Yubico/yubico-pam

snottysurfside | Servers | 9 Dec 2013

Author: Yubico
Page 1    12/9/2013
Created on: 01-30-2009
Modified: 01-30-2009
Version: V1.1
Document Name: Yubico PAM Module Configuration for RADIUS on Linux Platform
File Name: Yubico_PAM_Module_Configuration_for_RADIUS_on_Linux_Platform_v1
Confidential 1(5)

Yubico Configuration Document


1. About this document

The purpose of this document is to guide readers through the configuration steps to enable two-factor authentication using a YubiKey and a RADIUS server on the Linux platform. This document assumes that the reader has advanced knowledge of and experience in Linux system administration, particularly in configuring the PAM authentication mechanism on a Linux platform.

Although this configuration guide focuses on configuring the radiusd daemon to authenticate against a centralized LDAP database provided by Active Directory (AD), radiusd can easily be configured to use a centralized LDAP database provided by any popular directory service, by configuring the appropriate PAM modules in the radiusd PAM configuration file.



2. Prerequisites

Successful configuration of the Yubico PAM module to support two-factor authentication for RADIUS requires the following prerequisites:

1) Operating System: Any Unix operating system which supports PAM (Pluggable Authentication Module) (http://www.kernel.org/pub/linux/libs/pam/)

2) Compiler: GNU GCC compiler (http://gcc.gnu.org/)

3) Yubico PAM Module: Yubico PAM Module (from branch "RADIUS_on_Premise") can be downloaded from the following links:

   Project Home: http://code.google.com/p/yubico-pam
   Code Base (SVN): http://yubico-pam.googlecode.com/svn/branches/RADIUS_on_Premise

4) FreeRADIUS: FreeRADIUS version 1.1.7 or later. It can be downloaded from the following link:

   http://freeradius.org/download.html

5) Active Directory LDAP database


3. Configuration

We assume that FreeRADIUS is already installed on the server.

Configuration of the FreeRADIUS server to support PAM authentication:




a) Edit the radiusd configuration file "/etc/raddb/radiusd.conf" to make the following changes:

   1) Change user and group to root to give the radiusd daemon root privileges, so that it can call and use PAM modules for authentication.
      NOTE: Generally, it is not good security practice to assign root privileges to the user a daemon runs as. However, since use of PAM requires root privileges, this is a mandatory step here.

   2) In the "authenticate" section, uncomment pam to direct the radiusd daemon to use the PAM module for authentication.

b) Edit the client configuration file "/etc/raddb/clients.conf" to add a sample client for testing.

c) Edit the user configuration file "/etc/raddb/users" to make the following change:

   1) Change "DEFAULT Auth-Type = System" to "DEFAULT Auth-Type = pam" to use PAM modules for user authentication.

Installation of the pam_yubico module:

Build instructions for pam_yubico are available in the README:

http://code.google.com/p/yubico-pam/source/browse/trunk/README






Configuration of the SELinux policy to create an exception for the radiusd daemon:

The locally effective SELinux policy must be updated to give the radiusd daemon sufficient privileges on system resources. Please follow the steps below to configure an effective SELinux policy for the radiusd daemon:

1) Start the radiusd daemon.

2) Test RADIUS authentication with the test case provided in the "Testing the configuration" section below.

3) As the radiusd daemon doesn't have sufficient SELinux privileges to access the system resources required for using PAM modules, the RADIUS authentication will fail.

4) This will create log entries in either "/var/log/messages" or "/var/log/audit/audit.log", depending on the SELinux configuration.

5) We can use the audit2allow utility to grant SELinux privileges to radiusd with the following sequence of commands:

   # audit2allow -m local -l -i /var/log/messages > local.te
   # checkmodule -M -m -o local.mod local.te
   # semodule_package -o local.pp -m local.mod
   # semodule -i local.pp




6) For more information on updating SELinux policy and an explanation of the above commands, please visit the following website:

   http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
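The audit2allow step above turns every denial in the log into an allow rule, so the generated local.te should be read before it is packaged and installed, and it should contain only the radiusd accesses you expect. The following script is an added example, not part of this document or of the audit2allow tool: it parses AVC denial records in the standard audit format, keeps only those for the radiusd process, and groups them into the same (source type, target type, class) buckets that the allow rules in local.te are built from. The log lines embedded in it are constructed for the example; the denials a real system produces will differ.

```python
import re
from collections import defaultdict

# Constructed sample log: three denials for radiusd plus one unrelated httpd
# denial, laid out in the standard AVC record format. Real logs differ per system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1386590000.101:201): avc:  denied  { read } for  pid=2101 comm="radiusd" name="shadow" dev=sda1 ino=4711 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386590000.102:202): avc:  denied  { open } for  pid=2101 comm="radiusd" name="shadow" dev=sda1 ino=4711 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1386590000.103:203): avc:  denied  { name_connect } for  pid=2101 comm="radiusd" dest=443 scontext=system_u:system_r:radiusd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1386590000.104:204): avc:  denied  { write } for  pid=3300 comm="httpd" name="index.html" dev=sda1 ino=9000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')  # the { perm perm ... } set


def context_type(ctx):
    """Pull the type (third field) out of a user:role:type:level context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for any other line."""
    m = PERMS_RE.search(line)
    if 'avc:' not in line or m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm', ''),
        'source_type': context_type(fields.get('scontext', '')),
        'target_type': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', ''),
    }


def summarize_denials(log_text, comm='radiusd'):
    """Group the denials of one process by (source type, target type, class).

    Each key corresponds to one allow rule audit2allow would emit; the value
    lists the permissions that rule would grant.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['comm'] != comm:
            continue
        rules[(rec['source_type'], rec['target_type'], rec['tclass'])].update(rec['perms'])
    return {key: sorted(perms) for key, perms in rules.items()}


def render_te(rules):
    """Render the grouped denials as type-enforcement allow lines for review."""
    return ['allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(perms))
            for (src, tgt, cls), perms in sorted(rules.items())]


if __name__ == '__main__':
    for rule in render_te(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run it against the real /var/log/audit/audit.log (or the AVC lines in /var/log/messages) by passing the file contents to summarize_denials; anything in the output that is not explained by PAM's needs (reading the shadow file, reaching the validation server) is a reason to trim local.te rather than install it as generated.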




Configuration of Active Directory:

Download and install Windows Services for UNIX from the Microsoft site. This will install the LDAP attributes we need to get this all working, and will give you a new tab "UNIX Attributes" in the AD user settings.

Preparing Groups in AD:

Now create your first security group in AD. (Note that the group name must not include special characters or spaces.) Once the group has been created, edit the UNIX Attributes under Properties and set it to the default created NIS Domain; you may keep the same Group ID or change it as needed.

Preparing Users in AD:

Once the security group has been set up (we have used "FreeRADIUS Users" in the configuration example below), you can add users to the group. Under user Properties, you will see a tab "UNIX Attributes" that contains LDAP attributes. Even though we won't be using NIS, you have to set the NIS Domain to get access to the other options.


Setting up a Linux server for user authentication with AD

Please make sure that the following packages are already installed on the Linux server:

1) openldap
2) openldap-devel
3) pam_krb5
4) ntp

In order to log in, we have to synchronize the Linux server's time with the Active Directory domain controller. Please use the following sequence of commands to synchronize the time:

# /etc/rc.d/init.d/ntpd stop
# ntpdate -u <Active Directory Domain Controller IP Address/domain name>
# /etc/rc.d/init.d/ntpd start

We have to modify the following files to enable the FreeRADIUS server to authenticate users with Active Directory. For the configuration example, we are using rectangle.com as our AD domain and ad-test.rectangle.com as our domain controller. We have created a user named Scott for binding the Linux server to the AD domain controller.

1) /etc/krb5.conf
2) /etc/ldap.conf



3) /etc/nsswitch.conf

All the sample configuration files are provided along with this document.


4. Test Setup

Our test environment consists of the following components:

A) Operating System: Fedora release 8 (Werewolf)
B) FreeRADIUS Server: FreeRADIUS Version 1.1.7
C) Yubico PAM: pam_yubico Version 1.8
D) "/etc/pam.d/radiusd" file:

   auth required pam_yubico.so id=1678 debug userauth url=<url of Yubico Validation server>
   auth sufficient pam_krb5.so use_first_pass
   auth sufficient pam_ldap.so use_first_pass
   auth include system-auth

   account [default=bad success=ok user_unknown=ignore] pam_ldap.so
   account [default=bad success=ok user_unknown=ignore] pam_krb5.so
   account required pam_nologin.so
   account include system-auth

   password sufficient pam_krb5.so use_authtok
   password sufficient pam_ldap.so use_authtok
   password include system-auth

The userauth option enables the Yubico PAM module to check the mapping between the user and the YubiKey ID in the Yubico Validation Server specified in the URL.
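The order and control flags in the auth stack above are what make the YubiKey a real second factor: pam_yubico.so is "required", so a bad OTP records a failure that the stack cannot recover from, and it comes before the "sufficient" pam_krb5.so and pam_ldap.so entries, which would otherwise return success on the password alone. The script below is an added example, not code from this document or from pam_yubico; it parses a pam.d file and reports any arrangement that breaks this property. It encodes the standard PAM control-flag semantics ("required" keeps running the stack but fixes the final result to failure; "sufficient" returns success immediately unless an earlier required module has failed). The stack from the test setup is embedded as given there; the weakened variant, the finding messages and the example.invalid URLs are constructed for the example.

```python
import re

# The auth stack from the document's test setup, URL placeholder as given there.
DOC_RADIUSD_PAM = """\
auth required pam_yubico.so id=1678 debug userauth url=<url of Yubico Validation server>
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth include system-auth
"""

# Constructed weak variant: pam_yubico demoted to 'sufficient' and placed after
# pam_krb5, so a valid AD password succeeds before the OTP is ever checked.
WEAK_RADIUSD_PAM = """\
auth sufficient pam_krb5.so
auth sufficient pam_yubico.so id=1678 userauth url=https://example.invalid/wsapi/verify
auth include system-auth
"""

# type  control (a word or a [bracketed] action list)  module  optional args
LINE_RE = re.compile(r'^(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$')


def parse_pam(text):
    """Parse a pam.d file into (type, control, module, [args]) tuples, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m['type'], m['control'], m['module'], m['args'].split()))
    return entries


def audit_auth_stack(text):
    """Return a list of findings about the auth stack; an empty list means it looks right."""
    findings = []
    auth = [e for e in parse_pam(text) if e[0] == 'auth']
    yubico_idx = next((i for i, e in enumerate(auth) if e[2] == 'pam_yubico.so'), None)
    if yubico_idx is None:
        return ['pam_yubico.so is not in the auth stack']
    _, control, _, args = auth[yubico_idx]
    if control != 'required':
        findings.append('pam_yubico.so control is %r; it must be "required" so a failed OTP fails the stack' % control)
    # Any 'sufficient' module ahead of pam_yubico can end the stack on the password alone.
    for e in auth[:yubico_idx]:
        if e[1] == 'sufficient':
            findings.append('%s is "sufficient" before pam_yubico.so; a password alone would satisfy the stack' % e[2])
    # The password modules after it must reuse the password pam_yubico already consumed.
    for e in auth[yubico_idx + 1:]:
        if e[2] in ('pam_krb5.so', 'pam_ldap.so') and 'use_first_pass' not in e[3]:
            findings.append('%s lacks use_first_pass; it would prompt again instead of reusing the password pam_yubico consumed' % e[2])
    url = next((a for a in args if a.startswith('url=')), None)
    if url is None or url.startswith('url=<'):
        findings.append('pam_yubico.so url= is missing or still a placeholder')
    if 'userauth' not in args:
        findings.append('pam_yubico.so lacks userauth; the user-to-YubiKey mapping would not be checked')
    if 'debug' in args:
        findings.append('pam_yubico.so has debug enabled; remove it outside troubleshooting')
    return findings


if __name__ == '__main__':
    for name, cfg in (('document', DOC_RADIUSD_PAM), ('weak', WEAK_RADIUSD_PAM)):
        print(name, '->', audit_auth_stack(cfg) or 'OK')
```

Against the document's own stack the only findings are the placeholder URL and the debug flag, both expected to be cleared before production; against the weakened variant it reports the demoted control flag and the "sufficient" pam_krb5.so ahead of the OTP check.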


5. Testing the configuration

We have tested the pam_yubico configuration on the following Linux server platforms:

1) Fedora 8:

   a) Operating system: Fedora release 8 (Werewolf)
   b) FreeRADIUS Server: FreeRADIUS Version 1.1.7
   c) Yubico PAM: modified pam_yubico module

To test RADIUS two-factor authentication with a YubiKey, we can use the "radtest" RADIUS client. The command is as follows:

# radtest <user name> <passwd followed by YubiKey generated OTP> <radius-server>:<radius server port> <nas-port-number> <secret [ppphint] [nasname]>




e.g.:

# radtest test test123vrkvfefuitvflvgufcdlbjufkggukufkebeildbdkkjc 127.0.0.1 0 testing123
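In the radtest line above the second argument is the user's password "test123" with a YubiKey OTP appended; the module separates the two by length, since a YubiKey OTP in the default configuration is 44 modhex characters and its first 12 characters are the public identity of the key that userauth maps to the user. The script below is an added example, not code from this document or from pam_yubico; it performs that split on the document's own example value, validates the modhex alphabet, and decodes the public identity to hexadecimal for reference. The function and constant names are chosen for the example.

```python
MODHEX_ALPHABET = 'cbdefghijklnrtuv'   # modhex digit i is written as MODHEX_ALPHABET[i]
OTP_LENGTH = 44                        # length of a YubiKey OTP in the default configuration
PUBLIC_ID_LENGTH = 12                  # leading modhex characters that identify the key


def is_modhex(text):
    """True if text is non-empty and every character is a valid modhex digit."""
    return len(text) > 0 and all(ch in MODHEX_ALPHABET for ch in text)


def modhex_to_hex(text):
    """Decode a modhex string to lowercase hexadecimal."""
    if not is_modhex(text):
        raise ValueError('not modhex: %r' % text)
    return ''.join('%x' % MODHEX_ALPHABET.index(ch) for ch in text)


def split_password_otp(field):
    """Split a password field into (static_password, otp, public_id).

    The OTP is the trailing 44 characters; everything before it is the user's
    own password (possibly empty). Raises ValueError if no OTP can be present.
    """
    if len(field) < OTP_LENGTH:
        raise ValueError('field is shorter than a YubiKey OTP; no OTP present')
    password, otp = field[:-OTP_LENGTH], field[-OTP_LENGTH:]
    if not is_modhex(otp):
        raise ValueError('trailing %d characters are not modhex; no OTP present' % OTP_LENGTH)
    return password, otp, otp[:PUBLIC_ID_LENGTH]


# The password field from the document's radtest example.
EXAMPLE_FIELD = 'test123vrkvfefuitvflvgufcdlbjufkggukufkebeildbdkkjc'

if __name__ == '__main__':
    pw, otp, pub = split_password_otp(EXAMPLE_FIELD)
    print('password :', pw)
    print('otp      :', otp)
    print('public id:', pub, '(hex %s)' % modhex_to_hex(pub))
```

The split is purely positional: a long password whose last 44 characters happen to be modhex would pass this check with no YubiKey involved. That is why the split is only the first step; the OTP still has to be validated by the validation server named in url=, and the public identity checked against the user's registered key, before the stack treats it as a second factor.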