---+ !TwoFactor Authentication Service

---++ Purpose

The Two Factor Authentication service is a secure authentication service intended for computing support staff in CSCF/MFCF to gain privileged access to the services that they maintain. Examples include gaining root access on Linux/Unix/OS X hosts, Domain Administrator login in a Windows AD forest, privileged access to a web-based application, and read/write access to a network device such as a switch/router or firewall. The service is designed to be used by other groups on campus as well, if the desire is there.

See CF.TwoFactorArchitecture to learn about the architecture of the service. See CF.TwoFactorAuthenticationDirections for background information. There is also documentation on [[CFPrivate.TwoFactorAdministration][maintaining the service]] (access is restricted).

---++ Using the Service

   * TwoFactorGettingStarted - What to do when you are issued a token

---++ Configuring your System(s)/Device(s) for !TwoFactor Authentication

---+++ HP Switch

The instructions below explain how to configure an HP switch to use the !TwoFactor authentication service for login via the console, SSH, and telnet, while still allowing local accounts if the RADIUS servers are unreachable. Note that in this case the RADIUS server does both the authentication and the authorization: you'll need to provide twofactor-admin@cscf.cs with the userids of the admins you want to grant either read-only or administrative access.

   * Contact twofactor-admin@cscf.cs to obtain a RADIUS shared secret, if you don't already have one.
   * Login to the switch as the local administrative user (please don't use telnet).
   * Make sure you are in the =config= context.
   * Run the following commands:
<pre>
aaa authentication telnet login radius local
aaa authentication telnet enable radius local
aaa authentication ssh login radius local
aaa authentication ssh enable radius local
aaa authentication console login radius local
aaa authentication console enable radius local
aaa authentication login privilege-mode
radius-server key [shared-secret]
radius-server host 129.97.15.150 auth-port 11812 acct-port 11813
radius-server host 129.97.15.151 auth-port 11812 acct-port 11813
write mem
</pre>

---+++ Windows (Active Directory Forest)

This solution requires a separate domain within an AD forest, so to reduce the proliferation of hardware for domain controllers, you are advised to try out the virtualization offered by !VMware or Xen.

   * Build a new domain in the forest and have all other domains trust the new domain.
   * Install the DC agent on all domain controllers of the new domain.
   * Install the desktop client on a terminal server that is a member of the domain.
   * Tell twofactor-admin@cscf.cs the IP address of each domain controller.
   * In the new domain, create only users that will have tokens.
   * Give the users of the new domain the appropriate rights to objects in the other domain(s) of the forest (creating a universal group in the forest root might be handy).

---+++ Solaris 8 (xhiered)

   * Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your machine(s).
   * Install the following xhier packages in the order indicated:
      * cu-sudo-1.6.8p12
      * pam-radius-1.3
      * pam-config
   * Add the shared secret to the pam-radius configuration.
   * Configure the pam-config package to manage the system's PAM configuration:
      * Set =manage_pam_configuration=yes= in the appropriate options file.
      * Add the following line to the appropriate =pam.conf-$xh-arch= file:
<pre>
sudo auth required /software/pam-radius/lib/pam_radius_auth.so
</pre>
   * Add the appropriate users to the sudoers file.

---+++ Mac OS X

   * Run =visudo= to set the appropriate authorizations.
   * From a local AFP share, get the =sudo-radius= installer package and install it on your computer(s).
   * Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your computer(s).
   * Add the RADIUS shared secret to =/etc/pam_radius_auth.conf=.

---+++ Linux (Ubuntu)

   * Use =visudo= to set the appropriate authorizations.
   * Make sure your =sources.list= gets packages from =universe=.
   * Run =apt-get install libpam-radius-auth=.
   * Ask twofactor-admin@cscf.cs to give you a RADIUS shared secret for your computer(s).
   * Add =129.97.15.150= and =129.97.15.151=, with the secret, to =/etc/pam_radius_auth.conf=.
   * Depending on how you want sudo to authenticate users, replace the contents of =/etc/pam.d/sudo= with something like the following:
<pre>
auth     sufficient pam_unix.so nullok_secure
auth     required   pam_radius_auth.so
account  required   pam_permit.so
</pre>

-- Main.JasonTestart - 17 Aug 2006
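The =/etc/pam.d/sudo= stack in the Ubuntu section mixes =sufficient= and =required= lines, and their order decides whether the RADIUS token check is consulted at all. The Python script below is an added example, not code from this page or from Linux-PAM: it models the control-flag semantics documented in pam.conf(5) (=required=, =requisite=, =sufficient=, =optional=) and runs the page's stack, plus a reordered variant that is an assumption made here for comparison, through every combination of module results.

```python
"""Model of Linux-PAM auth-stack control flags, run over the page's sudo stack.

Added example, not code from the page or from Linux-PAM. The control-flag
semantics follow pam.conf(5): required, requisite, sufficient, optional.
"""
from itertools import product

# The auth lines of the page's suggested /etc/pam.d/sudo, in file order.
PAGE_SUDO_STACK = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_radius_auth.so"),
]

# Reordered variant (an assumption for comparison, not from the page):
# the RADIUS token check runs first and must pass.
RADIUS_FIRST_STACK = [
    ("required", "pam_radius_auth.so"),
    ("sufficient", "pam_unix.so"),
]


def evaluate_stack(stack, outcomes):
    """Evaluate one PAM auth stack.

    stack    -- list of (control, module) in file order
    outcomes -- dict module -> True (PAM_SUCCESS) or False (any failure)
    Returns (authenticated, modules_actually_called).
    """
    called = []
    required_failed = False
    for control, module in stack:
        called.append(module)
        ok = outcomes[module]
        if control == "required":
            # failure is recorded, but the rest of the stack still runs
            if not ok:
                required_failed = True
        elif control == "requisite":
            # failure aborts the stack immediately
            if not ok:
                return False, called
        elif control == "sufficient":
            # success ends the stack unless an earlier required module failed;
            # failure of a sufficient module is simply ignored
            if ok and not required_failed:
                return True, called
        elif control == "optional":
            # its result only matters when it is the sole module; ignored here
            pass
        else:
            raise ValueError(f"unsupported control flag: {control!r}")
    return not required_failed, called


def truth_table(stack):
    """Map each tuple of module results (in stack order) to the stack's verdict."""
    modules = [module for _, module in stack]
    table = {}
    for results in product([True, False], repeat=len(modules)):
        table[results] = evaluate_stack(stack, dict(zip(modules, results)))
    return table


def radius_always_consulted(stack):
    """True if pam_radius_auth.so is called for every combination of results."""
    return all("pam_radius_auth.so" in called
               for _, called in truth_table(stack).values())


if __name__ == "__main__":
    for name, stack in (("page order", PAGE_SUDO_STACK),
                        ("radius first", RADIUS_FIRST_STACK)):
        print(f"== {name}: RADIUS always consulted? {radius_always_consulted(stack)}")
        for results, (verdict, called) in truth_table(stack).items():
            print(f"  results={results} -> auth={verdict}, called={called}")
```

With the page's order, a correct local password makes =pam_unix.so= return success before =pam_radius_auth.so= is ever called, so the token is only demanded when the local password fails; putting =pam_radius_auth.so= first as =required= makes the token mandatory on every sudo. That is the choice behind the page's "depending on how you want sudo to authenticate users", and the table makes it visible before you touch a production =pam.d=.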
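Every client on this page, whether the HP switch's =radius-server key= or the PAM modules on Solaris, OS X and Ubuntu, is configured with the same kind of RADIUS shared secret from twofactor-admin. The Python below is an added example, not code from this page, from pam_radius_auth or from HP's firmware; it shows what that secret does on the wire: RFC 2865 section 5.2 hides the User-Password (here, the token code) with an MD5 keystream derived from the secret and the per-request Request Authenticator, and a minimal Access-Request is assembled around it. The secret, user name, token code and authenticator used are constructed values.

```python
"""RFC 2865 User-Password hiding and a minimal Access-Request, in Python.

Added example, not code from the page, pam_radius_auth or HP's firmware.
The secret, user name, token code and authenticator are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1      # RADIUS Code for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _check_authenticator(authenticator):
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")


def hide_password(password, secret, authenticator):
    """Hide a password as in RFC 2865 section 5.2 (returns 16..128 octets)."""
    _check_authenticator(authenticator)
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-octet blocks
    hidden = bytearray()
    prev = authenticator                    # b1 = MD5(S + RA)
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        hidden += block
        prev = block                        # b(n) = MD5(S + c(n-1))
    return bytes(hidden)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what the server does with the same secret."""
    _check_authenticator(authenticator)
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    padded = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        padded += bytes(c ^ s for c, s in zip(block, stream))
        prev = block
    # strip the NUL padding (assumes the real password does not end in NUL)
    return bytes(padded).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, authenticator):
    """Build a minimal Access-Request: header + User-Name + User-Password.

    Real clients add further attributes (e.g. NAS-IP-Address); this is the
    minimum needed to show the packet layout.
    """
    attrs = b""
    hidden = hide_password(password, secret, authenticator)
    for attr_type, value in ((ATTR_USER_NAME, username), (ATTR_USER_PASSWORD, hidden)):
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        attrs += struct.pack("!BB", attr_type, 2 + len(value)) + value
    length = 20 + len(attrs)                # 20-octet header + attributes
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, length) + authenticator + attrs


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    ra = os.urandom(16)           # a fresh random Request Authenticator per request
    pkt = build_access_request(7, b"alice", b"123456", secret, ra)
    print(len(pkt), pkt.hex())
    # User-Name TLV occupies pkt[20:27]; the User-Password value starts at 29
    print(reveal_password(pkt[29:], secret, ra))
```

Two things follow directly from the construction. The hiding is only as strong as the secret and the randomness of the Request Authenticator, so the secret should not be a short or guessable string, and anyone who can read it can recover token codes from captured traffic; that is why =/etc/pam_radius_auth.conf= (and the switch's saved configuration) should be readable only by root or the device administrator. The integrity of the request is not covered by this field at all, which is why the page's servers are reached over a campus-internal path rather than the open network.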
Topic revision: r8 - 2007-09-27 - JasonTestart