How to configure sudo for two-factor authentication

Bare Metal Servers and Cloud Server Hosting

InetServices offers both Windows and Linux bare metal server hosting, and cloud server hosting for any small to medium size business. We also offer both PCI and HIPAA Compliant servers allowing you to achieve PCI or HIPAA Compliance without all the worries of figuring it out. InetServices offers much more than just dedicated servers and cloud servers, we offer you a complete solution to your hosting needs including Big Data, Disaster Recovery, and High Availability services.

Configure sudo on Centos/RHEL for two-factor authentication

We will start on RHEL/Centos 7. Install the pre-requisites:

sudo yum -y install make gcc pam pam-devel

Get the latest PAM RADIUS code (1.4 as of this writing):

wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz

Build the library:

tar -xzvf pam-radius-x.x.x.tar.gz
cd pam-radius-x.x.x
sudo ./configure
sudo make

Copy the library to the proper location:

cp pam_radius_auth.so /lib/security/

Or for 64bit:

cp pam_radius_auth.so /lib64/security/

Create the configuration directory and copy the configuration file under the name ‘server’:

sudo mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server

Edit /etc/raddb/server and add your radius server IP and the shared secret to this file.

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
radius_server_IP    secret             3
#
# having localhost in your radius configuration is a Good Thing.

(Note that while we want the radius in the loop eventually, you can also user your WiKID server as the radius server, add this Centos box as a network client on WiKID, restart WiKID and be done or at least you can test this way. It’s always a good idea to do some small tests along the way, just be sure to remove them.)

Next, we need to tell sudo to use radius. Edit the file /etc/pam.d/sudo and replace “auth include system-auth” with:

auth       required      pam_radius_auth.so

That’s it for the Centos/RHEL 7 box. The same setup work for 5 and 6 too.

Configure sudo on Ubuntu for two-factor authentication

Next up is the Ubuntu 14.04 server. First, install pam-radius:

sudo apt-get install libpam-radius-auth

Configure it with the NPS server as well by editing /etc/pam_radius_auth.conf. So that it is the same as above:

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
radius_server_IP   secret             3
#
# having localhost in your radius configuration is a Good Thing.

Edit your /etc/pam.d/sudo file and add the line ‘ auth sufficient pam_radius_auth.so’ above the comm-auth line:

auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth sufficient pam_radius_auth.so
@include common-auth
@include common-account
@include common-session-noninteractive

That’s is for the Ubuntu server.

Now, anytime an admin attempts to use sudo, they must enter their one-time passcode. PAM will forward the username and OTP to your radius server or your WiKID server for validation.

Bare Metal Servers and Cloud Server Hosting

How to configure sudo for two-factor authentication
Home / Linux / How to configure sudo for two-factor authentication

Configure sudo on Centos/RHEL for two-factor authentication

Configure sudo on Ubuntu for two-factor authentication

Leave a Reply Cancel reply