Configure the SSH Gateway
Now we will configure the central SSH gateway. This linux box is the gateway/proxy to all the production servers in the farm. It should be locked down tight with no extraneous software or services running on it. It should have an external interface for in-bound connections and an internal interface for internal connections. First, we will configure the gateway box to use WiKID for strong authentication of SSH users.
Start by installing PAM Radius. The PAM Radius home page is here.
Download the tar file (as of this writing 1.3.17 was the latest).
Run:
$ make
Copy the resulting shared library to /lib/security.
$ sudo cp pam_radius_auth.so /lib/security/
Edit /etc/pam.d/sshd to allow Radius authentication.
$ sudo vi /etc/pam.d/sshd
N.B.: Distributions of linux have different pam.d file formats. Please check with your distribution for specific suggestions. These instructions work for Fedora/Redhat/Centos.
Go to the first line of the file, hit the Insert key or the i key and insert this line.
auth sufficient /lib/security/pam_radius_auth.so
The 'sufficient' tag indicates that if the Radius authentication succeeds then no additional authentication will be required. However, if the Radius authentication fails, a username and password from the system will work. Use 'Required' to require strong authentication.
Write the file and quit. Hit the Esc key to exit insert mode and type ':wq'
Edit or create your /etc/raddb/server file. There is a sample here.
vi /etc/raddb/server
Below the line:
127.0.0.1 secret 1
Add this line, substituting your routableIPAddress:
routableIPaddress shared_secret 1
The routeableIPaddress is the IP address of your NPS server.
Edit your /etc/pam.d/sshd file thusly:
#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
session required pam_loginuid.so
Add your WiKID server to the /etc/raddb/server file, using the internal IP Address of the WiKID server and the shared secret you entered in the Network Client creation page:
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
xxx.xxx.xxx.xx wikidserver_secret 3
Let's add some security to SSH configuration here too. Open your /etc/ssh/sshd_config (not the nearby ssh_config file). Add these configuration options:
#Protocol 2,1
#Check that only protocol 2 is allowed:
Protocol 2
#Disallow root login:
PermitRootLogin no
#Disallow accounts without passwords:
PermitEmptyPasswords no
If you want to change the port you can. It won't stop an attacker, but it might cut down on log events caused by script kiddies. This gateway box is now set to use WiKID one-time passwords for SSH authentication. All users have to be registered with the WiKID server and no one can login as root. Before we leave this box, we'll do something that is a little bit different - we will have the users create their RSA private key on the gateway. Once each users is signed into the box with WiKID, have them create their keys:
class="command">ssh-keygen -t rsa
In my opinion, passphrases for these keys are redundant. They are here only to create a single sign on functionality into the server farm. Obviously, you must be careful to be sure that users do not have access to other keys.
Configure the target servers
Obviously, we configure these servers to only accept incoming SSH requests from the gateway. We do this by restricting access on port 22 to our internal addresses. Edit /etc/sysconfig/iptables and add or edit the line for SSH on port 22:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
Running the WiKID Software token
Start the WiKID token and select the Domain associated with the SSH Gateway. Then enter the PIN and you will get back the one-time passcode. The OTP is time-bounded, but the time can be set on the WiKID server to whatever you want.
The user simply enters the one-time passcode when prompted by SSH.
The token can also be run from the command line, which is quote convenient for SSH:
java -cp jWiKID-3.1.3.jar:jwcl.jar com.wikidsystems.jw.JWcl domainid
Were domainid is the 12 digit domain identifier.
Conclusion
Many organizations are facing increased compliance and regulation. Additionally, environments are becoming more and more heterogenous and the Internet is becoming more and more dangerous. At the same time, users need more access and want to telecommute more, which is good from a disaster recovery perspective.
While this tutorial has focused on adding two-factor authentication to SSH, an un-stated concept is that you have chosen Radius as a network authentication standard. And it's a good one. Most VPNs, remote desktop systems, web servers and other remote access services support Radius. Now when you want to add a new service with two-factor authentication, all you have to consider is "Does it support Radius?". If it does, then all you need to do is point it to your NPS server. The same holds true if you use Freeradius or some other Radius server.
For more information on WiKID's two-factor authentication system, please visit our website.