Secure SSH Using WiKID Two-Factor Authentication And TACACS+
These instructions are designed to help you configure and test the WiKID TACACS+ protocol module via Linux PAM on Red Hat. This document has been updated to cover PAM .99 and higher. We assume that you have already installed the open-source WiKID Strong Authentication Server Community Edition.

TACACS+ is a Cisco protocol used to authenticate users to networking equipment. WiKID is a dual-source two-factor authentication system. PINs are encrypted on a software token and sent to the WiKID server. If the PIN is correct, the encryption is valid and the account is active, a one-time password is generated, encrypted and returned to the user's token, where it is decrypted and presented for use with network-based services.

First, edit your /etc/pam.d/sshd file to allow TACACS+ authentication:

    auth       include      tacacs
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth

Next, install pam_tacplus. You can download it here:

    $ tar xvfz pam_tacplus-1.2.9.tar.gz

Finally, create /etc/pam.d/tacacs:

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt
    account    sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh
    session    sufficient   /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh

That should be it. You can test the configuration by logging in with a WiKID software token.
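Because /etc/pam.d/tacacs holds the TACACS+ shared secret in clear text and repeats the same options on three lines, it is worth checking the file after the test login works. The following is an added example, not part of the original tutorial or of pam_tacplus: a small Python check that parses the pam_tacplus lines and reports a missing auth/account/session entry, server= or secret= values that differ between lines, a line without encrypt, debug left on, and a file mode that lets group or other users read the secret. The function names and the choice of checks are assumptions made for this example.

```python
# Added example (not from the tutorial); the checks are this example's own choices.
import pathlib, re, sys

LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")
def tacplus_lines(text):
    """Return [(pam_type, options, flags)] for every pam_tacplus.so line."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())  # drop comments
        if not m or not m.group(3).endswith("pam_tacplus.so"):
            continue
        tokens = m.group(4).split()
        opts = dict(t.split("=", 1) for t in tokens if "=" in t)
        flags = {t for t in tokens if "=" not in t}
        rows.append((m.group(1).lstrip("-"), opts, flags))
    return rows

def lint(text, mode=None):
    """Return findings for a tacacs PAM file; mode is its st_mode, if known."""
    rows, out = tacplus_lines(text), []
    for need in ("auth", "account", "session"):
        if need not in {r[0] for r in rows}:
            out.append(f"no pam_tacplus line for '{need}'")
    for key in ("server", "secret"):
        values = {r[1].get(key) for r in rows}
        if None in values:
            out.append(f"a line is missing {key}=")
        elif len(values) > 1:
            out.append(f"{key}= differs between lines")
    if any("encrypt" not in r[2] for r in rows):
        out.append("'encrypt' is not set on every line")
    if any("debug" in r[2] for r in rows):
        out.append("'debug' is still enabled")
    if mode is not None and mode & 0o077:
        out.append("file is accessible by group/other but holds the shared secret")
    return out

# Constructed sample: the /etc/pam.d/tacacs contents shown in the tutorial.
SAMPLE = """#%PAM-1.0
auth sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt
account sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh
session sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh
"""

if __name__ == "__main__":
    text, mode = SAMPLE, None
    if len(sys.argv) > 1:  # e.g. /etc/pam.d/tacacs
        p = pathlib.Path(sys.argv[1])
        text, mode = p.read_text(), p.stat().st_mode
    print("\n".join(lint(text, mode)) or "no findings")
```

Run without arguments it checks the embedded sample; run as root with /etc/pam.d/tacacs as the argument it checks the live file and its permissions.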
Related Tutorials: Astaro and two-factor authentication from WiKID