LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 11-17-2009, 10:14 AM   #1
LinuxLover
Member
 
Registered: Feb 2004
Distribution: Solaris 10/11 , RHEL 6 ,AIX 7.1
Posts: 188

Rep: Reputation: 32
two factor authentication


Hi,

We have around 150 Solaris and Linux servers in two remote datacenters.

Mostly we work by using ssh via site to site vpn connection. To secure it more ,and also a requirement for our audit we need to configure two factor authentication in order to access our servers.

I am looking at wikid http://www.wikidsystems.com/.

Is there any other/better software base solution to implement two factor authentication.

Looking forwarding for you valuable opinions.
 
Old 11-17-2009, 10:44 AM   #2
TB0ne
Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 15,071

Rep: Reputation: 2712Reputation: 2712Reputation: 2712Reputation: 2712Reputation: 2712Reputation: 2712Reputation: 2712Reputation: 2712Reputation: 2712Reputation: 2712Reputation: 2712
Quote:
Originally Posted by LinuxLover View Post
Hi,

We have around 150 Solaris and Linux servers in two remote datacenters.

Mostly we work by using ssh via site to site vpn connection. To secure it more ,and also a requirement for our audit we need to configure two factor authentication in order to access our servers.

I am looking at wikid http://www.wikidsystems.com/.

Is there any other/better software base solution to implement two factor authentication.

Looking forwarding for you valuable opinions.
That's a good solution, and I've used it before, but why would you need to? If you've got site-to-site VPN with any kind of decent security, that's pretty secure as is. I could perhaps see changing SSH ports to something other than 22, longer VPN passwords, etc., but c'mon. If this is on your internal network, which a VPN is essentially, it sounds like the auditors are trying to make themselves look valuable.
 
Old 11-17-2009, 11:19 AM   #3
LinuxLover
Member
 
Registered: Feb 2004
Distribution: Solaris 10/11 , RHEL 6 ,AIX 7.1
Posts: 188

Original Poster
Rep: Reputation: 32
Thanks for you reply.

We are in Payment Card Industry and two factor authentication is the requirement for PCI audit.

I have installed Wikid community edition but now stuck in client authentication.
 
Old 11-17-2009, 11:40 AM   #4
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by LinuxLover View Post
Thanks for you reply.

We are in Payment Card Industry and two factor authentication is the requirement for PCI audit.

I have installed Wikid community edition but now stuck in client authentication.
What problem are you having? I'm more than happy to help out. Is your issue with the token client? or configuring your boxes to talk to the WiKID server?

nick
 
Old 11-17-2009, 12:57 PM   #5
LinuxLover
Member
 
Registered: Feb 2004
Distribution: Solaris 10/11 , RHEL 6 ,AIX 7.1
Posts: 188

Original Poster
Rep: Reputation: 32
Hi nickowen,

Thanks for you reply , currently we are looking its community version.But we are planning to purchase it commercial version. I will be highly apprciate you if you would help me in this regard,so for i have install the athentication server but not able to athenticate client from.For testing I am trying to authenticate a WindowXP box from it through Token client.
 
Old 11-17-2009, 02:45 PM   #6
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by LinuxLover View Post
Hi nickowen,

Thanks for you reply , currently we are looking its community version.But we are planning to purchase it commercial version. I will be highly apprciate you if you would help me in this regard,so for i have install the athentication server but not able to athenticate client from.For testing I am trying to authenticate a WindowXP box from it through Token client.
ok. You can test to see if you WiKID software token is working by trying to add this domain server code: 888888888888. (under Actions, Create New Domain) If you get a pin prompt, then it should be working.

If it is, then it is probably an error on your server. What domain code do you have? It should be the zero-padded ip address of your server. So, 10.100.0.200 becomes 010100000200. The token needs to be able to route to the server over port 80. (we use public key encryption, so no need for SSL.)

If that all looks good, check the WiKIDAdmin logs (link on top left corner) and try running the token in debug mode:
http://www.wikidsystems.com/support/...client%20debug

HTH,

nick
 
Old 11-18-2009, 08:34 AM   #7
LinuxLover
Member
 
Registered: Feb 2004
Distribution: Solaris 10/11 , RHEL 6 ,AIX 7.1
Posts: 188

Original Poster
Rep: Reputation: 32
Thanks nickowen , for your valuable help.

I am able to connect by your giving instruction, in fact earliar I was mentioning wrong domain code.

Now Token client is able to connect at the next screen it give me some passode and timer coutdown from 30 seconds , as picture is annexed.So what the next step to add the client for athentication , How can I use this passcode?
Attached Images
File Type: jpg passcode.JPG (8.9 KB, 4 views)
 
Old 11-18-2009, 10:30 AM   #8
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by LinuxLover View Post
Thanks nickowen , for your valuable help.

I am able to connect by your giving instruction, in fact earliar I was mentioning wrong domain code.

