How to configure sudo for two-factor authentication using pam-radius on Ubuntu and CentOS
Attackers frequently use lost, stolen, weak or default credentials to escalate their privileges after they have infiltrated your network. While two-factor authentication can greatly reduce infiltration, there are other means of gaining entry such as malware. This tutorial shows how to add radius to sudo for Centos 7 and Ubuntu 14.04 for two-factor authentication with the WiKID Strong Authentication server. Using pam-radius is nice because it allows you to insert a radius server, such as Freeradius or NPS on Windows, so you can perform authorization in your directory and then authentication against a separate two-factor auth server. Managing your users in a central directory is a very good security practice. Note that since we are using RADIUS, this basic setup works for all enterprise-class 2FA systems.
Configure sudo on Centos/RHEL for two-factor authentication
We will start on RHEL/Centos 7. Install the pre-requisites:
sudo yum -y install make gcc pam pam-devel
Get the latest PAM RADIUS code (1.4 as of this writing):
wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz
Build the library:
tar -xzvf pam-radius-x.x.x.tar.gz
cd pam-radius-x.x.x
sudo ./configure
sudo make
Copy the library to the proper location:
cp pam_radius_auth.so /lib/security/
Or for 64bit:
cp pam_radius_auth.so /lib64/security/
Create the configuration directory and copy the configuration file under the name 'server':
sudo mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server
Edit /etc/raddb/server and add your radius server IP and the shared secret to this file.
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
radius_server_IP secret 3
#
# having localhost in your radius configuration is a Good Thing.
(Note that while we want the radius in the loop eventually, you can also user your WiKID server as the radius server, add this Centos box as a network client on WiKID, restart WiKID and be done or at least you can test this way. It's always a good idea to do some small tests along the way, just be sure to remove them.)
Next, we need to tell sudo to use radius. Edit the file /etc/pam.d/sudo and replace "auth include system-auth" with:
auth required pam_radius_auth.so
That's it for the Centos/RHEL 7 box. The same setup work for 5 and 6 too.
Configure sudo on Ubuntu for two-factor authentication
Next up is the Ubuntu 14.04 server. First, install pam-radius:
sudo apt-get install libpam-radius-auth
Configure it with the NPS server as well by editing /etc/pam_radius_auth.conf. So that it is the same as above:
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
radius_server_IP secret 3
#
# having localhost in your radius configuration is a Good Thing.
Edit your /etc/pam.d/sudo file and add the line ' auth sufficient pam_radius_auth.so' above the comm-auth line:
auth required pam_env.so readenv=1 user_readenv=0
auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth sufficient pam_radius_auth.so
@include common-auth
@include common-account
@include common-session-noninteractive
That's is for the Ubuntu server.
Now, anytime an admin attempts to use sudo, they must enter their one-time passcode. PAM will forward the username and OTP to your radius server or your WiKID server for validation.
Using two-factor authentication for administrative accounts is a powerful tool for securing your network. It may even become part of the PCI DSS requirements.