This article explains how to secure a public or DMZ machine, or harden an SFTP/SSH server, by using One Time Passwords provided by the [[http://www.secure-pass.net|SecurePass]] security service. One Time Passwords are a strong authentication method that can easily be adopted by everyone and supported on every device.

This article was originally written by Luca Perencin.

= Prerequisites =

The only prerequisite is an Ubuntu server up and running with at least one static IP address.

= Sign up and configure SecurePass =

If you don't already own an account with [[http://www.secure-pass.net|SecurePass]], you can sign up for a new account here: http://www.secure-pass.net/open

'''Note:''' Use "misec2011" as promo code; it entitles you to use [[http://www.secure-pass.net|SecurePass]] for up to 10 users for 2 years free of charge. Without a promo code, you get 5 users for 20 years for free. Choose according to what you need (more users or more years).

Connect to the admin interface at https://admin.secure-pass.net and create a new device: in the "Device" section, add a new device. You will need to set the public IP address of the server, a fully qualified domain name (FQDN), and the shared secret for RADIUS authentication.

= Install and Configure RADIUS =

Install the RADIUS PAM module with the following command:

{{{
apt-get install libpam-radius-auth
}}}

Now log in to the server to configure RADIUS authentication. Open ''/etc/pam_radius_auth.conf'' in your favorite editor and add the following lines at the end of the file (each line is: server, shared secret, timeout in seconds):

{{{
radius1.secure-pass.net secret 3
radius2.secure-pass.net secret 3
}}}

Of course, "secret" must be the same shared secret you set in the [[http://www.secure-pass.net|SecurePass]] device section.

Next, we need to configure PAM to handle the authentication correctly.
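Because ''/etc/pam_radius_auth.conf'' now holds the shared secret, it is worth checking the file before relying on it for logins. The script below is an added example written for this article; it is not part of the original page and is not shipped by SecurePass or by libpam-radius-auth. It takes the path to the configuration file as a parameter, so it can be run against a copy, and checks that every server line has the three fields the module expects (server, shared secret, timeout in seconds) and that the file is readable by its owner only, since any wider permission exposes the secret to every local account.

```shell
#!/bin/sh
# Added example for this article (not from the original page, SecurePass or
# libpam-radius-auth): sanity-check a pam_radius_auth.conf before using it.
# Usage: check_radius_conf /etc/pam_radius_auth.conf

# Return 0 if the file has no group or other permission bits at all.
# The file holds the RADIUS shared secret, so anything wider leaks it to
# every local account. ls -ld is used because stat(1) flags vary by system.
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group (5-7) and other (8-10) bits
    [ "$perms" = "------" ]
}

# Return 0 if every non-comment line has the three fields pam_radius_auth
# expects: server[:port], shared secret, timeout in seconds (a number).
# Offending lines are reported on stderr with their line number.
valid_server_lines() {
    awk '
        NF == 0 || /^[[:space:]]*#/ { next }          # skip blanks and comments
        NF != 3 || $3 !~ /^[0-9]+$/ {
            printf "bad line %d: %s\n", NR, $0 > "/dev/stderr"; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Return 0 only when the file exists, is owner-only and every server line is
# well formed. Each failure is reported separately so one run shows them all.
check_radius_conf() {
    conf="$1"
    failed=0
    if [ ! -f "$conf" ]; then
        echo "$conf: no such file" >&2
        return 1
    fi
    if ! owner_only "$conf"; then
        echo "$conf: readable by group/others; fix with: chmod 600 $conf" >&2
        failed=1
    fi
    if ! valid_server_lines "$conf"; then
        echo "$conf: malformed server lines" >&2
        failed=1
    fi
    return $failed
}

# Stand-alone use: check the path given on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_radius_conf "$1"
fi
```

Run it as root after editing the file; a non-zero exit means at least one problem was printed on stderr. The permission check looks at the mode bits rather than at what the current user can read, so it gives the same answer whether run as root or not.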
Open the PAM configuration file ''/etc/pam.d/common-auth'' in your editor and change the authentication part as follows, inserting the RADIUS module before the local one:

{{{
auth sufficient pam_radius_auth.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
}}}

= Create a local user =

RADIUS provides authentication only. You still need to provide Unix account information for each user. This also lets you enforce who is able to access the DMZ machine.

The easiest approach is to create local user(s) matching the user(s) in [[http://www.secure-pass.net|SecurePass]]: for example, if you have ''jsmith@foo.bar'' in [[http://www.secure-pass.net|SecurePass]], you will have to create a local user ''jsmith''.

If you have several machines in the DMZ, consider using a network service such as LDAP or NIS to store uid/gid information, or use Puppet.

= Services known to work =

Any PAM-aware service in general, but the following have been tested:

 * SSH/SFTP
 * ProFTPD
 * OpenVPN

It also works for web authentication (Apache PAM, PHP PAM, ...), but consider using the [[http://www.secure-pass.net/wiki/index.php/Help:CasProtocol|SecurePass CAS interface]] instead.

= Further information =

 * [[http://www.nolabs.it/2011/12/02/eng-how-to-setup-an-easy-otp-access-on-ubuntu-with-secure-pass/|Howto setup an easy otp access on ubuntu with Secure Pass]]
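To check the finished setup, the following added script (written for this article; not part of the original page, of SecurePass or of libpam-radius-auth) audits the three things the ''common-auth'' and "Create a local user" sections above depend on: that PAM tries pam_radius_auth first and as ''sufficient''; which SecurePass users still lack a local account and would therefore be refused even after a correct OTP; and which regular local accounts have no SecurePass login and could still log in with a plain local password through the pam_unix fallback. The list of SecurePass logins is assumed to be a constructed text file with one login per line, and the PAM and passwd files are parameters so the checks can be run against copies. The adduser commands it prints use --disabled-password, so the new local account has no usable local password and the OTP is the only way in.

```shell
#!/bin/sh
# Added example for this article (not from the original page or SecurePass):
# audit the OTP setup. All paths are parameters so the checks can run against
# copies, e.g.:
#   audit_otp_setup /etc/pam.d/common-auth securepass-users.txt /etc/passwd
# securepass-users.txt is a constructed file with one SecurePass login
# (user@domain) per line; the article describes no export format for it.

# 1. PAM ordering. The OTP only protects logins if pam_radius_auth is tried
#    first and is "sufficient"; a pam_unix line placed before it would let a
#    local password win. Returns 0 when the order is correct.
check_common_auth() {
    awk '
        NF == 0 || /^[[:space:]]*#/ { next }
        $1 != "auth" { next }
        /pam_radius_auth\.so/ && !radius { radius = NR; ctl = $2 }
        /pam_unix\.so/ && !unix { unix = NR }
        END {
            if (!radius) { print "no auth line for pam_radius_auth.so" > "/dev/stderr"; exit 1 }
            if (ctl != "sufficient") { print "pam_radius_auth.so control is \"" ctl "\", expected sufficient" > "/dev/stderr"; exit 1 }
            if (unix && unix < radius) { print "pam_unix.so is tried before pam_radius_auth.so" > "/dev/stderr"; exit 1 }
            exit 0
        }' "$1"
}

# Map a SecurePass login (user@domain) to the local account name the article
# prescribes: the part before the "@", lower-cased. Anything that is not a
# plain portable user name is rejected so a malformed entry never reaches adduser.
local_name() {
    name=$(printf '%s' "${1%%@*}" | tr 'A-Z' 'a-z')
    case "$name" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# 2. SecurePass users with no local account. They pass the RADIUS step and are
#    still refused, because the system has no uid/gid for them.
missing_local_accounts() {
    users="$1" passwd="$2"
    while IFS= read -r login; do
        [ -n "$login" ] || continue
        name=$(local_name "$login") || { echo "skipping malformed entry: $login" >&2; continue; }
        grep -q "^$name:" "$passwd" || printf '%s\n' "$name"
    done < "$users"
}

# 3. Regular local accounts (uid 1000 up to but excluding nobody) with no
#    SecurePass login. With pam_unix still in common-auth these can log in with
#    a local password, so they should be locked (passwd -l) or removed.
local_without_securepass() {
    users="$1" passwd="$2"
    awk -F: '$3 >= 1000 && $3 < 65534 { print $1 }' "$passwd" |
    while IFS= read -r name; do
        grep -qi "^$name@" "$users" || printf '%s\n' "$name"
    done
}

# Print adduser commands for the missing accounts. --disabled-password leaves
# the local password unusable, so the OTP checked by pam_radius_auth is the
# only way in. Commands are printed for review, not executed.
adduser_commands() {
    missing_local_accounts "$1" "$2" | while IFS= read -r name; do
        printf 'adduser --disabled-password --gecos "" %s\n' "$name"
    done
}

# Run all three checks and report on stderr; returns 0 only when nothing needs fixing.
audit_otp_setup() {
    pam="$1" users="$2" passwd="$3"
    status=0
    check_common_auth "$pam" || status=1
    missing=$(missing_local_accounts "$users" "$passwd")
    if [ -n "$missing" ]; then
        echo "SecurePass users without a local account:" >&2
        printf '  %s\n' $missing >&2
        status=1
    fi
    extra=$(local_without_securepass "$users" "$passwd")
    if [ -n "$extra" ]; then
        echo "local accounts that bypass the OTP (no SecurePass login):" >&2
        printf '  %s\n' $extra >&2
        status=1
    fi
    return $status
}
```

Run ''audit_otp_setup'' after every change to the user list; a zero exit means the PAM order is right, every SecurePass user has a local account, and no regular local account is left that could sidestep the OTP. Keep a root session open while you test, since a mistake in ''common-auth'' affects every new login on the machine.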