Distribution: Centos 7 x86_64 , Rocky Linux 8 (aarch64)
Posts: 196
Rep:
two factor authentication
Hi,
We have around 150 Solaris and Linux servers in two remote datacenters.
Mostly we work by using ssh via a site-to-site VPN connection. To secure it more, and also as a requirement for our audit, we need to configure two-factor authentication in order to access our servers.
Is there any other/better software-based solution to implement two-factor authentication?
Looking forward to your valuable opinions.
That's a good solution, and I've used it before, but why would you need to? If you've got site-to-site VPN with any kind of decent security, that's pretty secure as is. I could perhaps see changing SSH ports to something other than 22, longer VPN passwords, etc., but c'mon. If this is on your internal network, which a VPN is essentially, it sounds like the auditors are trying to make themselves look valuable.
We are in the Payment Card Industry and two-factor authentication is a requirement for the PCI audit.
I have installed WiKID community edition but am now stuck on client authentication.
What problem are you having? I'm more than happy to help out. Is your issue with the token client, or with configuring your boxes to talk to the WiKID server?
Hi nickowen,
Thanks for your reply. Currently we are looking at its community version, but we are planning to purchase the commercial version. I would highly appreciate it if you would help me in this regard. So far I have installed the authentication server but am not able to authenticate a client from it. For testing I am trying to authenticate a Windows XP box from it through the token client.
OK. You can test to see if your WiKID software token is working by trying to add this domain server code: 888888888888 (under Actions, Create New Domain). If you get a PIN prompt, then it should be working.
If it is, then it is probably an error on your server. What domain code do you have? It should be the zero-padded ip address of your server. So, 10.100.0.200 becomes 010100000200. The token needs to be able to route to the server over port 80. (we use public key encryption, so no need for SSL.)
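As an added illustration (not code from nickowen's post or from WiKID itself), here is a small Python helper that derives the zero-padded domain server code from an IPv4 address and decodes one back, validating both directions so a mistyped code like the one in this thread is caught early:

```python
import ipaddress


def wikid_domain_code(ip: str) -> str:
    """Return the 12-digit WiKID domain server code for an IPv4 address:
    each octet zero-padded to three digits, e.g. 10.100.0.200 -> 010100000200."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError for anything that is not IPv4
    return "".join(f"{octet:03d}" for octet in addr.packed)


def domain_code_to_ip(code: str) -> str:
    """Inverse of wikid_domain_code: recover the dotted address from a domain code.
    Rejects codes that are not exactly 12 digits or whose octets exceed 255."""
    if len(code) != 12 or not code.isdigit():
        raise ValueError(f"domain code must be 12 digits, got {code!r}")
    octets = [int(code[i:i + 3]) for i in range(0, 12, 3)]
    # bytes() raises ValueError if any octet is outside 0..255
    return str(ipaddress.IPv4Address(bytes(octets)))


if __name__ == "__main__":
    print(wikid_domain_code("10.100.0.200"))       # 010100000200
    print(domain_code_to_ip("192168150110"))       # 192.168.150.110
```

The 888888888888 test code mentioned above is deliberately not a routable address, so the decoder rejects it rather than mapping it to a server.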
Thanks nickowen , for your valuable help.
I am able to connect by following your instructions; in fact, earlier I was entering the wrong domain code.
Now the token client is able to connect, and at the next screen it gives me a passcode and a timer counting down from 30 seconds, as in the annexed picture. So what is the next step to add the client for authentication? How can I use this passcode?
Great. We added a little test page to the server just for this purpose:
It is in /opt/WiKID/tomcat/webapps/WiKIDAdmin/ (as described). Change the default domain server code and the localhost passphrase and browse to the page, which is protected by the WiKIDAdmin creds. You should see html for registering/adding a token, authenticating an OTP, etc.
(This page demos all the functionality of the wAuth protocol.)
If this is working, you will probably want to think about testing this with your servers. It probably would make sense to do this test with the commercial version, which supports radius. You can try using ldap or tacacs (which is supported in pam), but radius is much cleaner. If you're using a commercial vpn, then radius is definitely the way to go.
In both cases, you need to enable the protocol, create a network client and then restart the server. For tacacs, you probably also need to kick off the tacacs listener with:
If your intention is to go Enterprise, now is a good time to switch. You won't get any benefit testing with tacacs. It's not the best option for ssh. It's fine for switches.
Thanks for your reply,
I am trying to authenticate an ssh user from the Enterprise version, but am still not able to do so.
I have installed the pam_radius_auth.so module as per the link you gave.
When I try to log in on this system it displays this error in the log file:
Code:
Nov 3 09:01:00 nms-test sshd[8992]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 15178688.
Nov 3 09:01:02 nms-test sshd[8992]: Failed password for ktahir from 192.168.150.3 port 4464 ssh2
Nov 3 09:01:15 nms-test sshd[8993]: Received disconnect from 192.168.150.3: 13: Authentication cancelled by user.
I am not very sure what parameters need to be set on the server side.
I have enabled radius and the network client, and created the user, but I am unable to find any password option for that user.
Now when I try to connect to the target server it fails authentication; below are the logs.
Log of Target server
Code:
Nov 3 21:02:33 nms-test sshd[10692]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 11803584.
Nov 3 21:02:34 nms-test sshd[10692]: Failed password for ktahir from 192.168.150.3 port 1977 ssh2
Log of Wikid Server
Code:
tail -f /opt/WiKID/log/radius.log
NASip is '192.168.150.109'
PAP Request
passcode is 123456
Checking ktahir:123456:192168150110
Check returned false
I am not sure about that passcode. How do I set it on the WiKID server?
The passcode needs to be generated from the token. If you got 123456 from a token, we might need to double-check our random number generator.
But still I am unable to log in. It repeatedly asks for the password again and again.
Below is the log of the target machine.
Code:
Nov 22 01:40:54 alpha sshd[4263]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 13298656.
Nov 22 01:40:54 alpha sshd[4263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.150.3 user=ktahir
Nov 22 01:40:56 alpha sshd[4263]: Failed password for ktahir from 192.168.150.3 port 4558 ssh2
If the WiKID server is returning true and the target SSH server is not validating the user, then the problem is most likely with your /etc/pam.d/sshd file. Do you have this line:
auth sufficient /lib/security/pam_radius_auth.so
? Post your /etc/pam.d/sshd file and I'll have a look.
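An added example, not from the thread or from the pam_radius_auth project: a small Python checker that parses a pam.d/sshd file and reports whether pam_radius_auth.so is in the auth stack, with which control flag, and whether it comes before the local password modules (an `include`/`substack` or pam_unix.so), since a RADIUS entry placed after them is never reached when the local password fails. The two sample files are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample /etc/pam.d/sshd contents (not taken from the thread).
BROKEN_SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
"""

FIXED_SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       sufficient   /lib/security/pam_radius_auth.so
auth       include      password-auth
account    required     pam_nologin.so
"""

# type, control (either a word or a [bracketed] action list), module, optional args
PAM_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text: str) -> List[Dict[str, str]]:
    """Split a pam.d file into entries; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if m:
            entries.append({"type": m.group(1).lstrip("-"), "control": m.group(2),
                            "module": m.group(3), "args": m.group(4)})
    return entries


def check_radius_auth(text: str) -> Dict[str, object]:
    """Report presence, control flag and ordering of pam_radius_auth in the auth stack."""
    auth = [e for e in parse_pam(text) if e["type"] == "auth"]
    radius_idx: Optional[int] = next(
        (i for i, e in enumerate(auth) if e["module"].endswith("pam_radius_auth.so")), None)
    local_idx: Optional[int] = next(
        (i for i, e in enumerate(auth)
         if e["control"] in ("include", "substack") or e["module"].endswith("pam_unix.so")), None)
    return {
        "present": radius_idx is not None,
        "control": auth[radius_idx]["control"] if radius_idx is not None else None,
        "before_local": radius_idx is not None and (local_idx is None or radius_idx < local_idx),
    }


if __name__ == "__main__":
    print(check_radius_auth(BROKEN_SSHD_PAM))  # present False
    print(check_radius_auth(FIXED_SSHD_PAM))   # present True, sufficient, before_local True
```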