuration into the WiKID Radius server. (WiKID 2.0 users just run "stop" and "start".)
Testing Freeradius with one-time passwords
Download and install a WiKID Token client. You can manually validate yourself as a user from the WiKIDAdmin web interface. Once validated, select the Domain associated with the Freeradius resource:

Enter the PIN:

And you will get back the one-time passcode. The OTP is time-bounded, but the time can be set on the WiKID server to whatever you want:

Now, ssh to your Freeradius box:
ssh user@freeradius_server
When prompted, enter the WiKID one-time password - it should have automatically been pasted to your clipboard, so ctrl-v or shift-ins should work. You should be granted access. If not, there are a number of logs to consult. First, check /var/log/secure on your Freeradius server to see why the user was rejected. If you see "All RADIUS servers failed to respond." make sure that radiusd is running on port 1812. Check Freeradius's logs at /var/log/radius/radius.log and the WiKID radius log at /opt/WiKID/log/radius.log on the WiKID server.
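The post's point about "sufficient" versus "required" in /etc/pam.d/sshd can be checked against a small model of the Linux-PAM auth-stack rules. This is an added example, not part of the post or of pam_radius: the module verdicts are constructed inputs, and the two stacks are the auth lines as posted and the "required" variant the post recommends.

```python
# Constructed model of how Linux-PAM evaluates the control flags on the `auth`
# stack. Module verdicts (True/False) are supplied by the caller, not by real modules.


def evaluate_auth_stack(stack, results):
    """stack: ordered [(control_flag, module)] as in /etc/pam.d/sshd; results: module -> bool.
    required   failure is remembered, the remaining modules still run, the final result is failure
    requisite  failure returns immediately
    sufficient success (with no earlier required failure) returns immediately; failure is ignored
    optional   ignored unless it is the only module in the stack
    """
    if len(stack) == 1 and stack[0][0] == "optional":
        return results[stack[0][1]]
    required_failed = False
    for control, module in stack:
        ok = results[module]
        if control == "required":
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        elif control != "optional":
            raise ValueError(f"unknown control flag {control!r}")
    return not required_failed


# The auth lines exactly as posted: pam_radius_auth is "sufficient" ...
POSTED_STACK = [
    ("sufficient", "pam_radius_auth.so"),
    ("required", "pam_stack.so service=system-auth"),
    ("required", "pam_nologin.so"),
]
# ... and the hardened variant the post recommends ("Use 'Required' to require strong authentication").
STRICT_STACK = [("required", "pam_radius_auth.so")] + POSTED_STACK[1:]


def login_outcome(stack, otp_ok, password_ok, nologin_ok=True):
    """otp_ok: WiKID/RADIUS verdict; password_ok: local system-auth verdict; nologin_ok: no /etc/nologin."""
    return evaluate_auth_stack(stack, {
        "pam_radius_auth.so": otp_ok,
        "pam_stack.so service=system-auth": password_ok,
        "pam_nologin.so": nologin_ok,
    })


if __name__ == "__main__":
    # With "sufficient", a wrong one-time passcode still gets in on a correct system password;
    # with "required" the one-time passcode is mandatory.
    print("sufficient, bad OTP, good password ->", login_outcome(POSTED_STACK, False, True))  # True
    print("required,   bad OTP, good password ->", login_outcome(STRICT_STACK, False, True))  # False
```

Note that with "sufficient" a successful RADIUS answer short-circuits the stack, so pam_nologin.so on the following line is never consulted for that login.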
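To make concrete what travels between pam_radius_auth, the local Freeradius proxy and the WiKID server, here is an added example (not from the post, Freeradius or WiKID) that encodes an Access-Request with the RFC 2865 PAP password hiding and verifies a reply's Response Authenticator. The shared secret, user name and passcode are constructed placeholders, not the post's values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of pap_encrypt (what the proxy / WiKID does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    # Type-Length-Value; Length includes the two header bytes.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(user: str, otp: str, secret: bytes, ident: int, authenticator: bytes = b"") -> bytes:
    """Access-Request as pam_radius_auth sends it to 127.0.0.1:1812 (NAS-IP-Address = localhost)."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes, unique per request
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, pap_encrypt(otp.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes([127, 0, 0, 1])))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def build_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Server reply; RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check that the Accept/Reject came from a server holding the same shared secret."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return response[4:20] == expected
```

A secret mismatch between /etc/raddb/server, clients.conf or proxy.conf shows up here as a password that decrypts to garbage on the receiving side and, on the way back, as a Response Authenticator the client rejects.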