Now Token client is able to connect at the next screen it give me some passode and timer coutdown from 30 seconds , as picture is annexed.So what the next step to add the client for athentication , How can I use this passcode?
Great. We added a little test page to the server just for this purpose:

http://www.wikidsystems.com/support/...ing-correctly/

It is in /opt/WiKID/tomcat/webapps/WiKIDAdmin/ (as described). Change the default domain server code and the localhost passphrase and browse to the page, which is protected by the WiKIDAdmin creds. You should see html for registering/adding a token, authenticating an OTP, etc.
(This page demos all the functionality of the wAuth protocol/)

If this is working, you will probably want to think about testing this with your servers. It probably would make sense to do this test with the commercial version, which supports radius. You can try using ldap or tacacs (which is supported in pam), but radius is much cleaner. If you're using a commercial vpn, then radius is definitely the way to go.

If you use AD, you can also check out how to let users self-register based on their AD creds: http://www.wikidsystems.com/support/...ad-credentials
 
Old 11-18-2009, 12:22 PM   #9
LinuxLover
Member
 
Registered: Feb 2004
Distribution: Solaris 10/11 , RHEL 6 ,AIX 7.1
Posts: 188

Original Poster
Rep: Reputation: 32
Thanks for your help,

I installed the iso image and now able to verify the user at https://myserverurl/WiKIDAdmin/example.jsp


as given insttruction at http://www.wikidsystems.com/support/...nual-all-pages



It gives me message SUCCESS at top when I check user id in Online login:

Now how can I use this to configure for my user who connect to remote servers by ssh?
 
Old 11-19-2009, 10:24 AM   #10
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
For ssh, on the open source Community edition your best bet is tacacs+: http://www.wikidsystems.com/support/...on-with-tacacs

I can't get ldap to work because PAM doesn't support the anonymous binds we use to validate the OTP.

For the enterprise version, Radius is the best bet: http://www.wikidsystems.com/support/...-radius-how-to

In both cases, you need to enable the protocol, create a network client and then restart the server. For tacacs, you probably also need to kick of the tacacs listener with:

# /opt/WiKID/bin/tac_plus -C /opt/WiKID/private/tacacs.conf

If you're intention is to go Enterprise, now is a good time to switch. You won't get any benefit testing with tacacs. It's not the best options for ssh. It's fine for switches.

hth,

nick
 
Old 11-20-2009, 11:11 AM   #11
LinuxLover
Member
 
Registered: Feb 2004
Distribution: Solaris 10/11 , RHEL 6 ,AIX 7.1
Posts: 188

Original Poster
Rep: Reputation: 32
Thanks for your reply,

I am trying to authenticate a ssh user from Enterprise version.But still not able to do so.

I have install the pam_radius_auth.so module as given link by you.

When I try to login on this system it dispaly this error in log file

Code:
Nov  3 09:01:00 nms-test sshd[8992]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 15178688. 
Nov  3 09:01:02 nms-test sshd[8992]: Failed password for ktahir from 192.168.150.3 port 4464 ssh2
Nov  3 09:01:15 nms-test sshd[8993]: Received disconnect from 192.168.150.3: 13: Authentication cancelled by user.


I am not very much sure what parameter need to be set on server side
I have enable radius , network client, created the use but unable to find any password option for that user.
Attached Images
File Type: jpg user.JPG (47.5 KB, 1 views)
File Type: jpg domain-1.JPG (57.9 KB, 1 views)
 
Old 11-21-2009, 07:09 AM   #12
LinuxLover
Member
 
Registered: Feb 2004
Distribution: Solaris 10/11 , RHEL 6 ,AIX 7.1
Posts: 188

Original Poster
Rep: Reputation: 32
Hi,

I have moved bit further with the help of below doc.

http://www.wikidsystems.com/support/...ion-from-wikid


Now when I try to connet to targnet server it fails aunthentication below are the logs


Log of Target server

Code:
Nov  3 21:02:33 nms-test sshd[10692]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 11803584. 
Nov  3 21:02:34 nms-test sshd[10692]: Failed password for ktahir from 192.168.150.3 port 1977 ssh2

Log of Wikid Server

Code:
tail -f /opt/WiKID/log/radius.log 

NASip is '192.168.150.109'
PAP Request
passcode is 123456
Checking ktahir:123456:192168150110
Check returned false

I am not sure about that passcode ? How to set in on Wikid server?
 
Old 11-21-2009, 10:47 AM   #13
LinuxLover
Member
 
Registered: Feb 2004
Distribution: Solaris 10/11 , RHEL 6 ,AIX 7.1
Posts: 188

Original Poster
Rep: Reputation: 32
Hi ,
I moved one step more .

I download Token client for linux jwikid.xx.jar in target linux machine to which I want to ssh.

Then added it in network client. Also pam etc set properly on target linux machine.


