OTP Client Setup
From MyWiki
Intro
This page documents how I set up OTP authentication on one of my servers. I did not use the NCSA version of the client software, for the following reasons:
- I did not need the functionality NCSA added for my server.
- The NCSA version is a fork of the open source code used here; updates and fixes applied to the open source code since the fork have not been merged into the NCSA version.
Prerequisites
- Email help@ncsa.uiuc.edu and request that your client machine be added to the OTP servers. You will receive a shared key (the RADIUS shared secret) for your machine. Save it somewhere safe; you will need it when you configure your machine, and it is what authenticates your host to the OTP servers, so treat it like a password.
- Install/verify software package prerequisites
# yum install make gcc pam-devel
Procedure
- Download the most current version of the code from http://freeradius.org/pam_radius_auth/
- Unzip, build, and copy the PAM module pam_radius_auth.so into place:
# tar -zxvf pam_radius-1.3.17.tar.gz
# cd pam_radius-1.3.17
# make                                     <-- a couple of compiler warnings; ignore them
# cp pam_radius_auth.so /lib64/security/   <-- "lib64" in the case of a 64-bit machine, "lib" otherwise
- Create and populate /etc/raddb/server (the file holds the shared secret, so it must be readable by root only):
# mkdir /etc/raddb
# chmod 700 /etc/raddb
# cp <from tarball>/pam_radius_auth.conf /etc/raddb/server
# cd /etc/raddb
# chown root:root server
# chmod 600 server
Add the following two lines to the bottom of /etc/raddb/server (the second column is the shared key you received; both entries use the same key):
otp1.ncsa.uiuc.edu <shared key here>
otp2.ncsa.uiuc.edu <same shared key here>
- Edit /etc/ssh/sshd_config so that it contains the following (UsePAM and ChallengeResponseAuthentication are what let sshd hand the password prompt to the PAM stack):
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
- Restart SSHD
# service sshd restart
- Edit /etc/pam.d/sudo, replacing or inserting the auth line as appropriate:
auth requisite pam_radius_auth.so
- Prevent regular users from using the su command by editing /etc/pam.d/su and replacing the auth lines with the following (root may still su; everyone else is denied, so the only path to root is sudo with OTP):
auth sufficient pam_rootok.so
auth required pam_deny.so
- Use visudo to edit /etc/sudoers and add the following line:
Defaults passprompt = "[sudo] OTP password for %u (case-sensitive):"
- Reboot
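The following script is an added example and is not part of the original page or of the pam_radius_auth project. It stages the /etc/raddb/server file under a prefix directory and checks it before you copy it into place: the file must be mode 0600, every entry must have the form "server[:port] shared_secret [timeout]" used by pam_radius_auth.conf, the placeholder from the shipped template must be gone, and both entries must carry the same secret as the page requires. The server names are the page's; the secret value, the staging prefix and the function names are assumptions of the example. It runs as an unprivileged user against a temporary tree and does not touch the real /etc (nor chown, which needs root).

```shell
#!/bin/sh
# Added example (not from the page): stage and validate /etc/raddb/server.

# stage_raddb_server PREFIX SECRET: write PREFIX/etc/raddb/server with the
# two NCSA OTP servers from the page and the given shared secret.
stage_raddb_server() {
    prefix=$1
    secret=$2
    dir="$prefix/etc/raddb"
    mkdir -p "$dir"
    chmod 700 "$dir"
    # Create the file under a restrictive umask so it is never world-readable,
    # even briefly; the chmod 600 afterwards mirrors the page's procedure.
    ( umask 077
      printf '# server[:port]  shared_secret  [timeout]\n' > "$dir/server"
      printf '%s  %s\n' otp1.ncsa.uiuc.edu "$secret" >> "$dir/server"
      printf '%s  %s\n' otp2.ncsa.uiuc.edu "$secret" >> "$dir/server" )
    chmod 600 "$dir/server"
}

# check_raddb_server FILE: exit 0 if FILE is safe to install, 1 otherwise,
# printing one FAIL line per problem found.
check_raddb_server() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "FAIL: $f does not exist"; return 1; }
    # find -perm 600 matches the mode exactly, so 0640/0644 are rejected.
    if [ -z "$(find "$f" -prune -perm 600 -print)" ]; then
        echo "FAIL: $f must be mode 0600 (the shared secret is readable otherwise)"
        rc=1
    fi
    awk '
        BEGIN { bad = 0; n = 0; first = "" }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        NF < 2 || NF > 3 {
            print "FAIL: line " NR ": expected: server[:port] shared_secret [timeout]"
            bad = 1; next
        }
        $2 ~ /[<>]/ { print "FAIL: line " NR ": placeholder secret still present"; bad = 1 }
        NF == 3 && $3 !~ /^[0-9]+$/ { print "FAIL: line " NR ": timeout must be an integer"; bad = 1 }
        {
            n++
            if (first == "") first = $2
            else if ($2 != first) { print "FAIL: line " NR ": secret differs from the first entry"; bad = 1 }
        }
        END { if (n == 0) { print "FAIL: no servers listed"; bad = 1 }; exit bad }
    ' "$f" || rc=1
    return $rc
}

# Demonstration on a constructed staging tree, not the live /etc.
demo=$(mktemp -d)
stage_raddb_server "$demo" "example-secret-not-real"
check_raddb_server "$demo/etc/raddb/server" && echo "staged file OK: $demo/etc/raddb/server"
# The template shipped in the tarball still contains the placeholder and is rejected:
printf 'otp1.ncsa.uiuc.edu <shared key here>\n' > "$demo/template"
chmod 600 "$demo/template"
check_raddb_server "$demo/template" || echo "template rejected, as expected"
rm -rf "$demo"
```

Once the staged file passes, copy it to /etc/raddb/server as root and chown root:root it; the check can be re-run against the installed path before the reboot step.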
Debugging
- Edit /etc/pam.d/sudo, adding "debug" to the auth line as follows:
auth requisite pam_radius_auth.so debug
- Edit /etc/rsyslog.conf, adding the following line
*.debug /var/log/debug
- Restart the syslog service
# service rsyslog restart
- Messages will be written to the file /var/log/debug. What you would like to see is an Access-Request (RADIUS code 1) answered by an Access-Accept (code 2):
Dec 22 17:40:48 shark sudo: pam_radius_auth: Got user name mfreemon
Dec 22 17:40:58 shark sudo: pam_radius_auth: Sending RADIUS request code 1
Dec 22 17:40:58 shark sudo: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 17904480.
Dec 22 17:40:58 shark sudo: pam_radius_auth: Got RADIUS response code 2
Dec 22 17:40:58 shark sudo: pam_radius_auth: authentication succeeded
OTP for Regular Logins
For machines that require OTP for regular login (such as VM hosts), follow the above instructions, with the following changes:
- Stop authconfig from overwriting your edits to /etc/pam.d/system-auth: on Red Hat-derived distros system-auth is a symbolic link to system-auth-ac, which authconfig regenerates, so replace the link with a regular copy of the file (other distros may differ).
# cd /etc/pam.d
# rm system-auth
# cp system-auth-ac system-auth
- Make the same change to /etc/pam.d/system-auth that is specified above for /etc/pam.d/sudo: replace the auth directive with "auth requisite pam_radius_auth.so". You may have to comment out "auth required pam_deny.so". On a typical Red Hat-derived distro, the auth section of /etc/pam.d/system-auth may look like this afterwards:
auth required pam_env.so
auth requisite pam_radius_auth.so
#auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
#auth sufficient pam_krb5.so use_first_pass
#auth required pam_deny.so
With pam_unix.so commented out there is no local-password fallback: every service that includes system-auth now depends on the OTP servers being reachable, so test the new stack from a second session before logging out of the one you are editing in.
- You may choose to change /etc/sudoers to not require a password for sudo, since OTP is already required for login.
- Modify /etc/ssh/sshd_config to disallow key-based authentication; public-key logins are verified by sshd itself and never reach the PAM auth stack, so leaving them enabled would bypass the OTP requirement:
PubkeyAuthentication no
- Restart sshd.
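The following script is an added example and is not part of the original page. It audits the OTP-for-login configuration described above against a prefix directory: /etc/pam.d/system-auth must be a regular file rather than a symlink (otherwise authconfig will regenerate it), it must contain an active "auth requisite pam_radius_auth.so" line and no active pam_unix.so auth line, and sshd_config must set PubkeyAuthentication no, ChallengeResponseAuthentication yes, UsePAM yes and PermitRootLogin no. The sshd_config check honours sshd's rule that the first occurrence of a keyword wins. The sample tree it builds is constructed from the page's own snippets; the function names and the prefix layout are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the page): audit the OTP-for-login configuration.

# audit_otp_login_config PREFIX: exit 0 if PREFIX/etc matches the page's
# end state, 1 otherwise, printing one FAIL line per drift found.
audit_otp_login_config() {
    prefix=$1
    pam="$prefix/etc/pam.d/system-auth"
    sshd="$prefix/etc/ssh/sshd_config"
    rc=0
    if [ -L "$pam" ]; then
        echo "FAIL: $pam is a symlink; authconfig will regenerate it over your edits"
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+requisite[[:space:]]+pam_radius_auth\.so' "$pam"; then
        echo "FAIL: no active 'auth requisite pam_radius_auth.so' in $pam"
        rc=1
    fi
    # Any uncommented pam_unix.so line in the auth phase re-enables local passwords.
    if grep -Eq '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_unix\.so' "$pam"; then
        echo "FAIL: local password fallback (auth ... pam_unix.so) still active in $pam"
        rc=1
    fi
    for want in "PubkeyAuthentication no" "ChallengeResponseAuthentication yes" \
                "UsePAM yes" "PermitRootLogin no"; do
        key=${want% *}
        val=${want#* }
        # sshd keywords are case-insensitive and the first value found wins.
        got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$sshd")
        if [ "$got" != "$val" ]; then
            echo "FAIL: sshd_config $key is '${got:-unset}', want '$val'"
            rc=1
        fi
    done
    return $rc
}

# write_sample_tree PREFIX: build a constructed tree matching the page's end state.
write_sample_tree() {
    prefix=$1
    mkdir -p "$prefix/etc/pam.d" "$prefix/etc/ssh"
    cat > "$prefix/etc/pam.d/system-auth" <<'EOF'
auth        required      pam_env.so
auth        requisite     pam_radius_auth.so
#auth       sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
#auth       sufficient    pam_krb5.so use_first_pass
#auth       required      pam_deny.so
account     required      pam_unix.so
EOF
    cat > "$prefix/etc/ssh/sshd_config" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication no
EOF
}

# Demonstration: the page's configuration passes, then we simulate authconfig
# restoring the symlink and an admin re-enabling key auth, and the audit fails.
demo=$(mktemp -d)
write_sample_tree "$demo"
audit_otp_login_config "$demo" && echo "baseline configuration OK"
cp "$demo/etc/pam.d/system-auth" "$demo/etc/pam.d/system-auth-ac"
rm "$demo/etc/pam.d/system-auth"
ln -s system-auth-ac "$demo/etc/pam.d/system-auth"
printf 'PubkeyAuthentication yes\n' > "$demo/etc/ssh/sshd_config.new"
cat "$demo/etc/ssh/sshd_config" >> "$demo/etc/ssh/sshd_config.new"
mv "$demo/etc/ssh/sshd_config.new" "$demo/etc/ssh/sshd_config"
audit_otp_login_config "$demo" || echo "drift detected, as expected"
rm -rf "$demo"
```

Run it as `audit_otp_login_config /` on the real host (as root, since /etc/pam.d may not be world-readable on every system) after each authconfig run or OS update, which is when the system-auth symlink tends to come back.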
