TwoFactor Authentication Service

Purpose

The Two Factor Authentication service is a secure authentication service intended for computing support staff in CSCF/MFCF to gain privileged access to the services that they maintain. Examples include gaining root access on Linux/Unix/OS X hosts, Domain Administrator login in a Windows AD forest, privileged access to a web-based application, and read/write access to a network device such as a switch/router or firewall. The service is designed to be used by other groups on campus as well, if the desire is there.

See TwoFactorArchitecture to learn about the architecture of the service. See TwoFactorAuthenticationDirections for background information. There is also documentation on maintaining the service (access is restricted).

Using the Service

* TwoFactorGettingStarted - What to do when you are issued a token

Configuring your System(s)/Device(s) for TwoFactor Authentication

HP Switch

The instructions below explain how to configure an HP switch to use the TwoFactor authentication service for login via the console, SSH, and telnet, while still allowing local accounts if the RADIUS servers are unreachable. Note that in this case the RADIUS server does both the authentication and the authorization. You'll need to provide twofactor-admin@cscf.cs with the userids of the admins you want to grant either read-only or administrative access.

  • Contact twofactor-admin@cscf.cs to obtain a RADIUS shared secret, if you don't already have one.
  • Log in to the switch as the local administrative user (please don't use telnet)
  • Make sure you are in the config context.
  • Run the following commands:

aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication login privilege-mode
radius-server key [shared-secret]
radius-server host 129.97.15.150 auth-port 11812 acct-port 11813
radius-server host 129.97.15.151 auth-port 11812 acct-port 11813
write mem

Windows (Active Directory Forest)

This solution requires a separate domain within an AD forest, so to reduce the proliferation of hardware for domain controllers, you are advised to try out the virtualization offered by VMware or Xen.

  • Build a new domain in the forest and have all other domains trust the new domain
  • Install the DC agent on all domain controllers of the new domain
  • Install the desktop client on a terminal server that is a member of the domain
  • Tell twofactor-admin@cscf.cs the IP address of each domain controller
  • In the new domain, create only users that will have tokens.
  • Give the users of the new domain the appropriate rights to objects in other domain(s) of the forest (creating a universal group in the forest root might be handy).

Solaris 8 (xhiered)

  • Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your machine(s)
  • Install the following xhier packages in the order indicated:
    • cu-sudo-1.6.8p12
    • pam-radius-1.3
    • pam-config
  • Add the shared secret to the pam-radius configuration
  • Configure the pam-config package to manage the system's PAM configuration
    • Set manage_pam_configuration=yes in the appropriate options file
    • Add the following line to the appropriate pam.conf-$xh-arch file
sudo    auth required         /software/pam-radius/lib/pam_radius_auth.so

  • Add the appropriate users to the sudoers file

Mac OS X

  • Run visudo to set the appropriate authorizations.
  • From a local AFP share, get the sudo-radius installer package and install it on your computer(s)
  • Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your computer(s)
  • Add the RADIUS shared secret to /etc/pam_radius_auth.conf

Linux (Ubuntu)

  • Use visudo to set the appropriate authorizations.
  • Make sure your sources.list gets packages from universe
  • Run apt-get install libpam-radius-auth
  • Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your computer(s)
  • Add 129.97.15.150 and 129.97.15.151, with the secret, to /etc/pam_radius_auth.conf
  • Depending on how you want sudo to authenticate users, replace the contents of /etc/pam.d/sudo with something like the following:
     auth     sufficient     pam_unix.so nullok_secure
     auth     required       pam_radius_auth.so
     account  required       pam_permit.so 
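As an added illustration that is not part of the original page: a small Python simulator of how Linux-PAM walks an auth stack (required/requisite/sufficient/optional), run against the sudo stack above and against a stricter ordering that I assume for comparison. It shows that with pam_unix.so listed first as sufficient, a correct local password satisfies sudo and pam_radius_auth.so is never called; the token is only consulted when the local password fails.

```python
# Added example (not from the page): a small simulator of how Linux-PAM walks
# an "auth" stack with the control flags required/requisite/sufficient/optional,
# applied to the /etc/pam.d/sudo stack above. Module outcomes (local password
# correct, RADIUS token accepted) are constructed inputs, not real PAM calls.

SUCCESS, FAIL = "success", "fail"

def parse_pam_stack(text, facility="auth"):
    """Turn 'auth  sufficient  pam_unix.so ...' lines into (control, module) pairs."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != facility:
            continue
        stack.append((parts[1], parts[2]))
    return stack

def evaluate_auth_stack(stack, results):
    """Return (overall result, modules invoked); results maps module -> outcome."""
    called, required_failed = [], False
    for control, module in stack:
        called.append(module)
        ok = results[module] == SUCCESS
        if control == "required" and not ok:
            required_failed = True          # keep going, but the stack will fail
        elif control == "requisite" and not ok:
            return FAIL, called             # fail immediately
        elif control == "sufficient" and ok and not required_failed:
            return SUCCESS, called          # short-circuit: later modules never run
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"unsupported control flag {control!r}")
    return (FAIL if required_failed else SUCCESS), called

# The stack from the page: pam_unix.so is 'sufficient' and listed first.
PAGE_SUDO_STACK = """\
auth     sufficient     pam_unix.so nullok_secure
auth     required       pam_radius_auth.so
account  required       pam_permit.so
"""

# Stricter ordering (my assumption, not from the page): RADIUS is always consulted.
STRICT_SUDO_STACK = """\
auth     required       pam_radius_auth.so
account  required       pam_permit.so
"""

def sudo_auth_outcome(stack_text, unix_ok, radius_ok):
    results = {"pam_unix.so": SUCCESS if unix_ok else FAIL,
               "pam_radius_auth.so": SUCCESS if radius_ok else FAIL}
    return evaluate_auth_stack(parse_pam_stack(stack_text), results)
```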

For application servers run by CSCF where interactive login is restricted to CSCF staff, check-out TwoFactorWithLDAP.

-- JasonTestart - 17 Aug 2006

Topic revision: r9 - 2007-09-28 - JasonTestart