I generated the passcode by executing

# java -jar jwikid.x.x.jar from this target machine.


Now when I try to ssh my target machine it looks like that passcode is being authenticating form wikid server as given below

Code:
# tail -f   /opt/WiKID/log/radius.log 

NASip is '192.168.150.111'
PAP Request
passcode is 205690
Checking ktahir:205690:192168150110
Check returned true


User-Name (1), Length: 8, Data: [ktahir], 0x6B7461686972
User-Password (2), Length: 18, Data: 0xF43A844523FE9F09A2C0DA19C8754598
NAS-IP-Address (4), Length: 6, Data: [���o], [# 3232274031] / [IP 192.168.150.111], 0xC0A8966F
NAS-Identifier (32), Length: 6, Data: [sshd], [# 1936943204] / [IP 115.115.104.100], 0x73736864
NAS-Port (5), Length: 6, Data: [# 4263], 0x000010A7
NAS-Port-Type (61), Length: 6, Data: [# 5 (Virtual)], 0x00000005
Service-Type (6), Length: 6, Data: [# 8 (Authenticate-Only)], 0x00000008
Calling-Station-Id (31), Length: 15, Data: [192.168.150.3], 0x3139322E3136382E3135302E33



But still I am unable to login. Is repeat to ask passwod again and again.


Below is the log of target machine.


Code:
ov 22 01:40:54 alpha sshd[4263]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 13298656. 
Nov 22 01:40:54 alpha sshd[4263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.3  user=ktahir
Nov 22 01:40:56 alpha sshd[4263]: Failed password for ktahir from 192.168.150.3 port 4558 ssh2

Last edited by LinuxLover; 11-21-2009 at 10:48 AM.
 
Old 11-23-2009, 08:43 AM   #14
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by LinuxLover View Post
Hi,

I have moved bit further with the help of below doc.

http://www.wikidsystems.com/support/...ion-from-wikid


Now when I try to connet to targnet server it fails aunthentication below are the logs


Log of Target server

Code:
Nov  3 21:02:33 nms-test sshd[10692]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 11803584. 
Nov  3 21:02:34 nms-test sshd[10692]: Failed password for ktahir from 192.168.150.3 port 1977 ssh2

Log of Wikid Server

Code:
tail -f /opt/WiKID/log/radius.log 

NASip is '192.168.150.109'
PAP Request
passcode is 123456
Checking ktahir:123456:192168150110
Check returned false

I am not sure about that passcode ? How to set in on Wikid server?
The passcode needs to be generated from the token. If you got 123456 from a token, we might need to double-check our random number generator .
 
Old 11-23-2009, 08:47 AM   #15
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by LinuxLover View Post
Hi ,
I moved one step more .

I download Token client for linux jwikid.xx.jar in target linux machine to which I want to ssh.

Then added it in network client. Also pam etc set properly on target linux machine.


I generated the passcode by executing

# java -jar jwikid.x.x.jar from this target machine.


Now when I try to ssh my target machine it looks like that passcode is being authenticating form wikid server as given below

Code:
# tail -f   /opt/WiKID/log/radius.log 

NASip is '192.168.150.111'
PAP Request
passcode is 205690
Checking ktahir:205690:192168150110
Check returned true


User-Name (1), Length: 8, Data: [ktahir], 0x6B7461686972
User-Password (2), Length: 18, Data: 0xF43A844523FE9F09A2C0DA19C8754598
NAS-IP-Address (4), Length: 6, Data: [���o], [# 3232274031] / [IP 192.168.150.111], 0xC0A8966F
NAS-Identifier (32), Length: 6, Data: [sshd], [# 1936943204] / [IP 115.115.104.100], 0x73736864
NAS-Port (5), Length: 6, Data: [# 4263], 0x000010A7
NAS-Port-Type (61), Length: 6, Data: [# 5 (Virtual)], 0x00000005
Service-Type (6), Length: 6, Data: [# 8 (Authenticate-Only)], 0x00000008
Calling-Station-Id (31), Length: 15, Data: [192.168.150.3], 0x3139322E3136382E3135302E33



But still I am unable to login. Is repeat to ask passwod again and again.


Below is the log of target machine.


Code:
ov 22 01:40:54 alpha sshd[4263]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 13298656. 
Nov 22 01:40:54 alpha sshd[4263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.3  user=ktahir
Nov 22 01:40:56 alpha sshd[4263]: Failed password for ktahir from 192.168.150.3 port 4558 ssh2
If the WiKID server is returning true and the target SSH server is not validating the user, then the problem is most likely with your /etc/pam.d/sshd file. Do you have this line:

auth sufficient /lib/security/pam_radius_auth.so

? Post you /etc/pam.d/sshd file and I'll have a look.

nick
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Perl or PHP Script that can tail /var/log/auth.log - two-factor authentication tdnnash25 Linux - Server 1 06-18-2009 09:36 PM
SSH + PAM + two-factor authentication tdnnash25 Linux - Security 21 06-18-2009 05:47 PM
LXer: How to secure VNC remote access with two-factor authentication LXer Syndicated Linux News 0 05-23-2007 03:46 PM
LXer: How to secure WebDAV with SSL and Two-Factor Authentication LXer Syndicated Linux News 0 04-18-2007 10:31 AM
Two-factor authentication XsuX Linux - Security 1 11-28-2004 06:13 AM


All times are GMT -5. The time now is 09:54 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration