Configure the SSH Gateway + Wiki-D

Discussion in 'Server Operation' started by mchuahan, Mar 23, 2008.

  1. mchuahan

    mchuahan New Member


    I have installed the WIKi-D server from the VMware image downloaded from the wikidsystem and i have also created the Network client and enabled the radius protocol according the guide line provied by wikidsystem.

    internal IP Address of the WiKi-d server is and we have another server the IP address of that server, we want to configure that server as the SSH Gateway and we want to Secure your SSH deployment with WiKID two-factor authentication. We are not able to connect with the wikid server and even i am not getting any error message in the log files. when i install the requied packages for radius by using yum command but this /etc/raddb/server is not aviable. Could some one please help me how can i configure the SSH gateway server.

  2. nowen

    nowen New Member HowtoForge Supporter

    This apparently has been worked out, though I was not told what the solution was. It apparently was an issue with pam_radius on the gateway which caused the one-time passcodes to become alphanumeric before reaching the WiKID server.

    Manoj: Can you post the solution?

  3. mchuahan

    mchuahan New Member

    Sure, i will post the solution.
  4. mchuahan

    mchuahan New Member

    Installing and Configuring Freeradius

    No matter what Linux variant you are running, there is probably a package for Freeradius. For Fedora, installing via Yum is simple:

    #yum install freeradius

    Configuring Freeradius is fairly straight-forward. There are a lot of options, though. The key is to only change the minimal items that you understand. The default settings work, so make small changes and test them. We will modify three files. The /etc/raddb/clients.conf file tells Freeradius which clients to accept. The proxy.conf file tells Freeradius to send the authentication packets to the WiKID server and the radiusd.conf file configures the main Freeradius server.

    First, edit the /etc/raddb/clients.conf file:
    vi /etc/raddb/clients.conf
    client {
    secret = testing123
    shortname = localhost
    nastype = other
    Note: No change in the existing file /etc/raddb/clients.conf, keep the original configuration as is it.
    All you need to change for now is the shared secret as we will login to the Freeradius server via SSH as our test.
    Next, validate that requests can be proxied in the radiusd.conf file. This was the case on Fedora.CentOS etc:
    vi /etc/raddb/radiusd.conf
    proxy_requests = yes
    $INCLUDE ${confdir}/proxy.conf
    Finally, add the WiKID Strong Authentication server as a valid proxy in proxy.conf:
    Note: No change in the existing file /etc/raddb/radiusd.conf, keep the original configuration as is it.
    vi /etc/raddb/proxy.conf
    #realm LOCAL {
    # type = radius
    # authhost = LOCAL
    # accthost = LOCAL

    Note: Comment all above lines in the /etc/raddb/proxy.conf file and add the following lines at the bottom of the /etc/raddb/proxy.conf file
    realm NULL {
    type = radius
    authhost =
    (IP Address of the WiKi-D server and port in which wiki-d server listening)
    # accthost = WIKIDSERVER_IP:1813
    secret = n0tfsaOKrDj (shared_secret to your WiKID server)
    Needless to say, change WIKIDSERVER_IP and shared_secret to your WiKID server IP and shared secret. It probably should be different than the shared secret used for the client.
    For additional security, you should lock down ownership of these flies:
    chmod a-rwx,u+r /etc/raddb/proxy.conf
    chmod a-rwx,u+r /etc/raddb/clients.conf
    Now start Freeradius:

    service radiusd start
    #/etc/init.d/ radiusd start
    Configuring PAM SSH
    First, you need to install PAM Radius. There is excellent documentation on this at the PAM Radius home page. Depending on your distribution, you might also be able to find a suitable binary. I had no trouble compiling this on Fedora 7 and CentOS:
    # make
    # make install
    Note: We can install the PAM radius by using the Yum command
    #yum install pam-* or we can install it by using the above commands.
    Please download the pam_radius-1.3.17.tar.gz source file from the above sites.
    #tar xfz pam_radius-1.3.17.tar.gz
    Copy '' to /lib/security/
    #cp to /lib/security/
    vi /etc/pam.d/sshd

