Revision 3 as of 2012-02-08 10:58:41


This article describes how to secure a public or DMZ machine, or harden an SFTP/SSH server, by using One Time Passwords provided by the SecurePass security service.

One Time Passwords are a convenient way to get strong authentication that everyone can adopt easily and that is supported on every device.

This article has been originally written by Luca Perencin.

Prerequisites

The only prerequisite is an Ubuntu server up and running with at least one static IP address.

SecurePass

If you do not already own an account with SecurePass, you can sign up for a new account here: http://www.secure-pass.net/open

Note: Use “misec2011” as promo code; it will entitle you to use SecurePass for up to 10 users for 2 years free of charge.

Connect to the admin interface on https://admin.secure-pass.net and create a new device.

As shown in the picture, we only need to set the public IP address of the server, a fully qualified domain name (FQDN), and the secret password for the RADIUS authentication. After completion we get a short recap of the newly created device.

Install and Configure RADIUS

Install the PAM RADIUS module with the following command:

apt-get install libpam-radius-auth

At this point, we can log in to the server to configure RADIUS authentication. Open /etc/pam_radius_auth.conf in your favourite editor and add the following lines at the end of the file:

radius1.secure-pass.net secret 3
radius2.secure-pass.net secret 3

Of course the “secret” is the same one we set up on the SecurePass site. From this point on we need to configure PAM to handle the authentication correctly.

Open /etc/pam.d/common-auth in your editor again;

we have to set up two simple lines:

auth	sufficient	pam_radius_auth.so
auth	[success=1 default=ignore]	pam_unix.so nullok_secure try_first_pass

Create a local user

Create the local user(s) matching the user(s) in SecurePass. For example, if you have jsmith@foo.bar in SecurePass, you will have to create a local user jsmith.
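The whole procedure above (RADIUS server list, PAM lines, local user creation) as one added shell script. This is example code written for this page, not part of the original article or of the SecurePass/libpam-radius-auth projects. The server names, the two PAM lines and the secret placeholder come from the article; the function names, the ability to point the functions at arbitrary file paths (so the changes can be rehearsed on copies before touching /etc), and the default Ubuntu common-auth layout it expects (pam_unix followed by pam_deny and pam_permit) are assumptions.

```shell
#!/bin/sh
# Added example: apply the SecurePass OTP configuration from the article.
# Functions take file paths as arguments, so they can be tested on copies;
# "apply" mode (run as root) edits the real /etc files and creates users.
set -eu

# Append the two SecurePass RADIUS servers (host, secret, timeout 3 s) to
# pam_radius_auth.conf unless already present, and keep the file root-only
# because the shared secret is stored in clear text.
add_radius_servers() {
    conf=$1; secret=$2
    for host in radius1.secure-pass.net radius2.secure-pass.net; do
        if ! grep -q "^${host}[[:space:]]" "$conf" 2>/dev/null; then
            printf '%s\t%s\t3\n' "$host" "$secret" >> "$conf"
        fi
    done
    chmod 600 "$conf"
}

# Insert the "sufficient pam_radius_auth.so" line right before the existing
# pam_unix auth entry and add try_first_pass to it, so RADIUS (OTP) is tried
# first and the local password is a fallback. Idempotent.
configure_common_auth() {
    conf=$1
    grep -q 'pam_radius_auth\.so' "$conf" && return 0
    awk '
        !done && $1 == "auth" && $0 ~ /pam_unix\.so/ {
            print "auth\tsufficient\tpam_radius_auth.so"
            if ($0 !~ /try_first_pass/) $0 = $0 " try_first_pass"
            done = 1
        }
        { print }
        END {
            # No pam_unix line found: append the two lines from the article.
            if (!done) {
                print "auth\tsufficient\tpam_radius_auth.so"
                print "auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure try_first_pass"
            }
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Verify: both servers listed, and the RADIUS line precedes pam_unix.
check_config() {
    rconf=$1; pconf=$2
    grep -q '^radius1\.secure-pass\.net[[:space:]]' "$rconf" || return 1
    grep -q '^radius2\.secure-pass\.net[[:space:]]' "$rconf" || return 1
    r=$(grep -n 'pam_radius_auth\.so' "$pconf" | head -n1 | cut -d: -f1)
    u=$(grep -n 'pam_unix\.so' "$pconf" | head -n1 | cut -d: -f1)
    if [ -n "$r" ] && [ -n "$u" ] && [ "$r" -lt "$u" ]; then return 0; fi
    return 1
}

# Map a SecurePass identity to the local account name (jsmith@foo.bar -> jsmith)
# and reject names that adduser's default NAME_REGEX would refuse
# (must start with a lowercase letter; then lowercase letters, digits, _ or -).
local_user_name() {
    name=${1%%@*}
    case $name in
        ""|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Create the local account if missing; no local password, RADIUS supplies the OTP.
create_local_user() {
    name=$(local_user_name "$1") || { echo "invalid user name: $1" >&2; return 1; }
    id "$name" >/dev/null 2>&1 || adduser --disabled-password --gecos "" "$name"
}

# Usage (as root): ./securepass-otp.sh apply SECRET jsmith@foo.bar [more users...]
main() {
    secret=$1; shift
    add_radius_servers /etc/pam_radius_auth.conf "$secret"
    configure_common_auth /etc/pam.d/common-auth
    check_config /etc/pam_radius_auth.conf /etc/pam.d/common-auth
    for u in "$@"; do create_local_user "$u"; done
}
case ${1:-} in apply) shift; main "$@" ;; esac
```

Keep a second SSH session open while testing the change: because pam_radius_auth is marked sufficient and pam_unix keeps try_first_pass, a wrong OTP (or an unreachable RADIUS server) falls back to the local Unix password, which is what the article's two lines intend, so the account's local password still matters. Note also that on Ubuntu pam-auth-update regenerates /etc/pam.d/common-auth from the profiles in /usr/share/pam-configs, so a hand edit like this one can be overwritten and should be re-checked after PAM-related package upgrades.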

Further information

* http://www.nolabs.it/2011/12/02/eng-how-to-setup-an-easy-otp-access-on-ubuntu-with-secure-pass/