DualShield for Implementation Guide (Version 5.4)

Copyright 2012 Deepnet Security Limited

Copyright 2012, Deepnet Security. All Rights Reserved. Page 1
Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID, SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp are trademarks of Deepnet Security Limited. All other brand names and product names are trademarks or registered trademarks of their respective owners.

Copyrights

Under international copyright law, neither the Deepnet Security software nor its documentation may be copied, reproduced, translated or reduced to any electronic medium or machine-readable form, in whole or in part, without the prior written consent of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you understand the exact terms of usage, in particular for which projects, on which platforms and at which sites you are allowed to use the product. You are not allowed to make any modifications to the product. If you feel the need for any modifications, please contact Deepnet Security.

Disclaimer

This document is provided as is without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the document. Deepnet Security may make improvements of and/or changes to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security products, you are always welcome to contact us.

Deepnet Security Limited
Northway House
1379 High Road
London N20 9LP
United Kingdom

Tel: +44(0)20 8343 9663
Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com
Table of Contents

Overview ... 4
RedHat Fedora - CentOS ... 5
    Installation ... 5
    Configuration ... 5
Ubuntu ... 6
    Installation ... 6
    Configuration ... 6
Compile & Install module manually ... 7
Troubleshooting ... 8
Overview

DualShield can be easily added to any Linux and Unix system to protect remote or local logins with two-factor authentication via the module. Due to limitations of the RADIUS authentication protocol, only one-time password (OTP) based authentication methods are supported.

DualShield provides a wide selection of portable OTP tokens in a variety of form factors, ranging from hardware tokens, software tokens and mobile tokens to USB tokens. These include:

Deepnet SafeID
Deepnet MobileID
Deepnet GridID
Deepnet CryptoKey
RSA SecurID
VASCO DigiPass Go
OATH-compliant OTP tokens

In addition to one-time passwords, DualShield also supports on-demand passwords for VPN authentication. The product that provides on-demand passwords in the DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less strong authentication solution that delivers logon passwords via SMS text messages, phone calls, Twitter direct messages or email messages.

The complete solution consists of the following components:

DualShield Authentication Server
DualShield Radius Server
pam_radius_auth module

For general installation and configuration instructions for the DualShield Authentication Server, please refer to the following documents:

DualShield Unified Authentication Platform Installation Guide
DualShield Unified Authentication Platform Quick Start Guide
DualShield Unified Authentication Platform Administration Guide

For general installation and configuration instructions for the DualShield RADIUS Server, please refer to the following document:

VPN & RADIUS - Implementation Guide
RedHat Fedora - CentOS

Installation

To install the module on RedHat, Fedora or CentOS, run the command below:

$ sudo yum install pam_radius

Configuration

Once the module has been successfully installed, you will need to edit the file /etc/pam_radius.conf:

$ sudo vi /etc/pam_radius.conf

Modify the line below:

other-server other-secret 3

Change other-server to the IP address of your DualShield RADIUS server and other-secret to the shared secret. The third field is the number of seconds the module waits for a reply from that server before treating it as failed. Because the file holds the shared secret in clear text, it should be owned by root and readable by root only (mode 0600).

Now the configuration of the module is done.

To enable the module for an application, you need to edit the corresponding configuration file in the /etc/pam.d directory. For example, to protect the GDM (GNOME Display Manager) GUI login, you need to edit the file /etc/pam.d/gdm-password; to protect the SSH login, you need to edit the file /etc/pam.d/sshd.

1. Open the configuration file /etc/pam.d/gdm-password or /etc/pam.d/sshd in a text editor.

2. Locate the line below:

auth substack password-auth

3. Insert the line below immediately before it:

auth sufficient pam_radius_auth.so

i.e.

auth sufficient pam_radius_auth.so
auth substack password-auth

The control flag sufficient means that a successful RADIUS authentication satisfies the auth stack by itself; if the RADIUS server rejects the user or does not answer within the timeout, PAM continues with the password-auth substack that follows.
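A sanity check for the edited configuration file, added here as an example and not part of the Deepnet guide: it reads each server line in the form server[:port] shared_secret timeout, flags the placeholder values other-server and other-secret when they were left unchanged, rejects a non-numeric timeout, and warns when the file is readable by group or others. The file path is passed in by the caller; it works for /etc/pam_radius.conf (RedHat) and /etc/pam_radius_auth.conf (Ubuntu) alike.

```shell
#!/bin/sh
# Added example, not part of the Deepnet guide: sanity-check a pam_radius
# configuration file before relying on it for logins.
# Each non-comment line has the form: server[:port] shared_secret [timeout]

# check_pam_radius_conf FILE
# Prints one line per problem found and returns the number of problems
# (0 means no problem was detected).
check_pam_radius_conf() {
    f=$1
    problems=0
    [ -r "$f" ] || { echo "$f: cannot read file"; return 1; }
    # The shared secret is stored in clear text: group/other bits must be empty.
    case $(ls -ld "$f" | cut -c5-10) in
        ------) ;;
        *) echo "$f: readable by group or others, use chmod 0600"
           problems=$((problems + 1)) ;;
    esac
    servers=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|\#*) continue ;; esac   # skip blank lines and comments
        set -- $line
        [ $# -gt 0 ] || continue                 # whitespace-only line
        servers=$((servers + 1))
        if [ "$1" = other-server ]; then
            echo "$1: placeholder server name left unchanged"
            problems=$((problems + 1))
        fi
        case ${2:-} in
            '') echo "$1: no shared secret"; problems=$((problems + 1)) ;;
            other-secret) echo "$1: placeholder secret left unchanged"
                          problems=$((problems + 1)) ;;
        esac
        # The module waits this many seconds for a reply (3 when omitted).
        case ${3:-3} in
            ''|*[!0-9]*) echo "$1: timeout '$3' is not a number"
                         problems=$((problems + 1)) ;;
        esac
    done < "$f"
    [ "$servers" -gt 0 ] || { echo "$f: no server line"; problems=$((problems + 1)); }
    return $problems
}
```

Run it as check_pam_radius_conf /etc/pam_radius.conf after editing; a non-zero exit status means at least one finding was printed.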
Ubuntu

Installation

To install the module on Ubuntu, run the command below:

$ sudo apt-get install libpam-radius-auth

Configuration

Once the module has been successfully installed, you will need to edit the file /etc/pam_radius_auth.conf:

$ sudo vim /etc/pam_radius_auth.conf

Change other-server to the IP address of your DualShield RADIUS server and other-secret to the shared secret. As the file holds the shared secret in clear text, keep it readable by root only (mode 0600).

Now the configuration of the module is done.

To enable the module for an application, you need to edit the corresponding configuration file in the /etc/pam.d directory. For example, to protect the GDM (GNOME Display Manager) GUI login, you need to edit the file /etc/pam.d/gdm-password; to protect the SSH login, you need to edit the file /etc/pam.d/sshd.

1. Open the configuration file /etc/pam.d/gdm-password or /etc/pam.d/sshd in a text editor.

2. Locate the lines below:

# Standard Un*x authentication.
@include common-auth

3. Insert the line below immediately before them:

auth sufficient pam_radius_auth.so

i.e.

auth sufficient pam_radius_auth.so
# Standard Un*x authentication.
@include common-auth

With the sufficient flag, a successful RADIUS authentication satisfies the auth stack on its own; a rejection or timeout from the RADIUS server lets PAM continue with the common-auth modules included after it.
Compile & Install module manually

If you have to manually compile the module for your Linux or Unix system, follow the instructions below:

1. Download

Download the latest source code from http://freeradius.org/pam_radius_auth/

2. Build

Extract and build it:

$ tar -zxvf pam_radius-1.3.17.tar.gz
$ cd pam_radius-1.3.17
$ make

3. Install

Copy pam_radius_auth.so to /lib/security/pam_radius_auth.so, or to /lib64/security/pam_radius_auth.so if you are using 64-bit Linux:

$ sudo cp pam_radius_auth.so /lib/security/

4. Configuration

The configuration of the module is similar on all Linux distributions. Please refer to the previous examples.
Troubleshooting

1. If SELinux is enforcing, with some old SELinux versions, when you enable pam_radius_auth for SSH login, SELinux may block sshd from binding a UDP port (see https://bugzilla.redhat.com/show_bug.cgi?id=647043). To work around it, create a file named mysshd.te with the content below:

policy_module(mysshd, 1.0)

gen_require(`
    type sshd_t;
')

corenet_udp_bind_all_unreserved_ports(sshd_t)

Then execute the following commands to build and load the policy module:

$ make -f /usr/share/selinux/devel/Makefile
$ sudo semodule -i mysshd.pp

2. Checking the log file is always helpful:

$ sudo tail -f /var/log/auth.log

or

$ sudo tail -f /var/log/messages

3. You can also enable the debug log for pam_radius_auth.so, for example:

auth sufficient pam_radius_auth.so debug

4. It is possible to use a different configuration file for pam_radius_auth.so, e.g.

auth sufficient pam_radius_auth.so debug conf=/etc/raddb/server