Diff for "DMZ host with SecurePass"


Differences between revisions 2 and 3
Revision 2 as of 2012-02-07 18:11:38
Size: 2291
Editor: corsico
Comment:
Revision 3 as of 2012-02-08 10:58:41
Size: 2438
Editor: 78-105-201-166
Comment: Added a ToC even tho the page is still fairly small at the moment. It looks like the page will grow quite a bit
Line 1: Line 1:
||<tablestyle="float:right; font-size: 0.9em; width:40%; background:#F1F1ED; margin: 0 0 1em 1em;" style="padding:0.5em;"><<TableOfContents>>||

This article explains how to secure a public or DMZ machine, or harden an SFTP/SSH server, by using One Time Passwords provided by the SecurePass security service.

One Time Passwords provide strong authentication that can easily be adopted by everyone and supported on every device.

This article was originally written by Luca Perencin.

Prerequisites

The only prerequisites are an Ubuntu server up and running and at least one static IP address.

SecurePass

If you don’t already have a SecurePass account, you can sign up for one here: http://www.secure-pass.net/open

Note: Use “misec2011” as the promo code; it entitles you to use SecurePass for up to 10 users for 2 years free of charge.

Connect to the admin interface on https://admin.secure-pass.net and create a new device.

As shown in the picture, we only need to set the public IP address of the server, a fully qualified domain name (FQDN), and the shared secret for RADIUS authentication. After completion we get a short summary of the newly created device.

Install and Configure RADIUS

Install the RADIUS PAM module with the following command:

apt-get install libpam-radius-auth

At this point, we can log in to the server to configure RADIUS authentication. Open /etc/pam_radius_auth.conf in your favourite editor and add the following lines at the end of the file:

radius1.secure-pass.net secret 3
radius2.secure-pass.net secret 3

Of course, “secret” is the same shared secret we set up on the SecurePass site. Beyond this point we need to configure PAM to handle the authentication correctly.

Pick up an editor again and open /etc/pam.d/common-auth

We have to set up two simple lines:

auth    sufficient                      pam_radius_auth.so
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass

Create a local user

Create the local user(s) matching the user(s) in SecurePass; for example, if you have jsmith@foo.bar in SecurePass, you will have to create a local user jsmith.
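Putting the steps above together, here is an added example script (not part of the original article or of SecurePass's own tooling) that applies them to the configuration files passed as arguments, so it can be tried on copies before touching /etc. The server names and the "secret 3" format are the article's; creating the local account with a locked password and setting mode 600 on the secrets file are additions the article does not state.

```shell
#!/bin/sh
# Added example, not from the original article: apply the SecurePass RADIUS
# PAM setup to the files given as arguments, so it can be tried on copies
# before touching /etc. Locking the local password and the 600 mode on the
# secrets file are assumptions the article does not state.

# Append the two SecurePass RADIUS servers ("server secret timeout") unless
# already present, and keep the file private since it holds the shared secret.
add_radius_servers() {
    conf=$1 secret=$2
    for srv in radius1.secure-pass.net radius2.secure-pass.net; do
        grep -q "^$srv[[:space:]]" "$conf" 2>/dev/null ||
            printf '%s %s 3\n' "$srv" "$secret" >> "$conf"
    done
    chmod 600 "$conf"
}

# Put pam_radius_auth ahead of the first pam_unix auth line and give pam_unix
# try_first_pass so the user is not prompted again after RADIUS rejects the OTP.
patch_common_auth() {
    pam=$1
    grep -q 'pam_radius_auth\.so' "$pam" && return 0      # already patched
    awk '/^auth[ \t].*pam_unix\.so/ && !done {
             print "auth\tsufficient\tpam_radius_auth.so"
             if ($0 !~ /try_first_pass/) $0 = $0 " try_first_pass"
             done = 1
         }
         { print }' "$pam" > "$pam.tmp" && mv "$pam.tmp" "$pam"
}

# Local login name for a SecurePass user: jsmith@foo.bar -> jsmith.
local_login() { printf '%s\n' "${1%@*}"; }

# Create the matching local account with no usable password, so the pam_unix
# fallback cannot be used to log in without the one-time password.
create_local_user() {
    login=$(local_login "$1")
    id "$login" >/dev/null 2>&1 ||
        adduser --disabled-password --gecos "" "$login"
}
```

Run the two patch functions against copies of the files first; create_local_user needs root on the target host.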

Further information

* http://www.nolabs.it/2011/12/02/eng-how-to-setup-an-easy-otp-access-on-ubuntu-with-secure-pass/

DMZ host with SecurePass (last edited 2012-02-08 13:37:57 by corsico)