Configure sudo on Centos/RHEL for two-factor authentication

We will start on RHEL/Centos 7.   Install the pre-requisites:

sudo yum -y install make gcc pam pam-devel

Get the latest PAM RADIUS code (1.4 as of this writing):

wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz

Build the library:

tar -xzvf pam-radius-x.x.x.tar.gz
cd pam-radius-x.x.x
sudo ./configure
sudo make

Copy the library to the proper location:

cp pam_radius_auth.so /lib/security/

Or for 64bit:

cp pam_radius_auth.so /lib64/security/

Create the configuration directory and copy the configuration file under the name ‘server’:

sudo mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server

Edit /etc/raddb/server and add your radius server IP and the shared secret to this file.

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
radius_server_IP    secret             3
#
# having localhost in your radius configuration is a Good Thing.

(Note that while we want the radius in the loop eventually, you can also user your WiKID server as the radius server, add this Centos box as a network client on WiKID, restart WiKID and be done or at least you can test this way.  It’s always a good idea to do some small tests along the way, just be sure to remove them.)

Next, we need to tell sudo to use radius.  Edit the file /etc/pam.d/sudo and replace “auth       include      system-auth” with:

auth       required      pam_radius_auth.so

That’s it for the Centos/RHEL 7 box.  The same setup work for 5 and 6 too.

Configure sudo on Ubuntu for two-factor authentication

Next up is the Ubuntu 14.04 server.  First, install pam-radius:

sudo apt-get install libpam-radius-auth

Configure it with the NPS server as well by editing /etc/pam_radius_auth.conf.  So that it is the same as above:

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
radius_server_IP   secret             3
#
# having localhost in your radius configuration is a Good Thing.

Edit your /etc/pam.d/sudo file and add the line ‘ auth sufficient pam_radius_auth.so’ above the comm-auth line:

auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth sufficient pam_radius_auth.so
@include common-auth
@include common-account
@include common-session-noninteractive

That’s is for the Ubuntu server.

Now, anytime an admin attempts to use sudo, they must enter their one-time passcode.   PAM will forward the username and OTP to your radius server or your WiKID server for validation.

Leave a Reply

Your email address will not be published. Required fields are marked *