    auth sufficient /lib/security/
    auth required service=system-auth
    auth required
    account required service=system-auth
    password required service=system-auth
    session required service=system-auth
    session required
    The “sufficient” tag indicates that if the Radius authentication succeeds then no additional authentication will be required. However, if the Radius authentication fails, a username and password from the system will work. Use "Required" to require strong authentication. Because we are only editing the sshd file, it will not affect terminal log-ins. PAM can be very different on different linux variants. Consult the specific documentation for your OS.
    You will need a server configuration file. An example is given in the file pam_radius_auth.conf. You will need to copy this file to /etc/raddb/server. The file MUST be secure! i.e.
    chown root /etc/raddb
    chmod go-rwx /etc/raddb
    chmod go-rwx /etc/raddb/server

    vi /etc/raddb/server

    # server[:port] shared_secret timeout (s)
    #Below the line: secret 1
    #other-server other-secret 3
    #Add this line:
    localhost n0tfsaOKrD 1
    Finally, I made sure that PublicKey authentication was turned off in /etc/ssh/sshd_config:
    PubkeyAuthentication no

    Let's add some security to SSH configuration here too. Open your /etc/ssh/sshd_config (not the nearby ssh_config file). Add these configuration options:

    #Protocol 2,1
    #Check that only protocol 2 is allowed:
    Protocol 2
    #Disallow root login:
    PermitRootLogin no
    #Disallow accounts without passwords:
    PermitEmptyPasswords no

    If you want to change the port you can. It won't stop an attacker, but it might cut down on log events caused by script kiddies. This gateway box is now set to use WiKID one-time passwords for SSH authentication. All users have to be registered with the WiKID server and no one can login as root. Before we leave this box, we'll do something that is a little bit different - we will have the users create their RSA private key on the gateway. Once each users is signed into the box with WiKID, have them create their keys:
    ssh-keygen -t rsa
    In my opinion, passphrases for these keys are redundant. They are here only to create a single sign on functionality into the server farm. Obviously, you must be careful to be sure that users do not have access to other keys.

    Configuring the WiKID Server
    Now, we'll configure the WiKID server to process the one-time passwords from Freeradius. We assume that you also need to set up a new WiKID domain. If you already have one, you may skip this part. Additional WiKID installation documentation is available here.
    Log into the WiKID server and click on the Domains Tab.
    Click on Create a New Domain.
    Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is, the WiKID server code would be 216239051099. Click "Create". (Obviously, if you already have a domain setup, you can skip this step.)
    Click Network Clients tab and on "Create a new Network Client".
    Enter the information requested. For the IP Address, use the IP address of the Freeradius server. Select Radius and the domain you just created. Click "Add" when you're finished.
    On the next page, enter the shared secret you entered in the /etc/raddb/proxy.conf file of the Freeradius server. Do not have to enter any information under "Return Attributes".
    Important: From the WiKID terminal or via SSH, you will need to run "wikidctl stop" and then "wikidcl start" to load the new configuration into the WiKID Radius server. (WiKID 2.0 users just run "stop" and "start".)
    Testing Freeradius with one-time passwords
    Download and install a WiKID Token client. You can manually validate yourself as a user from the WiKIDAdmin web interface. Once validated, select the Domain associated with the Freeradius resource:

    Enter the PIN:

    And you will get back the one-time passcode. The OTP is time-bounded, but the time can be set on the WiKID server to whatever you want:

    Now, ssh to your Freeradius box:
    ssh [email protected]_server
    When prompted, enter the WiKID one-time password - it should have automatically been pasted to your clip-board so ctrl-c or shift-ins should work. You should be granted access. If not, there a number of logs to consult. First, check /var/log/secure on your Freeradius server to see why the user was rejected. If you see "All RADIUS servers failed to respond." make sure that radiusd is running on port 1812. Check Freeradius's logs at /var/log/radius/radius.log and the WiKID radius log at /opt/WiKID/log/radius.log on the WiKID server.

Share This Page