Secure SSH Using WiKID Two-Factor Authentication And TACACS+
These instructions are designed to help you configure and test the WiKID TACACS+ protocol module via Linux PAM on Red Hat. This document has been updated to cover PAM 0.99 and higher. We assume that you have already installed the open-source WiKID Strong Authentication Server Community Edition.
TACACS+ is a Cisco protocol used to authenticate users to networking equipment. WiKID is a dual-source two-factor authentication system. PINs are encrypted on a software token and sent to the WiKID server. If the PIN is correct, the encryption valid and the account active, a one-time password is generated, encrypted and returned to the user's token, where it is decrypted and presented for use with network-based services.
First, edit your /etc/pam.d/sshd file to allow TACACS+ authentication:
auth include tacacs
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
Next, install pam_tacplus:
You can download it here:
http://echelon.pl/pubs/pam_tacplus-1.2.9.tar.gz
$ tar xvfz pam_tacplus-1.2.9.tar.gz
$ cd pam_tacplus-1.2.9
$ make
# make install
Finally, create /etc/pam.d/tacacs:
#%PAM-1.0
auth sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt
account sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh
session sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh
That should be it. You can test the configuration by logging in with a WiKID software token.
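Before relying on the stack, it helps to see what PAM will actually evaluate. The following Python is an added example (not part of the original tutorial and not WiKID or pam_tacplus code): it flattens the two files above the way Linux-PAM follows include lines and flags settings that would weaken two-factor enforcement. The system-auth contents and the lint rules are the editor's assumptions.

```python
# Constructed copies of the tutorial's two files plus a stub system-auth (assumption).
PAM_FILES = {
    "sshd": "auth include tacacs\naccount required pam_nologin.so\n"
            "account include system-auth\npassword include system-auth\n"
            "session optional pam_keyinit.so force revoke\nsession include system-auth\n",
    "tacacs": "#%PAM-1.0\n"
              "auth sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt\n"
              "account sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh\n"
              "session sufficient /lib/security/pam_tacplus.so debug server=10.100.0.102 secret=support_secret encrypt service=shell protocol=ssh\n",
    "system-auth": "auth required pam_unix.so try_first_pass\n",
}

def parse(text):
    # Yield (type, control, module, args) tuples, skipping comments and blank lines.
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split()
        if line:
            yield line[0], line[1], line[2], line[3:]

def resolve(service, mtype, files, depth=0):
    """Flatten one management type's stack, following 'include' like Linux-PAM."""
    if depth > 8:
        raise RecursionError("include loop at " + service)
    stack = []
    for entry in parse(files[service]):
        if entry[0] != mtype:
            continue
        if entry[1] == "include":
            stack.extend(resolve(entry[2], mtype, files, depth + 1))
        else:
            stack.append(entry)
    return stack

def lint_auth(files, service="sshd"):
    """Findings on the resolved auth stack; an empty list means it looks right."""
    stack, findings = resolve(service, "auth", files), []
    hits = [i for i, e in enumerate(stack) if e[2].endswith("pam_tacplus.so")]
    if not hits:
        return ["no pam_tacplus.so reachable from %s auth stack" % service]
    for i in hits:
        _, control, _, args = stack[i]
        if not {"server", "secret"} <= {a.split("=", 1)[0] for a in args if "=" in a}:
            findings.append("pam_tacplus lacks server= or secret=")
        if "debug" in args:
            findings.append("debug enabled on pam_tacplus")
        # 'sufficient' only short-circuits on success; on failure PAM keeps going,
        # so a later pam_unix.so would allow password-only logins.
        if control == "sufficient" and any(e[2].endswith("pam_unix.so") for e in stack[i + 1:]):
            findings.append("password-only fallback after pam_tacplus")
    return findings
```

Run against the tutorial's files it reports only the debug option; adding a second `auth include system-auth` line to sshd makes it report the password-only fallback as well.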