LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Post #1, tdnnash25 (Member), 06-16-2009, 03:41 PM
SSH + PAM + two-factor authentication


I have SSH being two-factored at the moment using PAM Radius.

So, at the moment, if someone SSH's to my server, they'll be asked for a username and password (as usual). Upon successfully entering the correct credentials, they will receive a phone call (the two factor part) and will have to input a PIN for verification. After they put the PIN in the phone and press #, they get authenticated and are now on the server via SSH. All of this works great.

My server receives many unsuccessful login attempts every day from random IP addresses overseas. To prevent anyone from ever being able to log in via SSH I put my two-factor in place. Now the thing is, I personally don't want to be two-factored every time I attempt to SSH to my own server.

This is what I want to accomplish:

If I SSH to my server from an IP address that I've never SSH'ed from before, I want it to accept my username and password, then two-factor me. After this, I want the IP address I connected from to be whitelisted so that I do not get two-factored any longer. So this would effectively accomplish the prevention of someone hacking into my server via SSH (because they don't have my phone, nor know my PIN), while at the same time giving me the convenience of not having to be two-factored from my house, or work, or wherever I am all the time. I only want to be two-factored one time per IP address, then have that IP address in a whitelist of some fashion.

So, any tips you could give me on whitelisting or helping me brainstorm some ideas for this would be greatly appreciated.
 
Post #2, acid_kewpie (Moderator, UK; Gentoo, RHEL, Fedora, Centos), 06-16-2009, 05:01 PM
Well if you use a separate account for each function then you could fairly easily rig something up. If you watch the contents of /var/log/secure, using a standard cron job or tail (or one of those other more specific tools I can't remember the name of right now), to watch for your "two factor" account logging in from a certain address. This address can then be stuck into your access.conf file along with your personal user account to allow that account to log in from that IP, above a default deny for that user.

Alternatively I think the pam_listfile module might allow you to reference a list of IP addresses and be restricted to your user account, letting you add that into your system-auth stack (or whatever config you use within pam) as a Sufficient (i think) option above the rest. That would probably give you an easier way to only use a single account too.
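The log-watching half of the first suggestion, written out as an added example (not code from the thread or from any of the posters). It assumes sshd logs through syslog in the usual "Accepted <method> for <user> from <addr> port <n>" form, that the list it maintains is the one pam_listfile reads with item=rhost, and that only successful logins of one named account (the one that has been through the phone-call step) are allowed to enrol an address. The path /etc/security/ssh_rhost_whitelist and the SAMPLE_LOG lines are constructed for illustration:

```python
"""Enrol the source address of successful SSH logins into a pam_listfile rhost list.

Added example, not code from the thread. Assumptions:
  - sshd logs through syslog as
        "sshd[PID]: Accepted <method> for <user> from <addr> port <n> ssh2"
  - the list file is consumed by pam_listfile with item=rhost sense=allow,
    so each entry must be the exact string sshd hands PAM as PAM_RHOST
    (the client IP as text, unless sshd resolves names with UseDNS yes)
  - only successful logins of one account (the one forced through the
    phone-call step) are trusted enough to enrol an address
Run it as root from cron over the lines appended to /var/log/secure since
the last run. SAMPLE_LOG below is constructed for illustration.
"""
import ipaddress
import os
import re
import tempfile

# Hypothetical path; any root-owned, non-world-writable file will do.
WHITELIST_PATH = "/etc/security/ssh_rhost_whitelist"

ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+"
)

# Constructed sample of /var/log/secure: two brute-force failures, a login
# that passed password + RADIUS (keyboard-interactive/pam), a session line,
# a different account, and a repeat from the already-seen address.
SAMPLE_LOG = [
    "Jun 16 15:40:02 box sshd[4121]: Failed password for invalid user admin from 198.51.100.23 port 4022 ssh2",
    "Jun 16 15:40:05 box sshd[4121]: Failed password for root from 198.51.100.23 port 4022 ssh2",
    "Jun 16 15:41:09 box sshd[4130]: Accepted keyboard-interactive/pam for tdnnash25 from 203.0.113.7 port 51234 ssh2",
    "Jun 16 15:41:09 box sshd[4130]: pam_unix(sshd:session): session opened for user tdnnash25 by (uid=0)",
    "Jun 16 15:55:41 box sshd[4188]: Accepted password for backup from 192.0.2.44 port 40100 ssh2",
    "Jun 16 16:02:17 box sshd[4201]: Accepted keyboard-interactive/pam for tdnnash25 from 203.0.113.7 port 51301 ssh2",
]


def accepted_addresses(log_lines, trusted_user):
    """Distinct source addresses of successful sshd logins by trusted_user,
    in first-seen order. Failed attempts, 'invalid user' noise and other
    accounts never contribute, and anything that is not a literal IP is
    dropped because pam_listfile compares strings, not networks."""
    seen = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m is None or m.group("user") != trusted_user:
            continue
        addr = m.group("addr")
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue
        if addr not in seen:
            seen.append(addr)
    return seen


def read_whitelist(path):
    """Current entries, one per line; blank lines are ignored."""
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [line.strip() for line in f if line.strip()]


def update_whitelist(path, addrs):
    """Append addresses not yet listed and return the ones actually added.
    The file is rewritten via a temp file plus rename so PAM never reads a
    half-written list, and is left at mode 0644: pam_listfile refuses a
    list that is world-writable or not owned by root."""
    current = read_whitelist(path)
    added = [a for a in addrs if a not in current]
    if not added:
        return []
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".rhost.")
    with os.fdopen(fd, "w") as f:
        for a in current + added:
            f.write(a + "\n")
    os.chmod(tmp, 0o644)
    os.rename(tmp, path)
    return added


def run_demo():
    """Apply SAMPLE_LOG twice against a scratch list file and report what
    each pass enrolled; the second pass must be a no-op."""
    path = os.path.join(tempfile.mkdtemp(), "ssh_rhost_whitelist")
    first = update_whitelist(path, accepted_addresses(SAMPLE_LOG, "tdnnash25"))
    second = update_whitelist(path, accepted_addresses(SAMPLE_LOG, "tdnnash25"))
    return {"first": first, "second": second, "contents": read_whitelist(path)}


if __name__ == "__main__":
    print(run_demo())
```

Two things worth keeping in mind with any variant of this: an address only ever gets enrolled after a login that already passed the whole stack, including the phone call, so the log line itself is the evidence of a completed two-factor login; and once enrolled, everyone behind that address (a NAT, an office, a hotel network) gets password-only access until the entry is removed, so entries should be dated and expired rather than kept forever.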
 
Post #3, akiku (Member; Slackware), 06-17-2009, 06:51 AM
I am in the process of implementing two-factor authentication, but using a low cost USB key. You may want to check this out at http://code.google.com/p/yubico-pam/...eyAndSSHViaPAM

You can find out more about the USB key here
 
Post #4, tdnnash25 (Original Poster), 06-17-2009, 10:52 AM
Confused

What my brain is being challenged by is this:

When you SSH to a server, you are presented with the screen to login. You type your username and password and are either logged in, or not logged in.

In the scenario that I'm trying to accomplish - users are always going to have to type a username and password (of course, that's a given). But, I want the users who have never connected from their IP address to be two-factored. They are obviously going to have to type the correct username and password to even get that far.

So, is it possible to say "okay, you typed the correct username and password, and since you haven't connected from your IP before, I now am going to pass you to my two-factor authentication method prior to you logging in completely"? Likewise ... "okay, you typed the correct username and password, and since you have connected from this IP before, you are now completely signed in to the shell".

My brain is being challenged by this, b/c the default behavior from what I understand (without two-factor), is that the username/password is checked in /etc/shadow and if correct you are signed in.

What needs to be done to see they typed the successful username/password and instead of just logging them straight in, passing something to the two-factor authentication method before logging them in?

I hope my rambling makes sense.
 
Post #5, tdnnash25 (Original Poster), 06-17-2009, 11:02 AM
Quote: tdnnash25, post #4 (quoted in full above).

To add on to my rambling or maybe just simplify what I'm trying to accomplish.
1) verify username and password
2) if on whitelist, don't two-factor
3) if not on whitelist, do two-factor
 
Post #6, acid_kewpie (Moderator), 06-17-2009, 11:04 AM
The more I've thought about it, the more I think the listfile solution would suit you really well.
 
Post #7, tdnnash25 (Original Poster), 06-17-2009, 11:23 AM
Quote (acid_kewpie, post #6): The more I've thought about it, the more I think the listfile solution would suit you really well.
I am looking into this. I found this page which gives a good explanation and example: http://www.cyberciti.biz/tips/howto-...oup-login.html

If you look at the example, item=group, can you set item=IP? Then have the arbitrary file list IP addresses?
 
Post #8, tdnnash25 (Original Poster), 06-17-2009, 11:27 AM
Quote: tdnnash25, post #7 (quoted in full above).
Found this:

item=[tty|user|rhost|ruser|group|shell]

What is listed in the file and should be checked for

From: http://www.kernel.org/pub/linux/libs..._listfile.html

So, according to pam_listfile you can't use item=IP ... so how could I whitelist? Unless rhost is IP ?
 
Post #9, acid_kewpie (Moderator), 06-17-2009, 01:24 PM
That's what the rhost option is for, as I read the docs.
 
Post #10, tdnnash25 (Original Poster), 06-17-2009, 01:35 PM
Quote (acid_kewpie, post #9): That's what the rhost option is for, as I read the docs.
Thanks. I'll give it a try and update here. Not sure I can test today. But, I will let you guys know soon in case anyone else comes across this.
 
Post #11, tdnnash25 (Original Poster), 06-17-2009, 03:11 PM
Quote: tdnnash25, post #10 (quoted in full above).
pam_listfile with item=rhost does work if you add IP addresses / hostnames

Now I just need to figure out how to two-factor IP addresses that aren't in my file, and not two-factor IP addresses that are ... sigh
 
Post #12, acid_kewpie (Moderator), 06-17-2009, 03:41 PM
well if you put the listfile entry between the password module and the two factor module then you can end the authentication between the two if it passes.
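The ordering described in this post, and the item=rhost usage worked out in posts #8 to #11, written out as an added example of an sshd auth stack. This is not the poster's real configuration (the thread never shows it); pam_radius_auth.so is assumed to be the module behind the phone-call/PIN step, and /etc/security/ssh_rhost_whitelist is a hypothetical list file:

```text
# /etc/pam.d/sshd, auth section only (added example, not the thread's config)
# Modules run top to bottom in the order written.

# 1. Password first. "requisite" rather than "required": a wrong password ends
#    the stack right here, so brute-forcers never trigger a phone call and
#    never get as far as the whitelist check.
auth    requisite    pam_unix.so

# 2. Whitelist check. pam_listfile compares PAM_RHOST (the client address as
#    sshd passes it) as an exact string against the lines of the file.
#    A match returns success and ends the stack; no match, or a missing or
#    unusable file (onerr=fail), is ignored and control falls through.
auth    sufficient   pam_listfile.so item=rhost sense=allow onerr=fail file=/etc/security/ssh_rhost_whitelist

# 3. Everyone not on the list: RADIUS-backed phone call and PIN.
auth    required     pam_radius_auth.so
```

Points a practitioner would check before relying on this. sshd only runs this stack for keyboard-interactive logins, so sshd_config needs UsePAM yes and ChallengeResponseAuthentication yes. Entries must be the exact form sshd puts in PAM_RHOST: the client IP as text, or the resolved hostname when UseDNS is on; pam_listfile does no prefix or CIDR matching. pam_listfile will not use a list file that is world-writable or not owned by root, so keep it 0644 root:root. And because "sufficient" only short-circuits when nothing above it has failed, a whitelisted address still needs the right password; what it skips is only the phone call, which is the intended behaviour.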
 
Post #13, tdnnash25 (Original Poster), 06-17-2009, 10:53 PM
Quote (acid_kewpie, post #12): well if you put the listfile entry between the password module and the two factor module then you can end the authentication between the two if it passes.
My next question was going to be ...

in /etc/pam.d/ssh if I have a couple of "auth required" lines ... does it process each of them? And, in order? I was thinking I could put the listfile in front of the two-factor, and was hoping it'd process the listfile first, then the two-factor.
 
Post #14, tdnnash25 (Original Poster), 06-17-2009, 11:23 PM
Quote: acid_kewpie, post #12 (quoted in full above).
Not sure I follow what you mean. In my /etc/pam.d/ssh file, under the SSH section, all I have right now is the listfile module
 
Post #15, acid_kewpie (Moderator), 06-18-2009, 12:57 AM
show us your pam config that is calling to the two-factor mobile phone thingy... presumably your password entry is done completely as normal and then a later module does this extra bit?
 
  

