Securing SSH On Ubuntu Precise With WiKID Two-Factor Authentication
SSH offers a highly secure channel for remote administration of servers. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some potential authentication related short-comings that may cause headaches in an audit. For example:
- There is no way to control which users have public key authorization
- There is no way to enforce passphrase complexity (or even be sure that one is being used)
- There is no way to expire a public key
Additionally, SSH keys work great, but not for other services. We recently showed you how to add two-factor authentication to Apache . Using Radius for SSH means that we are getting closer to using a single, standard authentication protocol for your organization. As we will see in future tutorials, this standardization makes identity management much easier and more secure.
In this document we are going to demonstrate how to combine two-factor authentication from WiKID with PAM for SSH on Ubuntu. The WiKID Strong Authentication System is a commercial/open source two-factor authentication solution. First, we will configure a domain on the WiKID server, then add the targeted server as a network client to the WiKID server, and finally configure the Ubuntu Precise box via pam-radius. This document will also serve as the basis for additional tutorials because many services on Linux use PAM for authentication.
The WiKID Strong Authentication server is available for Ubuntu. Please see the installation instructions for the .deb package and the complete installation manual. We assume your server is up and running and you are ready to implement two-factor authentication in your environment.
Adding A Domain To The WiKID Server
Create A Network Client
After saving the domain information, click on the Network Client tab and Create New Network Client. Enter a name for this client and the IP Address of the SSH gateway on the internal network. Select Radius as the protocol and the domain you created above as the domain.
Click Add to get the next page and enter the shared secret for Radius.
You will need to repeat this process for each server on your network.
Configure SSH On Your Ubuntu Box
Now we will configure SSH on the target machine. Each flavor of linux handles PAM slightly differently. This tutorial covers how to install pam-radius for two-factor authentication on Ubuntu. For instructions on how to install pam-radius on Redhat flavors, see this page.
First, install the package:
$ sudo apt-get install libpam-radius-auth
That was pretty painless. Now let's configure it. First, let's tell pam_radius which radius server to talk to:
$ sudo vim /etc/pam_radius_auth.conf
Note that the file says to copy it to /etc/raddb/server, but DO NOT do that.
Edit the line "other-server; other-secret 3"; replacing 'other-server' with IP address or hostname of your WiKID Strong Authentication server (or radius server if you have one set up in between WiKID and your servers) and change 'other-secret' the shared secret for this network client.
Now that the package is setup and pointing to your WiKID server, let's configure a service to use it.
Edit your /etc/pam.d/sshd file
$ sudo vim /etc/pam.d/sshd
And add the line:
auth sufficient pam_radius_auth.so
# Standard Un*x authentication. @include common-auth
Now, you are ready to test. I recommend you run 'tail -f /var/log/auth.log' while you test.
Note that we have not made any changes to the account setup, so the user is expected to have a local account on the machine or you can configure account to use pam_ldap and point it to your AD/LDAP server.
Remote SSH is now extremely secure. No user can get access to the server without first getting a one-time passcode from the WiKID server. The two-factors of authentication are possession of the WiKID token (and it's cryptographic key embedded in the token) and knowledge of the PIN. Because the PIN is validated on the WiKID server, it is very easy to disable a user. Everything is logged and any auditor should be very pleased.
Additionally, you could require a WiKID one-time passcode for root access on internal machines. Just create create a new domain for su and edit /etc/pam.d/su appropriately. This will also allow you to break the servers into different groups for management. Just create For example, if you have a set of servers for HR to which only certain admins have root access, they can be configured for a specific WiKID domain - allowing fine grained access control and strong authentication. Get more information on two-factor authentication from WiKID website.