From f73baeec039cef14d78408603d209ef567bffc0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20Str=C3=A5th?= Date: Fri, 31 Oct 2014 15:55:50 +0100 Subject: [PATCH] Update YubiKey_and_FreeRADIUS_via_PAM.adoc --- doc/YubiKey_and_FreeRADIUS_via_PAM.adoc | 67 ++++++++++--------------- 1 file changed, 26 insertions(+), 41 deletions(-) diff --git a/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc b/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc index 2c4d131..63f3366 100644 --- a/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc +++ b/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc @@ -1,11 +1,9 @@ -Yubico PAM Two-factor configuration guide ------------------------------------------ +== Yubico PAM Two-factor configuration guide == Step by Step Guide for Configuration of Yubico PAM module to provide Two-factor legacy Username + password + YubiKey OTP authentication for RADIUS server. -Introduction ------------- +=== Introduction === The purpose of this document is to guide readers through the configuration steps to enable two factor authentication using YubiKey and RADIUS server on Linux platform. This document assumes that the reader has advance knowledge @@ -19,9 +17,7 @@ authentication or any popular directory service by configuring appropriate PAM modules in radiusd PAM configuration file. -Prerequisites -------------- - +=== Prerequisites === Successful configuration of the Yubico PAM module to support two factor authentication for RADIUS requires following prerequisites: 
@@ -35,13 +31,10 @@ http://freeradius.org/download.html[FreeRADIUS]:: Version: 1.1.7 or later https://developers.yubico.com/yubico-pam[Yubico PAM Module]:: Version 1.8 -Configuration -------------- +=== Configuration === We assume that FreeRADIUS is already installed on the server. - -Configuration of FreeRADIUS server to support PAM authentication ----------------------------------------------------------------- +==== Configuration of FreeRADIUS server to support PAM authentication ==== * Edit the radiusd configuration file `/etc/raddb/radiusd.conf` to make following changes: @@ -58,22 +51,19 @@ privileges, this is a mandatory step here. * Add sample client for testing in the client configuration file `/etc/raddb/clients.conf`. - * Edit the user configuration file `/etc/raddb/users`, changing `DEFAULT Auth-Type = System` to `DEFAULT Auth-Type = pam` for using PAM modules for user authentication. -Installation of pam_yubico module ----------------------------------- +=== Installation of pam_yubico module === Build instructions for pam_yubico are available in the README. (https://github.com/Yubico/yubico-pam/wiki/ReadMe) -Configuration of pam_yubico module ------------------------------------- +=== Configuration of pam_yubico module === Configuration instructions for pam_yubico are also available in the README. (https://github.com/Yubico/yubico-pam/wiki/ReadMe) @@ -83,8 +73,7 @@ or user level mapping, as this will control which users can connect to the system using RADIUS. -Configuration of modified pam_yubico.so module at administrative level ------------------------------------------------------------------------- +=== Configuration of modified pam_yubico.so module at administrative level === Append the following line to the beginning of /etc/pam.d/radiusd file: 
@@ -106,16 +95,14 @@ module reports failure. After successful verification of OTP Yubico PAM module from the Yubico authentication server, a success code is returned. -User Level ------------- +==== User Level ==== Although, user level configuration of pam_yubico is possible, this might not be a desired configuration option in case of radisud daemon in most enterprise. -Configuration of selinux policy to create exception for radiusd daemon ------------------------------------------------------------------------ -Local effective selinux policy must be updated to provide sufficient +=== Configuration of SElinux policy to create exception for radiusd daemon === +Local effective SElinux policy must be updated to provide sufficient privileges to radiusd daemon on system resources. Please follow the steps below to configure effective selinux policy for radiusd daemon: @@ -130,7 +117,7 @@ to configure effective selinux policy for radiusd daemon: * We can use audit2allow utility to provide selinux privileges to radiusd by using following sequence of commands: ------- +---- [root@testsrv ~]# audit2allow -m local -l -i /var/log/messages > local.te [root@testsrv ~]# checkmodule -M -m -o local.mod local.te @@ -138,7 +125,7 @@ to configure effective selinux policy for radiusd daemon: [root@testsrv ~]# semodule_package -o local.pp -m local.mod [root@testsrv ~]# semodule -i local.pp ------- +---- For more selinux policy updating information and explanation of above commands please visit the following website: @@ -146,8 +133,7 @@ please visit the following website: http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 -Test Setup ----------- +=== Test Setup === Our test environment is as follows: 
@@ -156,18 +142,17 @@ FreeRADIUS Server:: FreeRADIUS Version 1.1.7 Yubico PAM:: pam_yubico Version 1.8 /etc/pam.d/radiusd file:: ------- +---- auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session include system-auth ------- +---- -Testing the configuration : ---------------------------- +=== Testing the configuration === We have tested the pam_yubico configuration on following Linux sever platforms: @@ -184,17 +169,17 @@ Fedora 6: * Yubico PAM: pam_yubico Version 1.8 To test the RADIUS two factor authentication with YubiKey, we can use -“radtest” radius client. The command is as follows: +'radtest' radius client. The command is as follows: ------- - [root@testsrv ~]# radtest {username} \ - {password followed by YubiKey generated OTP} \ - {radius-server}:{radius server port} \ - {nas-port-number} \ - {secret/ppphint/nasname} +---- +[root@testsrv ~]# radtest {username} \ + {password followed by YubiKey generated OTP} \ + {radius-server}:{radius server port} \ + {nas-port-number} \ + {secret/ppphint/nasname} - [root@testsrv ~]# radtest test test123vrkvit...bekkjc 127.0.0.1 0 testing123 ------- +[root@testsrv ~]# radtest test test123vrkvit...bekkjc 127.0.0.1 0 testing123 +---- NOTE:
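Review bot: the commit subject "Update YubiKey_and_FreeRADIUS_via_PAM.adoc" does not say what changed; something like "Convert setext headings to == style and normalise listing delimiters" would let a reader of the log know this is a markup-only change with no change to the documented procedure.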
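Review bot: in the first hunk (@@ -1,11 +1,9) the document title "Yubico PAM Two-factor configuration guide" is converted to `== ... ==` (level 1) rather than `= ... =` (level 0), so AsciiDoc will not treat it as the document header and the following `=== Introduction ===` / `=== Prerequisites ===` become level-2 sections under a file with no level-0 title; use `= Yubico PAM Two-factor configuration guide` for the title and shift the rest up one level, unless this file is only ever included into a larger document. The same hunk also drops the blank line between `=== Prerequisites ===` and "Successful configuration ..."; Asciidoctor tolerates that, but a blank line after each heading is the convention used elsewhere in this file.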
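Review bot: in the hunk at @@ -58,22 +51,19 the heading levels come out inconsistent: "Configuration of FreeRADIUS server to support PAM authentication" is nested under `=== Configuration ===` as `====`, but "Installation of pam_yubico module" and "Configuration of pam_yubico module" are promoted to `===`, which closes the Configuration section even though they are configuration steps of the same procedure. Either keep all three at `====` under Configuration or keep all at `===`; mixing them makes a generated table of contents misleading.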
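Review bot: in the hunk at @@ -106,16 +95,14 the new heading and first sentence spell it "SElinux", which is neither the project's spelling ("SELinux") nor the "selinux" used in the unchanged lines of the same paragraph, so the hunk leaves three spellings in one place; use "SELinux" consistently, including in the heading. While touching this hunk the context-line typo "radisud daemon" (radiusd) could be fixed as well.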
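Review bot: the hunk at @@ -130,7 +117,7 only swaps `-------` for `----` around the audit2allow listing, but the command it frames, `audit2allow -m local -l -i /var/log/messages > local.te`, only sees AVC denials that were routed to syslog; on a system running auditd (the default on Fedora and RHEL) they are in /var/log/audit/audit.log, so the listing should read from there or use `ausearch -m avc | audit2allow -M local`. A sentence that local.te must be reviewed before `semodule -i local.pp` is also missing: audit2allow grants every access that was denied, which is the opposite of least privilege if the log contains unrelated denials.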
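Review bot: the hunk at @@ -156,18 +142,17 re-fences the sample `/etc/pam.d/radiusd` but leaves `debug` on the `auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug` line with no remark that it is for troubleshooting only; pam_yubico's debug output is verbose and the Test Setup section is the one readers copy, so add a sentence to drop `debug` in production. It is also worth stating that with `required` (rather than `requisite`) a failed OTP does not stop the stack, so the `auth include system-auth` line still runs and the password is still checked before the overall failure is reported; that matches the behaviour described earlier in the file but is easy to get wrong when editing this listing.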
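Review bot: in the last hunk (@@ -184,17 +169,17) replacing the curly quotes around radtest with `'radtest'` changes the rendering rather than fixing it: legacy AsciiDoc renders single-quoted text as emphasis and Asciidoctor as curly quotes. Since it is a command name, use backticks (`radtest`) as the file already does for `/etc/raddb/radiusd.conf`. The de-indented example `radtest test test123vrkvit...bekkjc 127.0.0.1 0 testing123` still shows a truncated OTP and `testing123`, the stock secret for the localhost client in the FreeRADIUS default clients.conf; a note that both are placeholders for the test client only would stop them being copied into a real configuration.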