How to secure VNC remote access with two-factor authentication
VNC is the most popular remote access solution today. However, it was developed to provide remote access, not to provide secure remote access. Administrators have to add security to VNC by tunneling it through an encrpyted channel such as SSH and adding a layer of authentication. In this article, we will show you how to combine the NoMachine NX server to encrypt VNC and remote X session combined with two-factor authentication from WiKID Systems to create a secure, fast remote access solution.
NoMachine and WiKID
NoMachine is a Terminal Server and Remote Access solution optimized for speed and security. All connections are piped through SSH. NoMachine is far faster than just piping VNC through SSH thanks to their compression algorithms. Plus, they offer RDP and Remote X sessions and clients for Windows, Mac & Linux.
WiKID is a dual-source two-factor authentication system optimized for security and ease-of-use. WiKID uses public-key cryptography instead of shared secrets like most hardware-based solutions. WiKID relies on validation of a user-selected PIN at the server - making it stronger and much more manageable than certificates. In this configuration, WiKID will handle user authentication and NoMachine will handle tunnel encryption and compression. For VNC, I am using RealVNC's Personal Edition. I did nothing to configure it, except add a password for authentication so details are not included. Both the WiKID server and your SSH/NoMachine server should be in the DMZ, with one card accepting connections from the Internet for client connections and the other configured for LAN access to exchange authentication requests and VNC connections respectively.
Configuring the WiKID Server
Here's how it will work: to access to a remote desktop, start the NX client and enter a WiKID one-time passcode and username. The user generates the one-time passcode on their WiKID token and enters it into the password prompt. SSH will route the username and one-time password to the WiKID server via pam radius. If the username and one-time password match what WiKID expects, the server will tell SSH to grant access. The NX client will then send the VNC password to the target VNC box.
First, we add the SSH/NoMachine box to the WiKID Strong Authentication Server as a network client, then configure PAM radius on the SSH/NoMachine server. I assume that you have already configured the WiKID server. More information on how to install and confgure WiKID can be found here.
Start by creating a domain for remote access users:
- Log into WiKID server web interface (http://yourwikidserver/WiKIDAdim).
- Click on the Domains Tab
- Click on Create a New Domain
- Fill in the form for a new domain. Leave "Registered URL:" blank that is just for SSL-based mutual authentication. Also do not check "Use TACACS+" and "Password Reset Domain:". Passcode lifetime should be set long enough for the user to be able to log in. The default is 60 seconds, but you can increase it. The default PIN length is 6 digits, but you can set it for 4 if you prefer. "Device Domain Name" is what the user sees on the token client.
- Click the "Create" Button
Now add a new Radius network client to the WiKID server that points to your SSH/NoMachine server:
- Select Network Clients tab.
- Click on Create New Network Client
- Fill in the requested information.
- For the IP Address, use the SSH/NoMachine server IP address
- For Protocol, select Radius
- Hit the Add button, and on the next page, enter a shared secret
- Do not enter anything into the Return Attribute box
- From the terminal or via ssh, run 'stop' and then 'start' to load the network client into the built-in WiKID radius server
That is it for the WiKID server. You can add users manually as the administrator or set up scripts in a secure location (your LAN, e.g.) to allow users to add their own tokens.
Configuring NoMachine and SSH.
For this example, we're using the NX Server Free Edition, which is very simple to configure - in fact it works out of the box. It is limited to 2 concurrent users, so companies will want to look to their Enterprise editions. Download the Server, NX node and client from their download site and install:
rpm -ivh nx*
Now, we configure SSH to use Radius:
First, you need to install PAM Radius. There is excellent documentation on this at the PAM Radius home page. Depending on your distribution, you might also be able to find a suitable binary.
Edit /etc/pam.d/sshd to allow Radius authentication:vi /etc/pam.d/sshd
Go to the second line of the file, hit the Insert key or the i key and insert this line:
auth required /lib/security/pam_radius_auth.so
just above this line:
auth required pam_stack.so service=system-auth
The "Required" tag require two-factor authentication. Because we are only editing the sshd file, it will not affect terminal log-ins.
Write the file and quit. Hit the Esc key to exit insert mode and type :wq
Edit or create your /etc/raddb/server file:
vi /etc/raddb/server
Below the line:
127.0.0.1 secret 1
Add this line, substituting the IP Address of the WiKID server:
routableIPaddress shared_secret 1