Wednesday, January 20, 2016

Set Ubuntu Desktop to use 2-factor authentication with RSA SecurID and LDAP

Prerequisites:
Ubuntu Version: 15.10
RSA SecurID (an RSA Authentication Manager reachable over RADIUS)
LDAP (Active Directory here; users log in with their sAMAccountName)

A few weeks ago, I needed to build an Ubuntu desktop for an isolated network. This desktop is only used to connect to servers in the IDC; it is free of office work, so eventually it was decided to deploy Ubuntu desktops as "thin" desktops.

Here are the preconditions.
- Use 2-factor authentication.
- Do not use USB storage: this desktop will connect directly to servers in the IDC.
    . This precondition is handled by monitoring processes with Splunk.

Let's talk about how to set up 2-factor authentication.

At first, I tried to follow what Google turned up.
Unfortunately, it did not work, and I decided to find a workaround.
I edited "common-auth", which causes all users who log in, including remote access such as SSH, to authenticate with 2 factors.

Here are what I did.

1. Install the libpam-radius-auth package and point it at the RSA Authentication Manager


 apt-get install libpam-radius-auth
 # then edit /etc/pam_radius_auth.conf and add the RSA Authentication Manager
 # as a RADIUS server, one per line:  server[:port]  shared_secret  timeout
 # (the file holds the shared secret, so keep it readable by root only)


2. Create the prompt scripts. pam_exec runs them with the stdout option, so whatever they print is shown to the user through the PAM conversation (the display manager or sshd).


 echo "#!/bin/sh" > /usr/local/bin/notify-login
 echo "echo \"Enter Passcode\"" >> /usr/local/bin/notify-login
 echo "#!/bin/sh" > /usr/local/bin/notify-login-correct
 echo "echo \"Enter AD Password\"" >> /usr/local/bin/notify-login-correct
 echo "#!/bin/sh" > /usr/local/bin/notify-login-wrong
 echo "echo \"Wrong OTP Token\"" >> /usr/local/bin/notify-login-wrong
 chmod +x /usr/local/bin/notify-login /usr/local/bin/notify-login-correct /usr/local/bin/notify-login-wrong

3. Install and edit the LDAP files

 ################################################
 # Adding LDAP Auth configuration    #
 ################################################
 apt-get -y install ldap-auth-client nscd
 # bind_policy soft: fail fast instead of hanging when no LDAP server answers
 sed -i "s/\#bind_policy hard/bind_policy soft/g" /etc/ldap.conf
 # give users time to read the prompts and type two secrets
 sed -i 's/LOGIN_TIMEOUT\t\t60/LOGIN_TIMEOUT\t\t180/g' /etc/login.defs
 sed -i 's/^#pam_login_attribute sAMAccountName/pam_login_attribute sAMAccountName/g' /etc/ldap.conf
 sed -i 's/base dc=example,dc=net/base dc=EXAMPLE,dc=CORP/g' /etc/ldap.conf
 sed -i 's/^uri ldapi:\/\/\//uri ldap:\/\/SERVER1 ldap:\/\/SERVER2/g' /etc/ldap.conf
 sed -i 's/^rootbinddn cn=manager,dc=example,dc=net/binddn ACCOUNT\nbindpw PASSWORD\nrootbinddn account/g' /etc/ldap.conf
 chmod 644 /etc/ldap.conf
 # pam_ldap must prompt for the AD password itself rather than reuse the
 # passcode already typed for pam_unix/pam_radius_auth, so drop use_first_pass
 sed -i 's/ use_first_pass//g' /etc/pam.d/common-auth

SERVER1, SERVER2, ACCOUNT and PASSWORD are placeholders for your own directory. Keep in mind that /etc/ldap.conf has to be world-readable (mode 644) because nss_ldap reads it from every process, so the bindpw written into it is readable by every local user. Use a dedicated read-only bind account for ACCOUNT/PASSWORD, or use rootbinddn with the password in /etc/ldap.secret (mode 600), which is only read by processes running as root such as the PAM stack.

4. Edit /etc/pam.d/common-auth.

 ################################################
 # Configure PAM file to use RSA Auth    #
 ################################################
This is a single command line. It replaces the pam_unix line that pam-auth-update generated with the six lines that make up the RSA leg of the stack; the pam_ldap line that ldap-auth-client added stays where it is.
 sed -i 's/auth\t\[success=2 default=ignore\]\tpam_unix.so nullok_secure/auth\toptional\tpam_exec.so\tstdout\t\/usr\/local\/bin\/notify-login\nauth\toptional\tpam_unix.so\nauth\t\[success=2 default=ignore\]\tpam_radius_auth.so\nauth\toptional\tpam_exec.so\tstdout\t\/usr\/local\/bin\/notify-login-wrong\nauth\trequisite\tpam_deny.so\nauth\toptional\tpam_exec.so\tstdout\t\/usr\/local\/bin\/notify-login-correct/g' /etc/pam.d/common-auth

## Edited common-auth file:
# 1st factor: print "Enter Passcode"; pam_unix collects the passcode (its own
# check fails and is ignored) and pam_radius_auth reuses that password item
auth optional pam_exec.so stdout /usr/local/bin/notify-login
auth optional pam_unix.so
# passcode accepted by RSA: skip the next 2 lines; otherwise print
# "Wrong OTP Token" and stop right there
auth [success=2 default=ignore] pam_radius_auth.so
auth optional pam_exec.so stdout /usr/local/bin/notify-login-wrong
auth requisite pam_deny.so
# 2nd factor: print "Enter AD Password"; pam_ldap prompts for it itself
# (no use_first_pass, which step 3 strips: with it pam_ldap would send the
# passcode to LDAP and fail)
auth optional pam_exec.so stdout /usr/local/bin/notify-login-correct
auth [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so

Two caveats. The local password alone never grants access (pam_unix is optional), root included, so if the RADIUS or LDAP servers are unreachable nobody can log in; keep a recovery path such as console access to a rescue shell before rolling this out. For SSH, the stack prompts twice, so sshd needs ChallengeResponseAuthentication yes (keyboard-interactive); plain password authentication hands PAM a single password and cannot answer the second prompt.
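Because the whole scheme rests on the success=N jumps landing on the right lines, it is worth checking the control flow before locking yourself out. The script below is an added example, not part of the original post: it reads the stack above (embedded here as a constructed string with whitespace normalised), reports where each success=N jump lands, and simulates Linux-PAM's control-flag semantics (required/requisite/sufficient/optional and [success=N default=ignore]) with hand-supplied verdicts for pam_unix, pam_radius_auth and pam_ldap. It models only the control flags, not what the modules do, and pam_exec is tracked just to show which notify-* prompt the user would see. Function names and the verdict-table layout are my own.

```python
"""Simulate the 'auth' control flow of the two-factor common-auth above."""
import re

# Constructed sample input: the post's final common-auth 'auth' stack,
# whitespace normalised so the script runs without touching /etc/pam.d.
COMMON_AUTH = """\
auth optional pam_exec.so stdout /usr/local/bin/notify-login
auth optional pam_unix.so
auth [success=2 default=ignore] pam_radius_auth.so
auth optional pam_exec.so stdout /usr/local/bin/notify-login-wrong
auth requisite pam_deny.so
auth optional pam_exec.so stdout /usr/local/bin/notify-login-correct
auth [success=1 default=ignore] pam_ldap.so
auth requisite pam_deny.so
auth required pam_permit.so
"""

# The four simple control keywords, written as their [value=action] equivalents.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Modules whose verdict never depends on what the user typed.
FIXED_VERDICT = {"pam_deny.so": False, "pam_permit.so": True, "pam_exec.so": True}

LINE_RE = re.compile(r"^auth\s+(\[[^\]]+\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Return [(controls, module, args)] for every 'auth' line in a pam.d file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("cannot parse: %r" % raw)
        control, module, args = m.groups()
        if control.startswith("["):
            controls = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            controls = dict(SIMPLE_CONTROLS[control])
        entries.append((controls, module, args.split()))
    return entries


def simulate(text, verdicts):
    """Walk the stack; verdicts maps authenticating modules to True/False.

    Returns (granted, prompts): prompts lists the notify-* scripts pam_exec
    would have printed, in order. Modules missing from verdicts and
    FIXED_VERDICT are treated as failing (a wrong or unknown credential).
    """
    entries = parse_stack(text)
    status = None          # None: nothing recorded yet; True/False: running result
    prompts = []
    i = 0
    while i < len(entries):
        controls, module, args = entries[i]
        ok = FIXED_VERDICT.get(module, verdicts.get(module, False))
        if module == "pam_exec.so":
            prompts.append(args[-1].rsplit("/", 1)[-1])
        action = controls.get("success" if ok else "default", controls.get("default", "bad"))
        if action == "ok":
            if status is None:
                status = True
        elif action == "bad":
            status = False
        elif action == "die":
            return False, prompts
        elif action == "done":
            if status is not False:
                return True, prompts
        elif action.isdigit():
            # success=N skips the next N modules and records no result, which is
            # why the stack has to end with 'required pam_permit.so'.
            i += int(action)
        # "ignore" contributes nothing
        i += 1
    return status is True, prompts


def jump_targets(text):
    """Map each [success=N] module to the line it lands on, to catch a miscounted N."""
    entries = parse_stack(text)
    targets = {}
    for idx, (controls, module, _) in enumerate(entries):
        n = controls.get("success", "")
        if n.isdigit():
            t = idx + int(n) + 1
            targets[module] = " ".join([entries[t][1]] + entries[t][2]) if t < len(entries) else None
    return targets


if __name__ == "__main__":
    print(jump_targets(COMMON_AUTH))
    for label, verdicts in [
        ("wrong passcode", {"pam_radius_auth.so": False}),
        ("local password right, passcode wrong", {"pam_unix.so": True, "pam_radius_auth.so": False}),
        ("passcode right, AD password wrong", {"pam_radius_auth.so": True, "pam_ldap.so": False}),
        ("both right", {"pam_radius_auth.so": True, "pam_ldap.so": True}),
    ]:
        granted, prompts = simulate(COMMON_AUTH, verdicts)
        print("%-40s -> granted=%s, prompts=%s" % (label, granted, prompts))
```

Run it against a copy of your real /etc/pam.d/common-auth (replace COMMON_AUTH with the file's contents) after every edit: the second scenario is the one that matters most, since it shows a correct local password still being denied, and the jump_targets output shows at a glance whether the success=2 still lands on the "Enter AD Password" line after someone inserts a module in the middle of the stack.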


5. Disable guest account for lightdm.

 ################################################
 # Disable Guest session    #
 ################################################
 echo "[SeatDefaults]" > /etc/lightdm/lightdm.conf
 echo "allow-guest=false" >> /etc/lightdm/lightdm.conf

6. Installing SplunkForwarder

 ################################################
 # Installing SplunkForwarder                   #
 ################################################
 apt-get install sshpass
 # NOTE: the password ends up in the process list and shell history and the
 # host key is never checked; an SSH key plus a pinned known_hosts entry is
 # the safer way to fetch the package
 sshpass -p "PASSWORD" scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -r ubunter@FILESERVER:/home/sftp/ubunter/splunkforwarder-6.3.1-linux-2.6-amd64.deb ./
 dpkg -i ./splunkforwarder-6.3.1-linux-2.6-amd64.deb
 /opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license
 /opt/splunkforwarder/bin/splunk edit user admin -password "PASSWORD" -auth admin:changeme
 /opt/splunkforwarder/bin/splunk add forward-server SPLUNK:PORT
 /opt/splunkforwarder/bin/splunk set deploy-poll SPLUNK:PORT
 /opt/splunkforwarder/bin/splunk enable deploy-client
 # $IPAddress: set it to this desktop's address before running this line
 /opt/splunkforwarder/bin/splunk add monitor /var/log/ -index idxsyslog -sourcetype linuxlog -hostname $IPAddress
 # bind the forwarder's management port to localhost only
 echo "# bind Splunk to localhost only" >> /opt/splunkforwarder/etc/splunk-launch.conf
 echo "SPLUNK_BINDIP=127.0.0.1" >> /opt/splunkforwarder/etc/splunk-launch.conf
 /opt/splunkforwarder/bin/splunk enable boot-start
 /opt/splunkforwarder/bin/splunk restart
 # pam_radius_auth.conf holds the RADIUS shared secret and, per the module's
 # documentation, should be readable by root only (0600). o+r exposes the
 # secret to every local user; if a PAM client that does not run as root needs
 # the file, make it group-readable by that service's group instead.
 chmod o+r /etc/pam_radius_auth.conf

After editing common-auth, it works well. :D
