This article describes how to secure a public or DMZ machine, or build a stronger SFTP/SSH server, by using One Time Passwords provided by the SecurePass security service.

One Time Passwords are a great way to get strong authentication that can easily be adopted by everyone and supported on every device.

This article was originally written by Luca Perencin.

Prerequisites

The only prerequisite is an Ubuntu server up and running with at least one static IP address.

SignUp and configure SecurePass

If you don't already have an account with SecurePass, you can sign up for a new account here: http://www.secure-pass.net/open

Note: use “misec2011” as the promo code; it entitles you to use SecurePass with up to 10 users for 2 years free of charge. Without a promo code you get 5 users for 20 years for free. Choose according to what you need (more users or more years).

Connect to the admin interface on https://admin.secure-pass.net and create a new device.

In the admin interface, go to the "Device" section and add a new device. You will need to set the public IP address of the server, its fully qualified domain name (FQDN), and the shared secret for RADIUS authentication.

Install and Configure RADIUS

Install the PAM RADIUS module with the following command:

apt-get install libpam-radius-auth

At this point we can log in to the server and configure RADIUS authentication. Open /etc/pam_radius_auth.conf in your favorite editor and add the following lines at the end of the file (each line is: server, shared secret, timeout in seconds):

radius1.secure-pass.net secret 3
radius2.secure-pass.net secret 3

Of course, “secret” is the same shared secret we set up in the SecurePass device section. Beyond this point we need to configure PAM to manage the authentication correctly.

Open the PAM configuration file /etc/pam.d/common-auth in an editor and change the authentication part as follows to insert RADIUS. Because pam_radius_auth.so is marked "sufficient", a successful RADIUS (one-time password) answer is enough to authenticate; if RADIUS does not accept the login, the stack continues to pam_unix.so and the local password.

auth    sufficient                      pam_radius_auth.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass

Create a local user

RADIUS provides authentication only. You will still need to provide Unix account information (uid, gid, home directory, shell) for each user. This also helps you enforce who is able to access the DMZ machine.

The easiest way is to create local user(s) matching the users in SecurePass: for example, if you have jsmith@foo.bar in SecurePass, you will have to create a local user jsmith.

If you have several machines in DMZ, consider using a network service such as LDAP or NIS to store uid/gid information, or use Puppet.
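The steps above (install the module, add the two SecurePass RADIUS servers, insert pam_radius_auth.so ahead of pam_unix.so, create matching local users) put together in one script. This is an added example, not code from the original article or from SecurePass. It assumes it is run as root on Ubuntu, that RADIUS_SECRET is replaced with the shared secret entered for the device in the SecurePass admin interface (the value below is a placeholder), and that the configuration files live at the default paths the article names. It only changes the system when SECUREPASS_APPLY=yes is set, so the functions can be tried on copies of the files first; the verify_pam_order check is an addition that confirms the RADIUS line really precedes pam_unix.so, since otherwise the local password alone would satisfy the stack.

```shell
#!/bin/sh
# Added example (not from the original article): applies the SecurePass steps
# above on an Ubuntu host. Assumptions: run as root; RADIUS_SECRET is the shared
# secret set for the device in the SecurePass admin interface (placeholder here).
# Nothing under /etc is touched unless SECUREPASS_APPLY=yes is set.

RADIUS_SECRET="${RADIUS_SECRET:-REPLACE_WITH_DEVICE_SECRET}"   # placeholder value
PAM_RADIUS_CONF="${PAM_RADIUS_CONF:-/etc/pam_radius_auth.conf}"
COMMON_AUTH="${COMMON_AUTH:-/etc/pam.d/common-auth}"

# Append "server secret timeout" lines for both SecurePass RADIUS servers, once,
# and keep the file private because it contains the shared secret.
configure_radius_servers() {
    conf="$1"; secret="$2"; timeout="${3:-3}"
    for server in radius1.secure-pass.net radius2.secure-pass.net; do
        if ! grep -q "^$server " "$conf" 2>/dev/null; then
            printf '%s %s %s\n' "$server" "$secret" "$timeout" >> "$conf"
        fi
    done
    chmod 600 "$conf"
}

# Put "auth sufficient pam_radius_auth.so" in front of the pam_unix.so line and
# add try_first_pass to pam_unix.so, exactly as the article shows. Idempotent.
configure_common_auth() {
    pam_file="$1"
    grep -q 'pam_radius_auth.so' "$pam_file" && return 0
    tmp="$pam_file.tmp.$$"
    awk '
        /^auth[ \t].*pam_unix\.so/ && !done {
            print "auth\tsufficient\t\t\tpam_radius_auth.so"
            sub(/pam_unix\.so.*/, "pam_unix.so nullok_secure try_first_pass")
            done = 1
        }
        { print }
    ' "$pam_file" > "$tmp" && mv "$tmp" "$pam_file"
}

# Check: the RADIUS module must come before pam_unix.so in the auth stack, or
# the local password would be accepted before the one-time password is asked for.
verify_pam_order() {
    radius=$(grep -n 'pam_radius_auth.so' "$1" | head -n 1 | cut -d: -f1)
    unix=$(grep -n 'pam_unix.so' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$radius" ] && [ -n "$unix" ] && [ "$radius" -lt "$unix" ]
}

# Map a SecurePass login (jsmith@foo.bar) to the local account name (jsmith).
local_name_for() {
    printf '%s\n' "${1%%@*}"
}

# RADIUS authenticates only; uid/gid/home still come from a local account.
create_local_user() {
    name=$(local_name_for "$1")
    id "$name" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$name"
}

if [ "${SECUREPASS_APPLY:-no}" = yes ]; then
    apt-get install -y libpam-radius-auth
    configure_radius_servers "$PAM_RADIUS_CONF" "$RADIUS_SECRET" 3
    configure_common_auth "$COMMON_AUTH"
    verify_pam_order "$COMMON_AUTH" || { echo "common-auth: RADIUS is not ahead of pam_unix" >&2; exit 1; }
    # Remaining arguments are SecurePass logins, e.g. jsmith@foo.bar
    for login in "$@"; do create_local_user "$login"; done
fi
```

Usage: `SECUREPASS_APPLY=yes RADIUS_SECRET='...' sh securepass-dmz.sh jsmith@foo.bar`. The pam_radius_auth.conf file is set to mode 0600 because the shared secret in it is all that an attacker needs to answer RADIUS requests on the server's behalf.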

Services known to work

Any PAM-aware service in general, but the following have been tested:

  • SSH/SFTP
  • ProFTPD
  • OpenVPN

It also works for web authentication (Apache PAM, PHP PAM, ...), but consider using the SecurePass CAS interface instead.

Further information

* Howto setup an easy otp access on ubuntu with Secure Pass

DMZ host with SecurePass (last edited 2012-02-08 13:37:57 by corsico)