TwoFactor Authentication Service
Purpose
The Two Factor Authentication service is a secure authentication service intended for computing support staff in CSCF/MFCF to gain privileged access to the services that they maintain. Examples include gaining root access on Linux/Unix/OS X hosts, Domain Administrator login in a Windows AD forest, privileged access to a web-based application, and read/write access to a network device such as a switch/router or firewall. The service is designed to be used by other groups on campus as well, if the desire is there.
See
TwoFactorArchitecture to learn about the achitecture of the service. See
TwoFactorAuthenticationDirections for background information. There is also documentation on
maintaining the service (access is restricted).
Using the Service
*
TwoFactorGettingStarted - What to do when you are issued a token
Configuring your System(s)/Device(s) for TwoFactor Authentication
HP Switch
The instructions below explain how to configure an HP switch to use the TwoFactor authentication service for login via the console,
SSH, and telnet while allowing local accounts if the RADIUS servers are unreachable. Note that in this case, the RADIUS server does both the authentication and authorization. You'll need to provide
twofactor-admin@cscf.cs with the userid of those admins you want to grant either read-only or administrative access.
- Contact twofactor-admin@cscf.cs to obtain a RADIUS shared secret, if you don't already have one.
- Login to the switch as the local administrative user (please don't use telnet)
- Make sure you are in the
config
context.
- Run the following commands:
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication login privilege-mode
radius-server key [shared-secret]
radius-server host 129.97.15.150 auth-port 11812 acct-port 11813
radius-server host 129.97.15.151 auth-port 11812 acct-port 11813
write mem
Windows (Active Directory Forest)
This solution requires a seperate domain within an AD forest, so to reduce the proliferation of hardware for domain controllers, you are advised to try out the virtualization offered by VMware or Xen.
- Build a new domain in the forest and have all other domains trust the new domain
- Install the DC agent on all domain controllers of the new domain
- Install the desktop client on a terminal server that is member of the domain
- Tell twofactor-admin@cscf.cs the IP address of each domain controller
- In the new domain, create only users that will have tokens.
- Give the users of the new domain the appropriate rights to objects in other domain(s) of the forest (creating a universal group in the forest root might be handy).
Solaris 8 (xhiered)
- Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your machine(s)
- Install the following xhier packages in the order indicated:
- cu-sudo-1.6.8p12
- pam-radius-1.3
- pam-config
- Add the shared secret to the pam-radius configuration
- Configure the pam-config package to manage the system's PAM configuration
- Set
manage_pam_configuration=yes
in the appropriate options file
- Add the following line to the appropriate
pam.conf-$xh-arch
file
sudo auth required /software/pam-radius/lib/pam_radius_auth.so
- Add the appropriate users to the sudoers file
Mac OS X
- Run
visudo
to set the appropriate authorizations.
- From a local AFP share, get the
sudo-radius
installer package and install it on your computer(s)
- Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your computer(s)
- Add the RADIUS shared secret to /etc/pam_radius_auth.conf
Linux (Ubuntu)
- Use
visudo
to set the appropriate authorizations.
- Make sure your
sources.list
gets packages from universe
- Run
apt-get install libpam-radius-auth
- Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your computer(s)
- Add
129.97.15.150
and 129.97.15.151
, with the secret, to /etc/pam_radius_auth.conf
- Depending on how you want to sudo to authenticate users, replace the contents of
/etc/pam.d/sudo
with something like the following:
auth sufficient pam_unix.so nullok_secure
auth required pam_radius_auth.so
account required pam_permit.so
For application servers run by CSCF where interactive login is restricted to CSCF staff, check-out
TwoFactorWithLDAP.
--
JasonTestart - 17 Aug 2006