[HowTo] configure sudo for two-factor authentication using pam-radius on Ubuntu and CentOS
Configure sudo on CentOS/RHEL for two-factor authentication

We will start on RHEL/CentOS 7. Install the prerequisites:

    sudo yum -y install make gcc pam pam-devel

Get the latest PAM RADIUS code (1.4 as of this writing):

    wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz

Build the library (no root needed for this part):

    tar -xzvf pam_radius-x.x.x.tar.gz
    cd pam_radius-x.x.x
    ./configure
    make

Copy the library to the proper location:

    sudo cp pam_radius_auth.so /lib/security/

Or for 64-bit:

    sudo cp pam_radius_auth.so /lib64/security/

Create the configuration directory and copy the configuration file under the name 'server':

    sudo mkdir /etc/raddb
    sudo cp pam_radius_auth.conf /etc/raddb/server
    sudo chmod 600 /etc/raddb/server

Edit /etc/raddb/server and add your RADIUS server IP and the shared secret to this file:

    # server[:port] shared_secret timeout (s)
    127.0.0.1 secret 1
    radius_server_IP secret 3
    #
    # having localhost in your radius configuration is a Good Thing.

The file holds the shared secret, so keep it readable by root only. The 127.0.0.1 line comes from the sample file that ships with pam_radius; unless a RADIUS server actually listens on this box, drop it, otherwise every sudo first waits for that entry to time out before the real server is tried.

(Note that while we want the RADIUS server in the loop eventually, you can also use your WiKID server as the RADIUS server: add this CentOS box as a network client on WiKID, restart WiKID and be done, or at least test this way. It's always a good idea to do some small tests along the way, just be sure to remove them afterwards.)

Next, we need to tell sudo to use RADIUS. Edit the file /etc/pam.d/sudo and replace "auth include system-auth" with:

    auth required pam_radius_auth.so

Because the line is 'required' and the local password stack is gone, sudo no longer accepts the Unix password at all; if the RADIUS server is unreachable, sudo fails for everyone. Keep a root shell open while you test, and try sudo from a second session before you log out.

That's it for the CentOS/RHEL 7 box. The same setup works for 5 and 6 too.

Configure sudo on Ubuntu for two-factor authentication

Next up is the Ubuntu 14.04 server. First, install pam-radius:

    sudo apt-get install libpam-radius-auth

Configure it with the same RADIUS server (the NPS server in this setup) by editing /etc/pam_radius_auth.conf so that it is the same as above (as on CentOS, this file holds the shared secret, so keep it readable by root only):

    # server[:port] shared_secret timeout (s)
    127.0.0.1 secret 1
    radius_server_IP secret 3
    #
    # having localhost in your radius configuration is a Good Thing.

Edit your /etc/pam.d/sudo file and add the line 'auth sufficient pam_radius_auth.so' above the '@include common-auth' line:

    auth required pam_env.so readenv=1 user_readenv=0
    auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
    auth sufficient pam_radius_auth.so
    @include common-auth
    @include common-account
    @include common-session-noninteractive

Note the difference from the CentOS stack: with 'sufficient', a successful RADIUS check ends authentication, but a failed one falls through to common-auth, where pam_unix asks for the Unix password. That keeps you from being locked out when the RADIUS server is down, but it also means the password alone still unlocks sudo. To make the one-time passcode mandatory, change 'sufficient' to 'required'; leaving '@include common-auth' in place then asks for the Unix password as well, and removing it makes the stack behave like the CentOS one above, with the same lockout risk.

That's it for the Ubuntu server.

Now, anytime an admin attempts to use sudo, they must enter their one-time passcode. PAM will forward the username and OTP to your RADIUS server or your WiKID server for validation.

Using two-factor authentication for administrative accounts is a powerful tool for securing your network. It may even become part of the PCI DSS requirements.
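To confirm that the two PAM stacks above really do what this HowTo intends (OTP enforced on CentOS, OTP with a password fallback on Ubuntu) and that the server file is safe to deploy, here is an added example; it is not code from the pam_radius project, WiKID, or the original post. It defines two lint functions you can point at /etc/pam.d/sudo and /etc/raddb/server or /etc/pam_radius_auth.conf, plus write_samples, which builds constructed copies of the files shown in this post so the checks run offline. The 10.0.0.5 address and the secret in the "good" sample are made up.

```shell
#!/bin/sh
# Added example for this HowTo (not part of pam_radius or WiKID).
#   check_sudo_pam    FILE  - does this sudo PAM stack really require the OTP?
#   check_server_conf FILE  - is this pam_radius server list safe to deploy?
#   write_samples     DIR   - constructed copies of the files shown in the post

# Comments and blank lines removed, order preserved.
strip_comments() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Exit status: 0 = pam_radius_auth.so is required/requisite (OTP cannot be skipped)
#              1 = it is 'sufficient' and a local-password stack follows it, so a
#                  failed OTP falls through to pam_unix and the Unix password alone works
#              2 = pam_radius_auth.so is not in the auth stack at all
check_sudo_pam() {
    file=$1
    stack=$(strip_comments "$file")
    hit=$(printf '%s\n' "$stack" | grep -n '^auth[[:space:]].*pam_radius_auth\.so' | head -n 1)
    if [ -z "$hit" ]; then
        echo "FAIL $file: no 'auth ... pam_radius_auth.so' line"; return 2
    fi
    lineno=${hit%%:*}
    set -- $hit                 # "$lineno:auth <control> pam_radius_auth.so" -> $2 is the control flag
    control=$2
    # Password stacks reachable after the RADIUS line: CentOS's
    # 'auth include system-auth' or Ubuntu's '@include common-auth'.
    fallback=$(printf '%s\n' "$stack" | sed -n "$((lineno + 1)),\$p" \
        | grep -c -E '^(auth[[:space:]]+include[[:space:]]+system-auth|@include[[:space:]]+common-auth)' || true)
    case $control in
        required|requisite)
            echo "OK   $file: pam_radius_auth.so is $control; OTP cannot be skipped"; return 0 ;;
        sufficient)
            if [ "$fallback" -gt 0 ]; then
                echo "WARN $file: pam_radius_auth.so is sufficient and a password stack follows it"
                return 1
            fi
            echo "OK   $file: pam_radius_auth.so is sufficient and nothing else can authenticate"; return 0 ;;
        *)  echo "WARN $file: unexpected control '$control'"; return 1 ;;
    esac
}

# Returns the number of problems found in a server file (server[:port] secret timeout):
# group/world-readable file, the placeholder secret 'secret', and a 127.0.0.1 entry,
# which only makes sense if a RADIUS server really listens locally.
check_server_conf() {
    file=$1; problems=0
    case $(ls -ld "$file" | cut -c5-10) in
        ------) ;;
        *) echo "WARN $file: readable by group/other; chmod 600 (it holds the shared secret)"
           problems=$((problems + 1)) ;;
    esac
    while read -r server secret _; do
        case $server in
            127.0.0.1*|localhost*)
                echo "WARN $file: $server listed; remove it unless a RADIUS server runs on this box"
                problems=$((problems + 1)) ;;
        esac
        case $secret in
            secret|testing123|'')
                echo "WARN $file: $server uses a placeholder or empty shared secret"
                problems=$((problems + 1)) ;;
        esac
    done <<EOF
$(strip_comments "$file")
EOF
    [ "$problems" -eq 0 ] && echo "OK   $file: no problems found"
    return $problems
}

# Constructed sample files mirroring the stacks shown in this post.
write_samples() {
    d=$1
    printf '%s\n' '# server[:port] shared_secret timeout (s)' \
        '127.0.0.1 secret 1' 'radius_server_IP secret 3' > "$d/server_weak"
    chmod 644 "$d/server_weak"
    printf '%s\n' '10.0.0.5:1812 Lw7vQ2pR9sX4tY1u 3' > "$d/server_good"   # made-up host and secret
    chmod 600 "$d/server_good"
    # CentOS 7 /etc/pam.d/sudo before and after the edit in this post
    printf '%s\n' '#%PAM-1.0' 'auth include system-auth' 'account include system-auth' \
        'password include system-auth' 'session optional pam_keyinit.so revoke' \
        'session required pam_limits.so' > "$d/sudo_centos_default"
    sed 's/^auth include system-auth$/auth required pam_radius_auth.so/' \
        "$d/sudo_centos_default" > "$d/sudo_centos_radius"
    # Ubuntu 14.04 /etc/pam.d/sudo as edited in this post
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_env.so readenv=1 user_readenv=0' \
        'auth required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0' \
        'auth sufficient pam_radius_auth.so' '@include common-auth' \
        '@include common-account' '@include common-session-noninteractive' > "$d/sudo_ubuntu_radius"
}

# Demo over the constructed samples; the same functions take real paths.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in sudo_centos_default sudo_centos_radius sudo_ubuntu_radius; do
    check_sudo_pam "$demo_dir/$f" || :
done
for f in server_weak server_good; do
    check_server_conf "$demo_dir/$f" || :
done
rm -rf "$demo_dir"
```

Run it as-is to see the three PAM verdicts (FAIL for the stock CentOS file, OK for the edited one, WARN for the Ubuntu stack because of the common-auth fallback) and the four warnings on the sample server file; then call the two check functions against the real files on each box.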