I was wondering if someone could help thin down our lines of enquiry regarding our authentication regime. I'm in the very early stages of working out what is needed here, so please forgive any vagueness.
This is an estate of Debian based servers running in a remote data centre.
So the admins need to ssh in over the WAN into the internal network.
There are only 3 user accounts on each just now, and about 15 servers (and growing). I am only looking at authenticating ssh access here.
Requirements:
- PCI DSS password controls (complexity, account aging etc.)
- Centralized administration of user accounts (if at all possible)
- Two-factor authentication
- Passwords transmitted only in encrypted form
Currently we have OPIE as our two-factor auth running on a box we use as an ssh stepping stone to enter the internal network. Inside the internal network we use ssh with each box authenticating locally with PAM and standard unix passwords (using cracklib & pam_unix).
This works from a PCI perspective, but obviously isn't centralized, so it requires KeePass or similar to keep track of all passwords as they expire and are changed.
I have so far looked at FreeRADIUS to provide a centralized authentication server which is queried from the client via pam_radius_auth. FreeRADIUS can be configured to use the auth-type System, so we would only have to administer accounts on that one server. The trouble with this is that user account aging warnings don't seem to be sent back to the clients using pam_radius_auth.
So I am wondering if I should be looking at LDAP. I believe it can enforce password aging controls itself from the backend, and pam_cracklib can continue to enforce complexity locally. I believe there are OTP solutions for LDAP also.
Can anyone provide an insight as to whether LDAP-only, or RADIUS/LDAP, would make sense with the above set-up and requirements?
Would the added complexity be worth it for such a small estate?
I am also hazy as to how RADIUS and LDAP interact. If using LDAP, do I even need RADIUS, since LDAP appears to have suitable PAM modules to authenticate ssh sessions?
Any insights would be welcome.
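The following is an added example, not code from the original post or from any of the tools it names. It shows the password-ageing computation that a centralised store has to support for the "aging warnings" the poster is missing to exist at all: the RFC 2307 shadowAccount attributes (shadowLastChange, shadowMax, shadowWarning, shadowInactive, shadowExpire) are evaluated with roughly the same checks pam_unix applies to /etc/shadow. On the LDAP route being considered, one common arrangement is to hold these attributes in the directory and let pam_unix's account stage evaluate them through NSS (nss_ldap or nslcd), so every box gets the same verdict from one central record; OpenLDAP's ppolicy overlay is the alternative that enforces ageing in the server itself. The LDIF entries, user names and dates below are constructed for the example; "today" is given in days since the Unix epoch, the unit the shadow attributes use.

```python
# Added example (not from the original post): evaluate RFC 2307 shadowAccount
# ageing attributes the way pam_unix evaluates /etc/shadow, so that the same
# rules can be applied from one central directory record on every client.
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed LDIF-style sample entries; users and values are hypothetical.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
shadowLastChange: 19700
shadowMax: 90
shadowWarning: 14
shadowInactive: 7

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
shadowLastChange: 19600
shadowMax: 90
shadowWarning: 14
shadowInactive: 7

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
shadowLastChange: 0
shadowMax: 90

dn: uid=dave,ou=People,dc=example,dc=com
uid: dave
shadowLastChange: 19500
shadowMax: 99999
shadowExpire: 19750

dn: uid=eve,ou=People,dc=example,dc=com
uid: eve
shadowLastChange: 19688
shadowMax: 90
shadowInactive: 7

dn: uid=frank,ou=People,dc=example,dc=com
uid: frank
shadowLastChange: 19770
shadowMax: 90
shadowWarning: 14
"""


@dataclass(frozen=True)
class AgeStatus:
    state: str                       # ok | warn | expired | inactive | must_change | account_expired
    days_left: Optional[int] = None  # days until the password expires (negative = overdue)


def parse_ldif(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for single-valued LDIF entries, keyed by uid."""
    entries: Dict[str, Dict[str, str]] = {}
    for block in text.strip().split("\n\n"):
        attrs: Dict[str, str] = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs[name.strip()] = value.strip()
        entries[attrs["uid"]] = attrs
    return entries


def _int_attr(attrs: Dict[str, str], name: str, default: int = -1) -> int:
    value = attrs.get(name, "")
    return int(value) if value else default   # absent attribute behaves like -1 (unset)


def password_age_status(attrs: Dict[str, str], today: int) -> AgeStatus:
    """today: days since the Unix epoch, the same unit as the shadow attributes."""
    last_change = _int_attr(attrs, "shadowLastChange")
    max_days = _int_attr(attrs, "shadowMax")
    warn_days = _int_attr(attrs, "shadowWarning")
    inactive = _int_attr(attrs, "shadowInactive")
    expire = _int_attr(attrs, "shadowExpire")

    if expire != -1 and today >= expire:
        return AgeStatus("account_expired")           # hard account expiry date reached
    if last_change == 0:
        return AgeStatus("must_change")               # admin forced a change at next login
    if max_days == -1 or max_days >= 99999:
        return AgeStatus("ok")                        # ageing disabled (99999 is the conventional "never")
    age = today - last_change
    days_left = last_change + max_days - today
    if age > max_days and inactive != -1 and age > max_days + inactive:
        return AgeStatus("inactive", days_left)       # grace period used up: account locked
    if age > max_days:
        return AgeStatus("expired", days_left)        # expired, change required at login
    if warn_days != -1 and age + warn_days > max_days:
        return AgeStatus("warn", days_left)           # inside the warning window
    return AgeStatus("ok", days_left)


def evaluate_all(ldif: str, today: int) -> Dict[str, AgeStatus]:
    """Apply the ageing policy to every entry in the directory dump."""
    return {uid: password_age_status(a, today) for uid, a in parse_ldif(ldif).items()}


if __name__ == "__main__":
    for uid, status in evaluate_all(SAMPLE_LDIF, today=19780).items():
        print(f"{uid:<6} {status.state:<16} days_left={status.days_left}")
```

Run with a fixed "today" of 19780 so the output is reproducible: alice lands in the warning window with 10 days left, eve is two days overdue and must change at login, bob is past the inactivity grace period and locked, carol has been forced to change, dave's whole account has expired, and frank is fine. Whichever client module consumes the record, it is this per-user data, kept in one place, that makes centralised ageing possible; a protocol that only hands back accept or reject cannot carry the "days left" value.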