Secure SSH Using WiKID Two-Factor Authentication And TACACS+

Submitted by nowen on Thu, 2008-10-16 12:26.

These instructions will help you configure and test the use of the WiKID TACACS+ protocol module via Linux PAM on Red Hat. This document has been updated to cover pam .99 and higher. We assume that you have already installed the open-source WiKID Strong Authentication Server Community Edition.

TACACS+ is a Cisco protocol used to authenticate users to networking equipment. WiKID is a dual-source two-factor authentication system. PINs are encrypted on a software token and sent to the WiKID server. If the PIN is correct, the encryption is valid and the account is active, a one-time password is generated, encrypted and returned to the user's token, where it is decrypted and presented for use with network-based services.

First, edit your /etc/pam.d/sshd file to allow TACACS+ authentication:

auth       include      tacacs
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth

Next, install pam_tacplus:

You can download it here:
http://echelon.pl/pubs/pam_tacplus-1.2.9.tar.gz

$ tar xvfz pam_tacplus-1.2.9.tar.gz
$ make
# make install

Finally, create /etc/pam.d/tacacs:

#%PAM-1.0
auth       sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt
account    sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh
session    sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh

That should be it. You can test the configuration by logging in with a WiKID software token.
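
The /etc/pam.d/tacacs file above keeps the TACACS+ shared secret in clear text and turns on the debug option, which makes pam_tacplus log verbosely through syslog. The following check is an added example, not part of the original tutorial or of pam_tacplus: the function names, the finding labels and the sample files (built from the tutorial's auth line, with a made-up secret in the tightened variant) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint a pam_tacplus PAM file.
# Prints one finding per line; prints nothing when the file passes.
audit_tacacs_pam() {
    f=$1
    [ -r "$f" ] || { echo "ERROR: cannot read $f"; return 0; }
    # The shared secret sits in the file in clear text: flag world-readable files.
    if grep -q '^[^#]*pam_tacplus\.so.*secret=' "$f" &&
       [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "PERMS: world-readable file contains secret="
    fi
    awk '
        /^[ \t]*#/ || !/pam_tacplus\.so/ { next }   # skip comments, other modules
        {
            dbg = 0; enc = 0; secret = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "debug")   dbg = 1
                if ($i == "encrypt") enc = 1
                if ($i ~ /^secret=/) secret = substr($i, 8)
            }
            if (dbg)  print "DEBUG: line " NR " (" $1 ") has debug enabled"
            if (!enc) print "NOENCRYPT: line " NR " (" $1 ") lacks encrypt"
            # support_secret is the sample value printed in the tutorial
            if (secret == "support_secret")
                print "PLACEHOLDER: line " NR " (" $1 ") uses the tutorial secret"
        }' "$f"
    return 0
}

# Constructed sample input: settings from the tutorial auth line (mode 644) and
# a tightened variant (mode 600, no debug, made-up secret value).
write_samples() {
    mod=/lib/security/pam_tacplus.so
    for t in auth account session; do
        echo "$t sufficient $mod debug server=10.100.0.102 secret=support_secret encrypt"
    done > "$1/tacacs.page"
    for t in auth account session; do
        echo "$t sufficient $mod server=10.100.0.102 secret=Constructed-Example-1 encrypt"
    done > "$1/tacacs.tight"
    chmod 644 "$1/tacacs.page"; chmod 600 "$1/tacacs.tight"
}

SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT
write_samples "$SAMPLES"
for f in "$SAMPLES/tacacs.page" "$SAMPLES/tacacs.tight"; do
    echo "== $f"; audit_tacacs_pam "$f"
done
```

To check a live system, run audit_tacacs_pam /etc/pam.d/tacacs as root once the login test has passed and debug is no longer needed.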
