NSD1142 Using OTP Server for UNIX PAM and SSH Authentication

Fact

  • Nordic Edge One Time Password Server
  • UNIX PAM and SSH Authentication
  • LDAP or SQL User Store


Situation

Remote login to UNIX servers over SSH is often overlooked as a security risk. Out of the box, the only ways to harden logins are public key authentication or limiting access by IP address.

Using public and private keys to protect SSH logins is not a very flexible solution, since every client system you want to log in from needs to have a public and private key pair set up.

Limiting by IP address is even more restrictive in Internet applications.

A good solution to this problem is to use the Nordic Edge One Time Password Server to protect logins with a second factor providing strong and flexible authentication.

This NSD applies to UNIX servers capable of using PAM (Pluggable Authentication Modules) for authentication. It is intended primarily for use with SSH daemons, but it will work with any PAM-enabled login method, including graphical login services such as XDM, KDM or GDM.

Solution

Prerequisites: A Nordic Edge One Time Password Server is already installed and available, and a UNIX server to protect should be available for configuration.

Root account access is required to configure the PAM service. 

There should be an LDAP Directory or SQL User Store configured with the users to be authenticated by the OTP Server. It is a good idea for this User Store Host to also provide naming services to the UNIX server being protected.

If local files are used instead, make sure the users to be authenticated exist in the local passwd and shadow files; a User Store is still required for the OTP authentication.

Verify that your SSH server is configured to use PAM and that it will allow Challenge-Response authentication.

To enable PAM, check that the parameters "UsePAM yes" and "ChallengeResponseAuthentication yes" are set. Some Linux distributions, for example, set the Challenge-Response method to "no" by default.

In most situations the configuration file will be called "sshd_config" and reside in the "/etc" or "/etc/ssh" directory.
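As an added check that is not part of this NSD (written for this edit, not Nordic Edge's or OpenSSH's own code), the following shell script reads an sshd_config the way sshd does, taking the first value seen for each keyword and ignoring keyword case, and reports whether "UsePAM yes" and "ChallengeResponseAuthentication yes" are in effect. OpenSSH 8.7 and later call the second option KbdInteractiveAuthentication and keep the old name as an alias, so the check accepts either spelling. The sample configuration files are constructed in a temporary directory; on a real server you would pass the path of the actual sshd_config instead.

```shell
#!/bin/sh
# Added example, not part of the NSD: check an sshd_config for the two settings
# the OTP/PAM setup needs. sshd uses the FIRST value it reads for a keyword and
# keyword names are case-insensitive, so the check models that instead of grepping.
# OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication (old name kept as an alias); both are accepted.
# Match blocks are not modelled: the file is read as one flat global section.

# sshd_option FILE KEYWORD -> prints the first effective value, lower-cased, or nothing
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                                  # comment line
        NF >= 2 && tolower($1) == key { print tolower($2); exit }  # first value wins
    ' "$1"
}

# check_sshd_pam FILE -> 0 when UsePAM and challenge-response are both "yes",
# 1 otherwise (an unset keyword is reported so that you set it explicitly)
check_sshd_pam() {
    f="$1"
    usepam=$(sshd_option "$f" UsePAM)
    cr=$(sshd_option "$f" ChallengeResponseAuthentication)
    [ -n "$cr" ] || cr=$(sshd_option "$f" KbdInteractiveAuthentication)
    ok=0
    [ "$usepam" = "yes" ] || { echo "$f: UsePAM is '${usepam:-unset}', need yes"; ok=1; }
    [ "$cr" = "yes" ]     || { echo "$f: ChallengeResponseAuthentication is '${cr:-unset}', need yes"; ok=1; }
    return $ok
}

# Constructed sample files for a stand-alone run; on a server point the
# function at /etc/ssh/sshd_config (or /etc/sshd_config) instead.
tmp=${TMPDIR:-/tmp}/nsd1142.$$
mkdir -p "$tmp"
cat > "$tmp/good_sshd_config" <<'EOF'
# constructed sample: PAM enabled and challenge-response allowed
Port 22
UsePAM yes
ChallengeResponseAuthentication yes
EOF
cat > "$tmp/bad_sshd_config" <<'EOF'
# constructed sample: the distribution default the NSD warns about
UsePAM yes
ChallengeResponseAuthentication no
# ChallengeResponseAuthentication yes   (commented out, so it does not count)
EOF

check_sshd_pam "$tmp/good_sshd_config" && echo "good_sshd_config: ready for PAM RADIUS"
check_sshd_pam "$tmp/bad_sshd_config"  || echo "bad_sshd_config: fix before continuing"
rm -rf "$tmp"
```

Run it as any user against a copy of the file, or as root against the live one; it only reads. A keyword that is missing is reported as "unset" rather than assumed, because the defaults differ between OpenSSH versions and the NSD asks for both values to be set explicitly.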


Installation: Depending on your UNIX variant, you may need to install the PAM RADIUS module from http://freeradius.org/pam_radius_auth/ and follow the installation instructions for your platform.

These instructions are briefly repeated here for quick reference.

If you are using Linux, check with your distribution; there may well be a prebuilt or prepackaged version available on your usual installation media.

Unpack the PAM RADIUS distribution. At the time of writing this is version 1.3.7: pam_radius-1.3.7.tar.gz

Build the PAM RADIUS module. On most platforms, typing make in the distribution directory is enough; if not, please contact either the FreeRADIUS project or Nordic Edge Support for assistance.

If you receive the error "security/pam_modules.h: No such file or directory", it is probable that your platform does not support PAM modules.

Once the module is built install it in the usual place for PAM modules on your system.

Here is a quick list of common locations:

  • Most Linux Versions: /lib/security/pam_radius_auth.so

  • Solaris: /usr/lib/security/pam_radius_auth.so.1

  • AIX >5.3: /usr/lib/security/pam_radius_auth.so

WARNING: From this point on, do not log out of your system until you have performed a successful login attempt after activation of the PAM RADIUS support.

Configure your server's PAM setup for SSH to use the new PAM RADIUS module; if you do not know how to do this, contact Nordic Edge Support or your operating system vendor.

A good rule of thumb is to add the module with the "sufficient" control flag just before the standard UNIX authentication module (usually pam_unix.so, pam_unix_auth.so or pam_unix2.so).

An example for a modern Linux server using "common-auth" for the authentication PAM modules would look similar to the following file (/etc/pam.d/common-auth):

  auth   required    pam_env.so
  auth   sufficient  pam_radius_auth.so
  auth   required    pam_unix2.so

NOTE: After manually editing the PAM configuration, do not use automatic tools such as pam_config to make changes in the future, since these tools will usually overwrite the manual changes.

Copy and rename the pam_radius_auth.conf file to /etc/raddb/server and configure it to point at your Nordic Edge One Time Password server.

If your OTP server is at, for example, 192.168.0.100 and you are using port 1812 for RADIUS clients, then you would add the line "192.168.0.100:1812 secret 3" to the file.

Replace the word secret with your RADIUS shared secret.
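Before the login test, and while the session from the WARNING above is still open, it is worth checking both files you have just edited. The script below is an added example written for this edit, not Nordic Edge's or the FreeRADIUS project's code. It verifies that the auth stack carries "auth sufficient pam_radius_auth.so" ahead of the first pam_unix* entry, as the rule of thumb above requires, and that each entry in the RADIUS client file has the "server[:port] shared_secret timeout" form and that the file is not readable by group or other, since it holds the shared secret. The file names below are constructed temporary copies and "secret" is the NSD's placeholder; on a server you would pass /etc/pam.d/common-auth (or your SSH service file) and /etc/raddb/server.

```shell
#!/bin/sh
# Added example, not part of the NSD: pre-login check of the PAM auth stack and
# the RADIUS client configuration. Only simple control flags (required,
# sufficient, ...) are understood; bracketed [value=action] controls are skipped.
# All paths used here are constructed temporary files.

# check_pam_stack FILE -> 0 if an "auth sufficient pam_radius_auth.so" entry
# exists and precedes the first pam_unix* auth entry, 1 otherwise
check_pam_stack() {
    awk '
        /^[[:space:]]*#/ { next }
        NF >= 3 && $1 == "auth" {
            n++
            if ($3 ~ /^pam_radius_auth\.so/) { radius = n; ctl = $2 }
            if ($3 ~ /^pam_unix/ && !unixpos) { unixpos = n }
        }
        END {
            if (!radius) { print FILENAME ": pam_radius_auth.so missing from auth stack"; exit 1 }
            if (ctl != "sufficient") { print FILENAME ": pam_radius_auth.so control is " ctl ", expected sufficient"; exit 1 }
            if (unixpos && radius > unixpos) { print FILENAME ": pam_radius_auth.so must precede pam_unix"; exit 1 }
            exit 0
        }
    ' "$1"
}

# check_radius_conf FILE -> 0 if group/other have no access and every entry is
# "server[:port] shared_secret timeout" (the pam_radius_auth.conf line format)
check_radius_conf() {
    f="$1"
    # columns 5-10 of ls -l are the group and other permission bits
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "$f: shared secret readable by group/other; chmod 600 it"
        return 1
    fi
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF != 3 { print FILENAME ":" NR ": expected server[:port] shared_secret timeout"; bad = 1; next }
        $1 !~ /^[A-Za-z0-9.-]+(:[0-9]+)?$/ { print FILENAME ":" NR ": bad server field " $1; bad = 1 }
        $3 !~ /^[0-9]+$/ { print FILENAME ":" NR ": timeout must be a number of seconds"; bad = 1 }
        END { exit bad + 0 }
    ' "$f"
}

# Constructed samples mirroring the NSD's common-auth and /etc/raddb/server entries.
tmp=${TMPDIR:-/tmp}/nsd1142.$$
mkdir -p "$tmp"
cat > "$tmp/common-auth" <<'EOF'
auth   required    pam_env.so
auth   sufficient  pam_radius_auth.so
auth   required    pam_unix2.so
EOF
cat > "$tmp/server" <<'EOF'
# server[:port]      shared_secret   timeout   ("secret" is a placeholder)
192.168.0.100:1812   secret          3
EOF
chmod 600 "$tmp/server"

check_pam_stack "$tmp/common-auth" && echo "PAM auth stack: OK"
check_radius_conf "$tmp/server"    && echo "RADIUS client config: OK"
rm -rf "$tmp"
```

The check enforces the order the NSD gives, not a stricter policy: with "sufficient", a RADIUS accept ends the stack, while a RADIUS reject or timeout falls through to pam_unix, so the local password alone can still complete a login. If that fallback is not wanted, the control flag, not this check, is what to change.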

Make sure the One Time Password server and User Store Host are running. 

Now attempt to log in as a user configured for OTP.

If the login succeeds then the installation was successful.

If the login fails then please contact Nordic Edge Support for assistance with troubleshooting.


Disclaimer

The origin of this information may be internal or external to Nordic Edge™. Nordic Edge™ makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Nordic Edge™ makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.

Nordic Edge Support – www.nordicedge.se
