Securing SSH On Ubuntu With WiKID Two-Factor Authentication

Submitted by nowen (Contact Author) (Forums) on Wed, 2011-06-01 17:49. :: Ubuntu | Security


SSH offers a highly secure channel for remote administration of servers. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some authentication-related shortcomings that may cause headaches in an audit. For example:

  • There is no way to control which users have public key authorization
  • There is no way to enforce passphrase complexity (or even be sure that one is being used)
  • There is no way to expire a public key

In this document we demonstrate how to add WiKID two-factor authentication to SSH on Ubuntu. The WiKID Strong Authentication System is a commercial/open source two-factor authentication solution. First, we will configure a domain on the WiKID server, then add the target server as a network client of the WiKID server, and finally configure the Ubuntu box via pam-radius.

The WiKID Strong Authentication server is now available for Ubuntu. Please see the installation instructions for the .deb package and the complete installation manual.  We assume your server is up and running and you are ready to implement two-factor authentication in your environment.


Adding A Domain To The WiKID Server


Create A Network Client

After saving the domain information, click on the Network Client tab and Create New Network Client. Enter a name for this client and the IP Address of the SSH gateway on the internal network. Select Radius as the protocol and the domain you created above as the domain.

Click Add to get the next page and enter the shared secret for Radius.

You will need to repeat this process for each server on your network.


Configure SSH On Your Ubuntu Box

Now we will configure SSH on the target machine. Each flavor of Linux handles PAM slightly differently. This tutorial covers how to install pam-radius for two-factor authentication on Ubuntu. For instructions on how to install pam-radius on Redhat flavors, see this page.

First, install the package:

$ sudo apt-get install libpam-radius-auth

That was pretty painless. Now let's configure it.  First, let's tell pam_radius which radius server to talk to:

$ sudo vim /etc/pam_radius_auth.conf

Note that the file says to copy it to /etc/raddb/server, but DO NOT do that.

Edit the line "other-server    other-secret       3", replacing 'other-server' with the IP address or hostname of your WiKID Strong Authentication server (or of a radius server, if you have one set up between WiKID and your servers) and replacing 'other-secret' with the shared secret you entered for this network client.

Now that the package is setup and pointing to your WiKID server, let's configure a service to use it. 

Edit your /etc/pam.d/sshd file and add the line:

auth       sufficient  pam_radius_auth.so

Just above:

# Standard Un*x authentication.
@include common-auth

Now, you are ready to test. I recommend you run 'tail -f /var/log/auth.log' while you test.
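Before testing, it helps to confirm that the two files edited above actually say what you think they say. The following checks are an added example, not part of the original article or of the pam-radius package; they take the file paths as arguments so they can be run against copies, and they assume GNU stat (Ubuntu coreutils).

```shell
#!/bin/sh
# Added example: sanity-check the pam_radius configuration described above.
# Assumes GNU stat (Ubuntu coreutils); file paths are passed as arguments.

# /etc/pam_radius_auth.conf: the shipped placeholder line must be gone, one
# real "server secret [timeout]" line must exist, and the file must not be
# readable by other local users because it holds the RADIUS shared secret.
check_radius_conf() {
    conf="$1"
    if grep -Eq '^[[:space:]]*(other-server[[:space:]]|[^#[:space:]]+[[:space:]]+other-secret)' "$conf"; then
        echo "FAIL: $conf still contains the shipped placeholder server/secret"; return 1
    fi
    if ! grep -Eq '^[[:space:]]*[^#[:space:]]+[[:space:]]+[^#[:space:]]+' "$conf"; then
        echo "FAIL: $conf has no server/secret line"; return 1
    fi
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $conf is mode $mode, expected 600"; return 1 ;;
    esac
    echo "OK: $conf"
}

# /etc/pam.d/sshd: there must be an auth line for pam_radius_auth.so and it
# must come before "@include common-auth", so the one-time passcode is
# checked first. With "sufficient", a RADIUS success ends the auth stack;
# a RADIUS failure falls through to whatever common-auth contains.
check_pam_sshd() {
    pamfile="$1"
    radius=$(grep -En '^[[:space:]]*auth[[:space:]]+(sufficient|required|requisite)[[:space:]]+pam_radius_auth\.so' "$pamfile" | head -n1 | cut -d: -f1)
    include=$(grep -En '^[[:space:]]*@include[[:space:]]+common-auth' "$pamfile" | head -n1 | cut -d: -f1)
    if [ -z "$radius" ]; then
        echo "FAIL: $pamfile has no auth line for pam_radius_auth.so"; return 1
    fi
    if [ -n "$include" ] && [ "$radius" -gt "$include" ]; then
        echo "FAIL: pam_radius_auth.so (line $radius) is after @include common-auth (line $include)"; return 1
    fi
    echo "OK: $pamfile"
}
```

Source the file as root and call `check_radius_conf /etc/pam_radius_auth.conf` and `check_pam_sshd /etc/pam.d/sshd`; each prints OK or a FAIL line and returns a matching exit status. Because pam_radius_auth.so is marked sufficient, whether a local password alone still opens a session after a RADIUS failure depends entirely on what common-auth contains.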

Note that we have not changed the account stack, so the user is expected to have a local account on the machine; alternatively, you can configure the account stack to use pam_ldap and point it at your AD/LDAP server.

Remote SSH is now extremely secure. No user can get access to the server without first getting a one-time passcode from the WiKID server. The two factors of authentication are possession of the WiKID token (and its cryptographic key) and knowledge of the PIN. Because the PIN is validated on the WiKID server, it is very easy to disable a user. Everything is logged and any auditor should be very pleased.

Additionally, you could require a WiKID one-time passcode for root access on internal machines. Just create a new domain for su and edit /etc/pam.d/su appropriately. This also lets you break the servers into different groups for management. For example, if you have a set of servers for HR to which only certain admins have root access, they can be configured for a specific WiKID domain, allowing fine-grained access control and strong authentication. Get more information on two-factor authentication from the WiKID website.


Submitted by Anonymous (not registered) on Thu, 2011-06-02 23:12.
To control which users have public key authorization
    With OpenSSH 4.3p2 and above you can use the Match conditional block to define which users have public key authorization

    In sshd_config add
    Match User root
      PubkeyAuthentication no


To enforce passphrase complexity
    In sshd_config set
    UsePAM yes

    Configure pam_cracklib.so for the password complexity
     /etc/pam.d/system-auth-ac
     pam_cracklib.so try_first_pass reject_username retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
    http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html


To expire a public key
    sshd_config option RevokedKeys is a way of expiring public keys.

Submitted by Dan (not registered) on Wed, 2011-09-14 11:09.
+1 Great comment! Of course you can do all that in OpenSSH Server!