How to secure SSH with two-factor authentication from WiKID

SSH is the work-horse of remote access protocols. Unfortunately, it is also a frequent target for brute-force attacks. Moreover, using the built-in public keys for authentication may not pass muster with auditors.
SSH offers a highly secure channel for remote administration of servers. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some potential authentication related short-comings that may cause headaches in an audit. For example:
  • There is no way to control which users have public key authorization
  • There is no way to enforce passphrase complexity (or even be sure that one is being used)
  • There is no way to expire a public key
In this document we will show you how to configure SSH for two-factor authentication from WiKID using pam_radius.

Configuring PAM to use pam_radius:

First, you need to install PAM Radius. There is excellent documentation on this at the PAM Radius home page. Depending on your distribution, you might also be able to find a suitable binary. I had no trouble compiling this on Fedora 7:

# ./configure
# make
# make install

Edit /etc/pam.d/sshd to allow Radius authentication:

vi /etc/pam.d/sshd

Go to the second line of the file, hit the Insert key or the i key and insert this line:

auth     sufficient   /lib/security/pam_radius_auth.so

just above this line:

auth     required     pam_stack.so service=system-auth

The “sufficient” tag indicates that if the Radius authentication succeeds then no additional authentication will be required. However, if the Radius authentication fails, a username and password from the system will work. Use "Required" to require strong authentication. Because we are only editing the sshd file, it will not affect terminal log-ins. PAM can be very different on different linux variants. Consult the specific documentation for your OS.

Configure pam_radius to use WiKID:

Edit or create your /etc/raddb/server file:

vi /etc/raddb/server

Below the line:

127.0.0.1   secret        1

Add this line:

WiKID_server_ip   shared_secret     1
Finally, I made sure that PublicKey authentication was turned off in /etc/sshd/sshd_config:
PubkeyAuthentication no

Configure a Network Client for the SSH server:

On the WiKID server web-interface, click Network Clients tab and on "Create a new Network Client".

Enter the information requested. For the IP Address, use the IP address of the SSH target server. Select Radius and the domain you want for this SSH server. Click "Add" when you're finished.

On the next page, enter the shared secret you entered in the /etc/raddb/server file of the target server. Do not have to enter any information under "Return Attributes".

Important: From the WiKID terminal or via SSH, you will need to run "wikidctl stop" and then "wikidcl start" to load the new configuration into the WiKID Radius server. (WiKID 2.0 users just run "stop" and "start".)

Testing your SSH setup

Now, ssh to your target server:

ssh user@target_server

When prompted, enter the WiKID one-time password - it should have automatically been pasted to your clip-board so ctrl-v or shift-ins should work. You should be granted access. If not, there a number of logs to consult. First, check /var/log/secure on your target server to see why the user was rejected. You can also check the WiKID radius log at /opt/WiKID/log/radius.log on the WiKID server or through the logs on the WiKIDADmin interface. You can turn debugging on for Radius on the Configuration >> Enable Protocols >> Radius page.

Join our email list
How do I add two-factor auth?

Download a registration-free free eGuide on How to Add Two-factor Authentication to Your Network, complete with examples.

    Thanks for responding so fast! Great service.

    INFOSEC PRO
    SAN DIEGO, USA