From 560274c4010db6139697a0ea90ed4a6f80e8b3ec Mon Sep 17 00:00:00 2001 From: Yubi-David Date: Wed, 28 Apr 2021 10:15:20 -0500 Subject: [PATCH 1/4] Delete YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc Removing FreeRADIUS documentation --- doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc | 223 -------------------- 1 file changed, 223 deletions(-) delete mode 100644 doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc diff --git a/doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc b/doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc deleted file mode 100644 index e9421284..00000000 --- a/doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc +++ /dev/null 
@@ -1,223 +0,0 @@ -Yubico PAM Single-factor configuration guide --------------------------------------------- - -Step by Step Guide for Configuration of Yubico PAM module to provide single -factor YubiKey OTP authentication for RADIUS server. - -Introduction ------------- -The purpose of this document is to guide readers through the configuration -steps to enable single factor authentication using YubiKey and RADIUS server -on Linux platform. This document assumes that the reader has advance knowledge -and experience in Linux system administration, particularly how to configure -PAM authentication mechanism on a Linux platform. - - -Details -------- - -Prerequisites -------------- - -Successful configuration of the Yubico PAM module to support single factor -authentication for RADIUS requires following prerequisites: - -* Operating System: Any Unix operating system which supports PAM - (Pluggable Authentication Module) - (http://www.kernel.org/pub/linux/libs/pam/) -* Complier : GNU GCC complier (http://gcc.gnu.org/) -* FreeRADIUS: FreeRADIUS Version: 1.1.7 or *later* - (http://freeradius.org/download.html) -* Yubico PAM Module: Yubico PAM Module Version 1.8 - (https://developers.yubico.com/yubico-pam/) - - -Configuration -------------- - -Configuration of FreeRADIUS server to support PAM authentication : ------------------------------------------------------------------- - -* Edit the radiusd configuration file “/etc/raddb/radiusd.conf” to make - following changes: ------- - * Change user and group to “root” to provide the root privileges to - radiusd daemon so that it can call and use pam modules for authentication. - NOTE: Generally, it is not a good security practice to assign root - privileges to a user for a daemon. However, since use of PAM requires root - privileges, this is a mandatory step here. 
- * In “authenticate” section uncomment pam to direct radiusd daemon to use PAM - module for authentication ------- -* Edit the client configuration file “/etc/raddb/clients.conf” ------- - Add sample client for testing ------- -* Edit the user configuration file “/etc/raddb/users” to make following change: ------- - Change "DEFAULT Auth-Type = System" to "DEFAULT Auth-Type = pam" for using - PAM modules for user authentication ------- - -Installation of pam_yubico module : ------------------------------------ -Build instructions for pam_yubico are available in the README. -(https://developers.yubico.com/yubico-pam/) - -Configuration of pam_yubico module : ------------------------------------- -Configuration instructions for pam_yubico are also available in the README. -(https://developers.yubico.com/yubico-pam/) - -_Make sure you set your system up for either central authorization mapping, -or user level mapping, as this will control which users can connect to the -system using RADIUS._ - -Configuration of modified pam_yubico.so module at administrative level : ------------------------------------------------------------------------- - -Append the following line to the beginning of /etc/pam.d/radiusd file: - ------- - auth required pam_yubico.so id=16 debug authfile=/etc/yubikey_mappings ------- - -After the above configuration changes, whenever a user connects to the -server using any RADIUS client, the PAM authentication interface will pass -the control to Yubico PAM module. - -The Yubico PAM module first checks the presence of authfile argument in PAM -configuration. If authfile argument is present, it parses the corresponding -mapping file and verifies the username with corresponding YubiKey PublicID -as configured in the mapping file. - -If valid, the Yubico PAM module extracts the OTP string and sends it to the -Yubico authentication server or else it reports failure. 
If authfile argument -is present but the mapping file is not present at the provided path PAM -module reports failure. After successful verification of OTP Yubico PAM module -from the Yubico authentication server, a success code is returned. - - -User Level : ------------- - -Although, user level configuration of pam_yubico is possible, this might not -be a desired configuration option in case of radisud daemon in most enterprise. - - -Configuration of selinux policy to create exception for radiusd daemon : ------------------------------------------------------------------------ -Local effective selinux policy must be updated to provide sufficient -privileges to radiusd daemon on system resources. Please follow the steps below -to configure effective selinux policy for radiusd daemon: - -* Start the radiusd daemon -* Test the RADIUS authentication with the test case provided in “Testing the - configuration” section below -* As radiusd daemon doesn’t have sufficient selinux privileges to access the - system resources required for using pam modules, the RADIUS authentication - will fail. -* This will create the logs in either “/var/log/messages” or in - “/var/log/audit/audit.log” depending on the selinux configuration. -* We can use audit2allow utility to provide selinux privileges to radiusd by - using following sequence of commands: - ------- - [root@testsrv ~]# audit2allow -m local -l -i /var/log/messages > local.te - - [root@testsrv ~]# checkmodule -M -m -o local.mod local.te - - [root@testsrv ~]# semodule_package -o local.pp -m local.mod - - [root@testsrv ~]# semodule -i local.pp ------- - -For more selinux policy updating information and explanation of above commands -please visit the following website: - - http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - - -Configuration of FreeRADIUS PAM file : --------------------------------------- - -FreeRADIUS server first authorizes presence of user in the configured database -and then authenticates it. 
- -In a single factor YubiKey authentication, we must provide a PAM mechanism to -authorize the presence of user. - -We are using “pam_listfile.so” PAM module to provide a PAM mechanism to -authorize the presence of user. For this, we need to provide a file containing -authorized user names to the “pam_listfile.so” file. This file should contain -user names with only one user name on each line as follows: - -For example: - ------- - paul ------- - -The user_name file must be created/updated manually before configuration of -Yubico PAM module for RADIUS authentication. Once this file is ready, we need -to edit the FreeRADIUS PAM configuration file “/etc/pam.d/radiusd” and replace -its contents with following lines: - ------- - auth sufficient pam_yubico.so id=16 debug authfile=/etc/yubikeyid - account required pam_listfile.so onerr=fail item=user sense=allow file= ------- - - -Test Setup : ------------- - -Our test environment is as follows: - -* Operating System: Fedora release 8 (Werewolf) -* FreeRADIUS Server : FreeRADIUS Version 1.1.7 and Version 2.1.3 -* Yubico PAM: pam_yubico Version 1.8 -* "/etc/pam.d/radiusd" file: - ------- - auth sufficient pam_yubico.so id=16 debug authfile=/etc/yubikeyid - account required pam_listfile.so onerr=fail item=user sense=allow file=/etc/yubicousers ------- - -Testing the configuration : ---------------------------- - -We have tested the pam_yubico configuration on following Linux sever platforms: - -* Fedora 8: ------- - * Operating system: Fedora release 8 (Werewolf) - * FreeRADIUS Server : FreeRADIUS Version 1.1.7 and Version 2.1.3 - * Yubico PAM: pam_yubico Version 1.8 ------- -* Fedora 6: ------- - * Operating system: Fedora Core release 6 (Zod) - * FreeRADIUS Server : FreeRADIUS Version 1.1.7 and Version 2.1.3 - * Yubico PAM: pam_yubico Version 1.8 ------- - -To test the RADIUS single factor authentication with YubiKey, we can use -“radtest” radius client. 
The command is as follows: - ------- - [root@testsrv ~]# radtest {username} \ - {password followed by YubiKey generated OTP} \ - {radius-server}:{radius server port} \ - {nas-port-number} \ - {secret/ppphint/nasname} - - [root@testsrv ~]# radtest test vrkvfefuitvfvgu...ildbdk 127.0.0.1 0 testing123 ------- - - -Note : ------- -The FreeRADIUS server version 1.1.3 seems to have problems regarding memory -management and it may result in Segmentation Fault if configured with Yubico -PAM module. We recommend using FreeRADIUS server version 1.1.7 or above. From 35026da5a5e9045fbb8237f95c83d9ddd8ce42f8 Mon Sep 17 00:00:00 2001 From: Yubi-David Date: Wed, 28 Apr 2021 10:15:56 -0500 Subject: [PATCH 2/4] Delete YubiKey_and_FreeRADIUS_via_PAM.adoc Removing FreeRADIUS documentation --- doc/YubiKey_and_FreeRADIUS_via_PAM.adoc | 189 ------------------------ 1 file changed, 189 deletions(-) delete mode 100644 doc/YubiKey_and_FreeRADIUS_via_PAM.adoc diff --git a/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc b/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc deleted file mode 100644 index 6b960cea..00000000 --- a/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc +++ /dev/null 
@@ -1,189 +0,0 @@ -== Yubico PAM Two-factor configuration guide == - -Step by Step Guide for Configuration of Yubico PAM module to provide Two-factor -legacy Username + password + YubiKey OTP authentication for RADIUS server. - -=== Introduction === -The purpose of this document is to guide readers through the configuration -steps to enable two factor authentication using YubiKey and RADIUS server on -Linux platform. This document assumes that the reader has advance knowledge -and experience in Linux system administration, particularly how to configure -PAM authentication mechanism on a Linux platform. - -Although this configuration guide focuses on configuration of radiusd daemon for -local authentication using the custom database (we have used /etc/passwd), -radiusd can be configured easily to use centralized LDAP database for -authentication or any popular directory service by configuring appropriate PAM -modules in radiusd PAM configuration file. - - -=== Prerequisites === -Successful configuration of the Yubico PAM module to support two factor -authentication for RADIUS requires following prerequisites: - -Operating System:: -Any Unix operating system which supports http://www.kernel.org/pub/linux/libs/pam[PAM] -(Pluggable Authentication Module) - -Complier:: http://gcc.gnu.org[GNU GCC complier] - -http://freeradius.org/download.html[FreeRADIUS]:: Version: 1.1.7 or later - -https://developers.yubico.com/yubico-pam[Yubico PAM Module]:: Version 1.8 - -=== Configuration === -We assume that FreeRADIUS is already installed on the server. - -==== Configuration of FreeRADIUS server to support PAM authentication ==== - -* Edit the radiusd configuration file `/etc/raddb/radiusd.conf` to make - following changes: - - - Change user and group to “root” to provide the root privileges to - radiusd daemon so that it can call and use pam modules for authentication. 
- - - In “authenticate” section uncomment pam to direct radiusd daemon to use PAM - module for authentication - -NOTE: Generally, it is not a good security practice to assign root -privileges to a user for a daemon. However, since use of PAM requires root -privileges, this is a mandatory step here. - -* Add sample client for testing in the client configuration - file `/etc/raddb/clients.conf`. - -* Edit the user configuration file `/etc/raddb/users`, changing - `DEFAULT Auth-Type = System` to `DEFAULT Auth-Type = pam` for using - PAM modules for user authentication. - - -=== Installation of pam_yubico module === - -Build instructions for pam_yubico are available in the README. -(https://developers.yubico.com/yubico-pam/) - - -=== Configuration of pam_yubico module === - -Configuration instructions for pam_yubico are also available in the README. -(https://developers.yubico.com/yubico-pam/) - -NOTE: Make sure you set your system up for either central authorization mapping, -or user level mapping, as this will control which users can connect to the -system using RADIUS. - - -=== Configuration of modified pam_yubico.so module at administrative level === - -Append the following line to the beginning of /etc/pam.d/radiusd file: - - auth required pam_yubico.so id=16 debug authfile=/etc/yubikey_mappings - -After the above configuration changes, whenever a user connects to the -server using any RADIUS client, the PAM authentication interface will pass -the control to Yubico PAM module. - -The Yubico PAM module first checks the presence of authfile argument in PAM -configuration. If authfile argument is present, it parses the corresponding -mapping file and verifies the username with corresponding YubiKey PublicID -as configured in the mapping file. - -If valid, the Yubico PAM module extracts the OTP string and sends it to the -Yubico authentication server or else it reports failure. 
If authfile argument -is present but the mapping file is not present at the provided path PAM -module reports failure. After successful verification of OTP Yubico PAM module -from the Yubico authentication server, a success code is returned. - - -==== User Level ==== - -Although, user level configuration of pam_yubico is possible, this might not -be a desired configuration option in case of radisud daemon in most enterprise. - - -=== Configuration of SElinux policy to create exception for radiusd daemon === -Local effective SElinux policy must be updated to provide sufficient -privileges to radiusd daemon on system resources. Please follow the steps below -to configure effective selinux policy for radiusd daemon: - -* Start the radiusd daemon -* Test the RADIUS authentication with the test case provided in “Testing the - configuration” section below -* As radiusd daemon doesn’t have sufficient selinux privileges to access the - system resources required for using pam modules, the RADIUS authentication - will fail. -* This will create the logs in either “/var/log/messages” or in - “/var/log/audit/audit.log” depending on the selinux configuration. 
-* We can use audit2allow utility to provide selinux privileges to radiusd by - using following sequence of commands: - ----- -[root@testsrv ~]# audit2allow -m local -l -i /var/log/messages > local.te - -[root@testsrv ~]# checkmodule -M -m -o local.mod local.te - -[root@testsrv ~]# semodule_package -o local.pp -m local.mod - -[root@testsrv ~]# semodule -i local.pp ----- - -For more selinux policy updating information and explanation of above commands -please visit the following website: - - http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - - -=== Test Setup === - -Our test environment is as follows: - -[horizontal] -*Operating System*:: Fedora release 8 (Werewolf) -*FreeRADIUS Server*:: Version 1.1.7 -*Yubico PAM*:: Version 1.8 -*/etc/pam.d/radiusd file*:: -+ ----- -auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug -auth include system-auth -account required pam_nologin.so -account include system-auth -password include system-auth -session include system-auth ----- - - -=== Testing the configuration === - -We have tested the pam_yubico configuration on following Linux sever platforms: - -Fedora 8: - -* Operating system: Fedora release 8 (Werewolf) -* FreeRADIUS Server : FreeRADIUS Version 1.1.7 -* Yubico PAM: pam_yubico Version 1.8 - -Fedora 6: - -* Operating system: Fedora Core release 6 (Zod) -* FreeRADIUS Server : FreeRADIUS Version 1.1.7 -* Yubico PAM: pam_yubico Version 1.8 - -To test the RADIUS two factor authentication with YubiKey, we can use -'radtest' radius client. 
The command is as follows: - ----- -[root@testsrv ~]# radtest {username} \ - {password followed by YubiKey generated OTP} \ - {radius-server}:{radius server port} \ - {nas-port-number} \ - {secret/ppphint/nasname} - -[root@testsrv ~]# radtest test test123vrkvit...bekkjc 127.0.0.1 0 testing123 ----- - - -NOTE: -The FreeRADIUS server version 1.1.3 seems to have problems regarding memory -management and it may result in Segmentation Fault if configured with Yubico -PAM module. We recommend using FreeRADIUS server version 1.1.7 or above. From f0269ead8d0239ab31648b58d5440a88ec017730 Mon Sep 17 00:00:00 2001 From: Yubi-David Date: Wed, 28 Apr 2021 10:17:27 -0500 Subject: [PATCH 3/4] Delete YubiKey_and_FreeRADIUS_via_PAM.adoc Removing FreeRADIUS documentation --- doc/YubiKey_and_FreeRADIUS_via_PAM.adoc | 189 ------------------------ 1 file changed, 189 deletions(-) delete mode 100644 doc/YubiKey_and_FreeRADIUS_via_PAM.adoc diff --git a/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc b/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc deleted file mode 100644 index 6b960cea..00000000 --- a/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc +++ /dev/null 
@@ -1,189 +0,0 @@ -== Yubico PAM Two-factor configuration guide == - -Step by Step Guide for Configuration of Yubico PAM module to provide Two-factor -legacy Username + password + YubiKey OTP authentication for RADIUS server. - -=== Introduction === -The purpose of this document is to guide readers through the configuration -steps to enable two factor authentication using YubiKey and RADIUS server on -Linux platform. This document assumes that the reader has advance knowledge -and experience in Linux system administration, particularly how to configure -PAM authentication mechanism on a Linux platform. - -Although this configuration guide focuses on configuration of radiusd daemon for -local authentication using the custom database (we have used /etc/passwd), -radiusd can be configured easily to use centralized LDAP database for -authentication or any popular directory service by configuring appropriate PAM -modules in radiusd PAM configuration file. - - -=== Prerequisites === -Successful configuration of the Yubico PAM module to support two factor -authentication for RADIUS requires following prerequisites: - -Operating System:: -Any Unix operating system which supports http://www.kernel.org/pub/linux/libs/pam[PAM] -(Pluggable Authentication Module) - -Complier:: http://gcc.gnu.org[GNU GCC complier] - -http://freeradius.org/download.html[FreeRADIUS]:: Version: 1.1.7 or later - -https://developers.yubico.com/yubico-pam[Yubico PAM Module]:: Version 1.8 - -=== Configuration === -We assume that FreeRADIUS is already installed on the server. - -==== Configuration of FreeRADIUS server to support PAM authentication ==== - -* Edit the radiusd configuration file `/etc/raddb/radiusd.conf` to make - following changes: - - - Change user and group to “root” to provide the root privileges to - radiusd daemon so that it can call and use pam modules for authentication. 
- - - In “authenticate” section uncomment pam to direct radiusd daemon to use PAM - module for authentication - -NOTE: Generally, it is not a good security practice to assign root -privileges to a user for a daemon. However, since use of PAM requires root -privileges, this is a mandatory step here. - -* Add sample client for testing in the client configuration - file `/etc/raddb/clients.conf`. - -* Edit the user configuration file `/etc/raddb/users`, changing - `DEFAULT Auth-Type = System` to `DEFAULT Auth-Type = pam` for using - PAM modules for user authentication. - - -=== Installation of pam_yubico module === - -Build instructions for pam_yubico are available in the README. -(https://developers.yubico.com/yubico-pam/) - - -=== Configuration of pam_yubico module === - -Configuration instructions for pam_yubico are also available in the README. -(https://developers.yubico.com/yubico-pam/) - -NOTE: Make sure you set your system up for either central authorization mapping, -or user level mapping, as this will control which users can connect to the -system using RADIUS. - - -=== Configuration of modified pam_yubico.so module at administrative level === - -Append the following line to the beginning of /etc/pam.d/radiusd file: - - auth required pam_yubico.so id=16 debug authfile=/etc/yubikey_mappings - -After the above configuration changes, whenever a user connects to the -server using any RADIUS client, the PAM authentication interface will pass -the control to Yubico PAM module. - -The Yubico PAM module first checks the presence of authfile argument in PAM -configuration. If authfile argument is present, it parses the corresponding -mapping file and verifies the username with corresponding YubiKey PublicID -as configured in the mapping file. - -If valid, the Yubico PAM module extracts the OTP string and sends it to the -Yubico authentication server or else it reports failure. 
If authfile argument -is present but the mapping file is not present at the provided path PAM -module reports failure. After successful verification of OTP Yubico PAM module -from the Yubico authentication server, a success code is returned. - - -==== User Level ==== - -Although, user level configuration of pam_yubico is possible, this might not -be a desired configuration option in case of radisud daemon in most enterprise. - - -=== Configuration of SElinux policy to create exception for radiusd daemon === -Local effective SElinux policy must be updated to provide sufficient -privileges to radiusd daemon on system resources. Please follow the steps below -to configure effective selinux policy for radiusd daemon: - -* Start the radiusd daemon -* Test the RADIUS authentication with the test case provided in “Testing the - configuration” section below -* As radiusd daemon doesn’t have sufficient selinux privileges to access the - system resources required for using pam modules, the RADIUS authentication - will fail. -* This will create the logs in either “/var/log/messages” or in - “/var/log/audit/audit.log” depending on the selinux configuration. 
-* We can use audit2allow utility to provide selinux privileges to radiusd by - using following sequence of commands: - ----- -[root@testsrv ~]# audit2allow -m local -l -i /var/log/messages > local.te - -[root@testsrv ~]# checkmodule -M -m -o local.mod local.te - -[root@testsrv ~]# semodule_package -o local.pp -m local.mod - -[root@testsrv ~]# semodule -i local.pp ----- - -For more selinux policy updating information and explanation of above commands -please visit the following website: - - http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - - -=== Test Setup === - -Our test environment is as follows: - -[horizontal] -*Operating System*:: Fedora release 8 (Werewolf) -*FreeRADIUS Server*:: Version 1.1.7 -*Yubico PAM*:: Version 1.8 -*/etc/pam.d/radiusd file*:: -+ ----- -auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug -auth include system-auth -account required pam_nologin.so -account include system-auth -password include system-auth -session include system-auth ----- - - -=== Testing the configuration === - -We have tested the pam_yubico configuration on following Linux sever platforms: - -Fedora 8: - -* Operating system: Fedora release 8 (Werewolf) -* FreeRADIUS Server : FreeRADIUS Version 1.1.7 -* Yubico PAM: pam_yubico Version 1.8 - -Fedora 6: - -* Operating system: Fedora Core release 6 (Zod) -* FreeRADIUS Server : FreeRADIUS Version 1.1.7 -* Yubico PAM: pam_yubico Version 1.8 - -To test the RADIUS two factor authentication with YubiKey, we can use -'radtest' radius client. 
The command is as follows: - ----- -[root@testsrv ~]# radtest {username} \ - {password followed by YubiKey generated OTP} \ - {radius-server}:{radius server port} \ - {nas-port-number} \ - {secret/ppphint/nasname} - -[root@testsrv ~]# radtest test test123vrkvit...bekkjc 127.0.0.1 0 testing123 ----- - - -NOTE: -The FreeRADIUS server version 1.1.3 seems to have problems regarding memory -management and it may result in Segmentation Fault if configured with Yubico -PAM module. We recommend using FreeRADIUS server version 1.1.7 or above. From d116f8f141f99313ef608ba35a573bfc586a3841 Mon Sep 17 00:00:00 2001 From: Yubi-David Date: Wed, 28 Apr 2021 10:22:08 -0500 Subject: [PATCH 4/4] Delete Ubuntu_FreeRadius_YubiKey.adoc Removing FreeRADIUS documentation --- doc/Ubuntu_FreeRadius_YubiKey.adoc | 278 ----------------------------- 1 file changed, 278 deletions(-) delete mode 100644 doc/Ubuntu_FreeRadius_YubiKey.adoc diff --git a/doc/Ubuntu_FreeRadius_YubiKey.adoc b/doc/Ubuntu_FreeRadius_YubiKey.adoc deleted file mode 100644 index ade47a6e..00000000 --- a/doc/Ubuntu_FreeRadius_YubiKey.adoc +++ /dev/null 
@@ -1,278 +0,0 @@ -Ubuntu FreeRadius YubiKey -------------------------- - -Create and login to a fresh Ubuntu 10.04 LTS machine: - ------- -vmbuilder kvm ubuntu \ - --dest /var/lib/libvirt/images/freeradius \ - --proxy http://192.168.1.2/ubuntu \ - --rootsize 10000 \ - --mem 600 \ - --suite lucid \ - --flavour virtual \ - --addpkg unattended-upgrades \ - --addpkg openssh-server \ - --addpkg avahi-daemon \ - --addpkg acpid \ - --ssh-key /root/.ssh/authorized_keys \ - --libvirt qemu:///system \ - --hostname freeradius \ - --bridge br0 \ - --debug -ssh -l root freeradius.local ------- - -Install and configure software : --------------------------------- - ------- - apt-get install build-essential wget - apt-get install libpam0g-dev libykclient3 libykclient-dev ------- - -Install PAM module: - ------- - wget http://yubico-pam.googlecode.com/files/pam_yubico-2.4.tar.gz - tar xfz pam_yubico-2.4.tar.gz - cd pam_yubico-2.4 - ./configure - make check install - ln -s /usr/local/lib/security/pam_yubico.so /lib/security/ ------- - -Setup PAM debug log file: - ------- - touch /var/run/pam-debug.log - chmod go+w /var/run/pam-debug.log - tail -F /var/run/pam-debug.log & ------- - -Install FreeRadius: - ------- - apt-get install freeradius - /etc/init.d/freeradius stop ------- - -Next we configure FreeRadius. First add this to /etc/freeradius/users: - ------- - DEFAULT Auth-Type = pam ------- - -Then comment out 'pap' and uncomment 'pam' from -/etc/freeradius/sites-available/default. - -Add to the top of /etc/pam.d/radiusd: - ------- - auth sufficient pam_yubico.so id=1 debug authfile=/etc/yubikey_mapping ------- - -If you want to use HMAC signing, specify the 'key=' field too, like this: - ------- - auth sufficient pam_yubico.so id=1 key=b64foo debug authfile=/etc/yubikey_mapping ------- - -Create a file /etc/yubikey_mapping (ccccccccltnc is Alice's YubiKey's public ID) : - ------- - alice:ccccccccltnc ------- - -Create a Unix account 'alice': XXX should not be necessary? 
- ------- - adduser --disabled-password alice ------- - -Just press RET and finally 'y RET' on the prompts. - -Start radiusd: - ------- - LD_PRELOAD=/lib/libpam.so.0 freeradius -X ------- - - -Testing authentication : ------------------------- - -Confirm that it works with radtest (use a real OTP from Alice's YubiKey) : - ------- - radtest alice ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef 127.0.0.1 0 testing123 ------- - -Output should be like this: - ------- -Sending Access-Request of id 69 to 127.0.0.1 port 1812 - User-Name = "alice" - User-Password = "ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef" - NAS-IP-Address = 127.0.1.1 - NAS-Port = 0 -rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=69, length=20 ------- - -PAM debug output should be like this: - ------- -[pam_yubico.c:parse_cfg(404)] called. -[pam_yubico.c:parse_cfg(405)] flags 0 argc 3 -[pam_yubico.c:parse_cfg(407)] argv[0]=id=1 -[pam_yubico.c:parse_cfg(407)] argv[1]=debug -[pam_yubico.c:parse_cfg(407)] argv[2]=authfile=/etc/yubikey_mapping -[pam_yubico.c:parse_cfg(408)] id=1 -[pam_yubico.c:parse_cfg(409)] key=(null) -[pam_yubico.c:parse_cfg(410)] debug=1 -[pam_yubico.c:parse_cfg(411)] alwaysok=0 -[pam_yubico.c:parse_cfg(412)] verbose_otp=0 -[pam_yubico.c:parse_cfg(413)] try_first_pass=0 -[pam_yubico.c:parse_cfg(414)] use_first_pass=0 -[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mapping -[pam_yubico.c:parse_cfg(416)] ldapserver=(null) -[pam_yubico.c:parse_cfg(417)] ldap_uri=(null) -[pam_yubico.c:parse_cfg(418)] ldapdn=(null) -[pam_yubico.c:parse_cfg(419)] user_attr=(null) -[pam_yubico.c:parse_cfg(420)] yubi_attr=(null) -[pam_yubico.c:pam_sm_authenticate(452)] get user returned: alice -[pam_yubico.c:pam_sm_authenticate(542)] conv returned: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef -[pam_yubico.c:pam_sm_authenticate(558)] OTP: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef ID: ccccccccltnc -[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (0): Success 
-[pam_yubico.c:check_user_token(117)] Authorization line: alice:ccccccccltnc -[pam_yubico.c:check_user_token(121)] Matched user: alice -[pam_yubico.c:check_user_token(125)] Authorization token: ccccccccltnc -[pam_yubico.c:check_user_token(128)] Match user/token as alice/ccccccccltnc -[pam_yubico.c:pam_sm_authenticate(625)] done. [Success] ------- - -FreeRadius debug output should be like this: - ------- -rad_recv: Access-Request packet from host 127.0.0.1 port 38575, id=69, length=89 - User-Name = "alice" - User-Password = "ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef" - NAS-IP-Address = 127.0.1.1 - NAS-Port = 0 -+- entering group authorize {...} -++[preprocess] returns ok -++[chap] returns noop -++[mschap] returns noop -[suffix] No '@' in User-Name = "alice", looking up realm NULL -[suffix] No such realm "NULL" -++[suffix] returns noop -[eap] No EAP-Message, not doing EAP -++[eap] returns noop -[files] users: Matched entry DEFAULT at line 204 -++[files] returns ok -++[expiration] returns noop -++[logintime] returns noop -Found Auth-Type = PAM -+- entering group authenticate {...} -pam_pass: using pamauth string for pam.conf lookup -pam_pass: authentication succeeded for -++[pam] returns ok -+- entering group post-auth {...} -++[exec] returns noop -Sending Access-Accept of id 69 to 127.0.0.1 port 38575 -Finished request 0. -Going to the next request -Waking up in 4.9 seconds. -Cleaning up request 0 ID 69 with timestamp +17 -Ready to process requests. 
------- - -Testing a OTP replay : ----------------------- - -Run the command again, with the _same_ OTP : - ------- -radtest alice ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef 127.0.0.1 0 testing123 ------- - -Then output should be like this, since the OTP was replayed: - ------- -Sending Access-Request of id 32 to 127.0.0.1 port 1812 - User-Name = "alice" - User-Password = "ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef" - NAS-IP-Address = 127.0.1.1 - NAS-Port = 0 -rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=32, length=20 ------- - -PAM debug log: - ------- -[pam_yubico.c:parse_cfg(404)] called. -[pam_yubico.c:parse_cfg(405)] flags 0 argc 3 -[pam_yubico.c:parse_cfg(407)] argv[0]=id=1 -[pam_yubico.c:parse_cfg(407)] argv[1]=debug -[pam_yubico.c:parse_cfg(407)] argv[2]=authfile=/etc/yubikey_mapping -[pam_yubico.c:parse_cfg(408)] id=1 -[pam_yubico.c:parse_cfg(409)] key=(null) -[pam_yubico.c:parse_cfg(410)] debug=1 -[pam_yubico.c:parse_cfg(411)] alwaysok=0 -[pam_yubico.c:parse_cfg(412)] verbose_otp=0 -[pam_yubico.c:parse_cfg(413)] try_first_pass=0 -[pam_yubico.c:parse_cfg(414)] use_first_pass=0 -[pam_yubico.c:parse_cfg(415)] authfile=/etc/yubikey_mapping -[pam_yubico.c:parse_cfg(416)] ldapserver=(null) -[pam_yubico.c:parse_cfg(417)] ldap_uri=(null) -[pam_yubico.c:parse_cfg(418)] ldapdn=(null) -[pam_yubico.c:parse_cfg(419)] user_attr=(null) -[pam_yubico.c:parse_cfg(420)] yubi_attr=(null) -[pam_yubico.c:pam_sm_authenticate(452)] get user returned: alice -[pam_yubico.c:pam_sm_authenticate(542)] conv returned: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef -[pam_yubico.c:pam_sm_authenticate(558)] OTP: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef ID: ccccccccltnc -[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (2): YubiKey OTP was replayed (REPLAYED_OTP) -[pam_yubico.c:pam_sm_authenticate(625)] done. 
[Authentication failure] ------- - -FreeRadius debug log: - ------- -rad_recv: Access-Request packet from host 127.0.0.1 port 55170, id=32, length=89 - User-Name = "alice" - User-Password = "ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef" - NAS-IP-Address = 127.0.1.1 - NAS-Port = 0 -+- entering group authorize {...} -++[preprocess] returns ok -++[chap] returns noop -++[mschap] returns noop -[suffix] No '@' in User-Name = "alice", looking up realm NULL -[suffix] No such realm "NULL" -++[suffix] returns noop -[eap] No EAP-Message, not doing EAP -++[eap] returns noop -[files] users: Matched entry DEFAULT at line 204 -++[files] returns ok -++[expiration] returns noop -++[logintime] returns noop -Found Auth-Type = PAM -+- entering group authenticate {...} -pam_pass: using pamauth string for pam.conf lookup -pam_pass: function pam_authenticate FAILED for . Reason: Permission denied -++[pam] returns reject -Failed to authenticate the user. -Using Post-Auth-Type Reject -+- entering group REJECT {...} -[attr_filter.access_reject] expand: %{User-Name} -> alice - attr_filter: Matched entry DEFAULT at line 11 -++[attr_filter.access_reject] returns updated -Delaying reject of request 1 for 1 seconds -Going to the next request -Waking up in 0.5 seconds. -Sending delayed reject for request 1 -Sending Access-Reject of id 32 to 127.0.0.1 port 55170 -Waking up in 4.9 seconds. -Cleaning up request 1 ID 32 with timestamp +66 -Ready to process requests. -------
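Review bot: The commit message for PATCH 1/4 ("Removing FreeRADIUS documentation") gives no reason for dropping doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc, and the deleted hunk is the only place in this series that records the single-factor PAM stack (`auth sufficient pam_yubico.so id=16 debug authfile=/etc/yubikeyid` plus `account required pam_listfile.so onerr=fail item=user sense=allow file=`) and the audit2allow/checkmodule/semodule_package/semodule sequence for the radiusd SELinux exception. If the guide is being removed because it is obsolete (it targets FreeRADIUS 1.1.7, Fedora 8 and pam_yubico 1.8, and tells the reader to run radiusd as root), the message should say so and point to where current FreeRADIUS guidance lives; if no replacement exists, a deprecation banner at the top of the file would preserve the root-privilege NOTE and the SELinux steps for readers who still run this setup. Any README or doc index that links to this file should be updated in the same series.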
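Review bot: PATCH 2/4 deletes doc/YubiKey_and_FreeRADIUS_via_PAM.adoc (index 6b960cea..00000000) with the same one-line message as PATCH 1/4 and no rationale; this is the two-factor variant (password + OTP through `auth include system-auth`) and carries the explicit NOTE that giving radiusd root privileges is "not a good security practice", so its removal drops the only written caveat about that configuration. Suggest stating in the message that the guide is outdated (FreeRADIUS 1.1.7, Fedora 6/8, pam_yubico 1.8) and naming the replacement, and checking that nothing else in doc/ references the 1FA and 2FA files before they go.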
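Review bot: PATCH 3/4 is a duplicate of PATCH 2/4: same subject, same path doc/YubiKey_and_FreeRADIUS_via_PAM.adoc, same `index 6b960cea..00000000`, same `@@ -1,189 +0,0 @@` hunk with identical content. Once 2/4 is applied the file no longer exists, so 3/4 cannot apply (`git am` will fail on a deletion of a missing file). Drop 3/4 from the series, or squash the whole series into a single "Remove outdated FreeRADIUS documentation" commit that carries the rationale once.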
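Review bot: PATCH 4/4 removes doc/Ubuntu_FreeRadius_YubiKey.adoc without saying why; the hunk is plainly dated (Ubuntu 10.04 LTS via vmbuilder, pam_yubico 2.4 fetched from googlecode, `LD_PRELOAD=/lib/libpam.so.0 freeradius -X`, an unresolved "XXX should not be necessary?" about the adduser step), which is a good reason, but it is also the only guide in the series that documents the OTP replay test (second `radtest` with the same OTP yielding `Access-Reject` and `ykclient return value (2): YubiKey OTP was replayed (REPLAYED_OTP)` in the PAM debug log). That replay check is worth keeping somewhere as a validation step for any pam_yubico deployment, so the commit message should either name the document that now covers it or note that it is being dropped deliberately. As with 1/4 and 2/4, confirm no index or README still links to the deleted file.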