000034848 - Challenging local Unix and Active Directory users on a Red Hat Enterprise Linux server with two-factor authentication

Document created by RSA Customer Support Employee on Feb 23, 2017
Version 1

Article Content

Article Number: 000034848
Applies To:
RSA Product Set: SecurID
RSA Product/Service Type: RSA Authentication Agent for PAM
RSA Version/Condition: 7.1 Patch 1
Platform: Red Hat Enterprise Linux
 
Issue: The customer has a requirement to challenge local Unix and Active Directory users on a Red Hat Enterprise Linux server with two-factor authentication using SecurID.
Resolution: First, an administrator must configure the Red Hat Enterprise Linux server to interact with Microsoft Active Directory. Next, the administrator needs to install and configure the RSA Authentication Agent 7.1 Patch 1 for PAM.
For this example,
  • The domain components for Active Directory are corp.net, 
  • The domain name is CORP, and
  • The Windows computer name for the Active Directory is ad-dns-01.corp.net.
Steps 1 through 12 integrate Active Directory so that Active Directory users can log on and authenticate with their Windows passwords. Step 13 references the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide for Red Hat for installing and configuring the RSA Authentication Agent 7.1 Patch 1 for PAM software, and provides an example ssh configuration in which all users are challenged for a passcode, with the exception of root, who is challenged for a password.

Steps


  1. Using the Red Hat Enterprise Linux media, install and configure a Red Hat Enterprise Linux server with a graphical user interface and with SELinux disabled.
  2. Install additional software on the Red Hat Enterprise Linux server (the syntax for this command should be on one line):

yum -y install authconfig krb5-workstation pam_krb5 samba-common oddjob-mkhomedir sudo ntp nss-pam-ldapd samba-winbind samba-winbind-clients


A Red Hat subscription is required to install the software using yum; alternatively, set up the Red Hat software DVD as a yum repository.

  3. Start and enable the winbind service:

systemctl start winbind
systemctl enable winbind


  4. Configure the winbind and Kerberos software (the syntax for this command should be on one line):
authconfig --disablecache --enablewinbind --enablewinbindauth --smbsecurity=ads --smbworkgroup=corp --smbrealm=corp.net --enablewinbindusedefaultdomain --winbindtemplatehomedir=/home/corp.net/%U --winbindtemplateshell=/bin/bash --enablekrb5 --krb5realm=CORP.NET --enablekrb5kdcdns --enablekrb5realmdns --enablelocauthorize --enablemkhomedir --enablepamaccess --updateall

  5. Make a copy of /etc/krb5.conf, naming it /etc/krb5.conf.old.
  6. Double-check /etc/krb5.conf. The file should have the following contents; where there are differences, update /etc/krb5.conf. Be careful with edits, as this file is case sensitive.

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
default_ccache_name = KEYRING:persistent:%{uid}
default_realm = CORP.NET
dns_lookup_kdc = true
[realms]
CORP.NET = {
admin_server = ad-dns-01.corp.net
kdc = ad-dns-01.corp.net
}
corp.net = {
}
[domain_realm]
corp.net = CORP.NET
.corp.net = CORP.NET


  7. Join the Red Hat Enterprise Linux server to the Active Directory domain:

net ads join -U Administrator


  8. Check the domain information:

net ads info


  9. Display Active Directory user information:

wbinfo -u


  10. Create a home directory for the Active Directory users:

mkdir /home/corp.net
chmod 777 /home/corp.net


  11. Preserve the default PAM configuration in the /etc/pam.d/system-auth-ac file:

cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac-SAV


  12. Update the PAM configuration file /etc/pam.d/system-auth-ac to look like the example below:

auth required pam_env.so 
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account [default=ignore success=1] pam_succeed_if.so uid < 16777216 quiet
account [default=bad success=ignore] pam_succeed_if.so user ingroup linuxusers quiet
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so


  13. Use an SSH client (such as PuTTY) to test the configuration.
Make sure Active Directory users can authenticate with their Windows password before going to the next step.

  14. Install and configure the RSA Authentication Agent 7.1 Patch 1 for PAM using the RSA Authentication Agent 7.1 for PAM Installation and Configuration Guide for Red Hat.
Below are the /etc/sd_pam.conf, /etc/ssh/sshd_config and /etc/pam.d/sshd files configured to challenge local Unix and Active Directory users for a passcode, with the exception of root, who is challenged only for a password.
 

/etc/sd_pam.conf


Changed to challenge all users with the exception of root


#VAR_ACE ::  the location where the sdconf.rec, sdstatus.12 and securid files will go
# default value is /var/ace
VAR_ACE=/var/ace
#RSATRACELEVEL :: To enable logging in UNIX for securid authentication
#                   :: 0 Disable logging for securid authentication
#                   :: 1 Logs regular messages for securid authentication
#                   :: 2 Logs function entry points for securid authentication
#                   :: 4 Logs function exit points for securid authentication
#                   :: 8 All logic flow controls use this for securid authentication
# NOTE              :: For combinations, add the corresponding values
# default value is 0
RSATRACELEVEL=0
#RSATRACEDEST :: Specify the file path where the logs are to be redirected for securid authentication.
#                   :: If this is not set, by default the logs go to Error output.
RSATRACEDEST=/tmp/PAMagent.log
#ENABLE_USERS_SUPPORT :: 1 to enable; 0 to disable users support
# default value is 0
ENABLE_USERS_SUPPORT=1
#INCL_EXCL_USERS :: 0 exclude users from securid authentication
#                   :: 1 include users for  securid authentication
# default value is 0
INCL_EXCL_USERS=0
#LIST_OF_USERS :: a list of users to include or exclude from SecurID Authentication...Example:
LIST_OF_USERS=root
#PAM_IGNORE_SUPPORT_FOR_USERS :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to user exclusion support
#                   :: 0 to UNIX authenticate a user that is not SecurID authenticated due to user exclusion support
# default value is 0
PAM_IGNORE_SUPPORT_FOR_USERS=0
#ENABLE_GROUP_SUPPORT :: 1 to enable; 0 to disable group support
# default value is 0
ENABLE_GROUP_SUPPORT=0
#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for securid authentication (include)
#                 :: 0 to never prompt the listed groups for securid authentication (exclude)
# default value is 0
INCL_EXCL_GROUPS=0
#LIST_OF_GROUPS :: a list of groups to include or exclude...Example
LIST_OF_GROUPS=
#PAM_IGNORE_SUPPORT :: 1 to return PAM_IGNORE if a user is not SecurID authenticated due to their group membership
#                   :: 0 to UNIX authenticate a user that is not SecurID authenticated due to their group membership
# default value is 0
PAM_IGNORE_SUPPORT=0
#AUTH_CHALLENGE_USERNAME_STR :: prompt message to ask user for their username/login id
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
#AUTH_CHALLENGE_RESERVE_REQUEST_STR :: prompt message to ask administrator for their System password
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System Password for root :
#AUTH_CHALLENGE_PASSCODE_STR :: prompt message to ask user for their Passcode
AUTH_CHALLENGE_PASSCODE_STR=Enter PASSCODE :
#AUTH_CHALLENGE_PASSWORD_STR :: prompt message to ask user for their Password
AUTH_CHALLENGE_PASSWORD_STR=Enter your PASSWORD :
#BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS :: 0  Disable retry UNIX authentication after failed login attempt
#                   :: 1  Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
#                   :: 2  Enable retry UNIX authentication after failed login attempt but treated setting as pow(3, failattempts) sec delay
#                   :: 3  Enable retry UNIX authentication after failed login attempt with pow(3, failattempts) sec delay
#                   :: 4  Enable retry UNIX authentication after failed login attempt with pow(4, failattempts) sec delay
#                   :: 5/Above  Enable retry UNIX authentication after failed login attempt with pow(5/Above, failattempts) sec delay
#                   :: If no BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS setting is present, then  treated as pow(4, failattempts) sec delay
# default value is 4
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS=4
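An added example (not RSA's code) that applies the include/exclude and back-off rules documented in the comments above to a given user, so the combined effect of ENABLE_USERS_SUPPORT, INCL_EXCL_USERS and LIST_OF_USERS can be checked before a login is attempted. The sample configuration is constructed, and evaluating user rules before group rules is an assumption.

```python
# Added example, not RSA's code: evaluates the user/group include-exclude
# logic documented in the sd_pam.conf comments above, plus the retry back-off
# for excluded users. Checking user rules before group rules is an assumption.
SAMPLE_SD_PAM_CONF = """\
ENABLE_USERS_SUPPORT=1
INCL_EXCL_USERS=0
LIST_OF_USERS=root
PAM_IGNORE_SUPPORT_FOR_USERS=0
ENABLE_GROUP_SUPPORT=0
BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS=4
"""

def parse_sd_pam_conf(text):
    """KEY=VALUE lines; '#' comment lines and blanks are ignored."""
    conf = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def _names(value):
    # LIST_OF_USERS / LIST_OF_GROUPS: comma or space separated (assumption)
    return set(value.replace(",", " ").split())

def _excluded(conf, enable_key, mode_key, list_key, members):
    """True when the include/exclude rule keeps `members` away from SecurID."""
    if conf.get(enable_key, "0") != "1":
        return False
    listed = bool(set(members) & _names(conf.get(list_key, "")))
    include_mode = conf.get(mode_key, "0") == "1"   # 1 = the list is an include list
    return (not listed) if include_mode else listed

def securid_decision(conf, user, groups=()):
    """'securid' = passcode challenge; 'unix' = fall back to the UNIX password;
    'ignore' = module returns PAM_IGNORE and the rest of the stack decides."""
    if _excluded(conf, "ENABLE_USERS_SUPPORT", "INCL_EXCL_USERS", "LIST_OF_USERS", [user]):
        return "ignore" if conf.get("PAM_IGNORE_SUPPORT_FOR_USERS", "0") == "1" else "unix"
    if _excluded(conf, "ENABLE_GROUP_SUPPORT", "INCL_EXCL_GROUPS", "LIST_OF_GROUPS", groups):
        return "ignore" if conf.get("PAM_IGNORE_SUPPORT", "0") == "1" else "unix"
    return "securid"

def backoff_delay(conf, fail_attempts):
    """Seconds before an excluded UNIX user may retry; None when disabled."""
    base = int(conf.get("BACKOFF_TIME_FOR_RSA_EXCLUDED_UNIX_USERS", "4"))
    if base == 0:
        return None
    return max(base, 3) ** fail_attempts   # settings 1 and 2 behave as 3
```

With the article's settings, root falls back to the UNIX password and every other user is challenged for a passcode; the back-off after two failed UNIX attempts is 16 seconds.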


/etc/ssh/sshd_config 


The only changes are as follows:
  • UsePAM (yes)
  • PasswordAuthentication (no)
  • UsePrivilegeSeparation (no), and
  • ChallengeResponseAuthentication (yes)
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
UsePrivilegeSeparation no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server


/etc/pam.d/sshd 


The order of the rules in this file is very important.
#%PAM-1.0
auth       required     pam_securid.so
# auth     required     pam_sepermit.so
# auth       substack     password-auth
# auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare


  15. As root, restart the sshd service with the following command:
service sshd restart

  16. Use an SSH client such as PuTTY to test the configuration.
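An added audit example, not part of the article, that reads sshd_config and /etc/pam.d/sshd contents like those shown above and reports deviations from the four required sshd settings and from the required pam_securid.so ordering. It relies on sshd's rule that the first value read for a keyword wins (so an earlier directive silently beats one added further down); the sample file contents are constructed.

```python
# Added audit example, not RSA's code: sshd uses the FIRST value it reads for a
# keyword (an earlier directive silently beats one added further down), and
# pam.d/sshd needs pam_securid.so as the first active auth rule with the
# password-auth substack out of the auth stack. Samples are constructed.
SAMPLE_SSHD_CONFIG = """\
#PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
UsePrivilegeSeparation no
"""
SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_securid.so
# auth       substack     password-auth
-auth      optional     pam_reauthorize.so prepare
account    include      password-auth
"""
# Values the article requires (keywords compared case-insensitively).
REQUIRED_SSHD = {"usepam": "yes", "passwordauthentication": "no",
                 "challengeresponseauthentication": "yes",
                 "useprivilegeseparation": "no"}

def effective_sshd_options(text):
    """Keyword -> value, keeping the first occurrence; stops at a Match block."""
    opts = {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ").split(None, 1)
        if parts[0].lower() == "match":
            break
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def sshd_findings(text):
    opts = effective_sshd_options(text)
    return [f"{k} is {opts.get(k, '<default>')}, expected {v}"
            for k, v in REQUIRED_SSHD.items() if opts.get(k) != v]

def pam_sshd_findings(text):
    """Look only at active auth rules ('-auth' marks an optional module)."""
    auth = [f for f in (l.split() for l in text.splitlines())
            if f and not f[0].startswith("#") and f[0].lstrip("-") == "auth"]
    findings = []
    if not auth or auth[0][2] != "pam_securid.so":
        findings.append("pam_securid.so is not the first active auth rule")
    if any(f[1] in ("substack", "include") and f[2] == "password-auth" for f in auth):
        findings.append("password-auth is still part of the auth stack")
    return findings
```

Run both functions over the real files after step 15 and before testing; an empty list from each means the files match the article's configuration.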
Notes: Customers are expected to know how to configure and use Pluggable Authentication Modules (PAM), or the customer can contact the vendor of the operating system for further information on PAM configuration and usage.
