How to configure two-factor authentication using sudo in Linux

To configure two-factor authentication using sudo in Linux

Two-factor authentication is used to reduce the risk of unauthorized access. In this tutorial we will learn how to add RADIUS authentication to sudo on CentOS 7 or Ubuntu 16.04. It is made more robust with the help of the WiKID Strong Authentication server. With pam-radius, authorization is done in the root folder, and the authentication is then done separately by the two-factor authentication server.

To configure sudo on CentOS

Utilise the following command to install the dependencies.

[root@linuxhelp ~]# yum install make gcc pam pam-devel -y
Loaded plugins: fastestmirror, langpacks  
Loading mirror speeds from cached hostfile
 * base: mirror.nbrc.ac.in
 * extras: mirror.nbrc.ac.in
 * updates: mirror.nbrc.ac.in
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:4.8.5-4.el7 will be installed
--> Processing Dependency: libgomp = 4.8.5-4.el7 for package: gcc-4.8.5-4.el7.x86_64
--> Processing Dependency: cpp = 4.8.5-4.el7 for package: gcc-4.8.5-4.el7.x86_64
--> Processing Dependency: libgcc >= 4.8.5-4.el7 for package: gcc-4.8.5-4.el7.x86_64
--> Processing Dependency: glibc-devel >= 2.2.90-12 for package: gcc-4.8.5-4.el7.x86_64
--> Processing Dependency: libmpc.so.3()(64bit) for package: gcc-4.8.5-4.el7.x86_64
---> Package pam.x86_64 0:1.1.8-9.el7 will be updated
---> Package pam.x86_64 0:1.1.8-12.el7_1.1 will be an update
---> Package pam-devel.x86_64 0:1.1.8-12.el7_1.1 will be installed
--> Running transaction check
---> Package cpp.x86_64 0:4.8.5-4.el7 will be installed
.
.
.
Installed:
  gcc.x86_64 0:4.8.5-4.el7                                  pam-devel.x86_64 0:1.1.8-12.el7_1.1                                 

Dependency Installed:
  cpp.x86_64 0:4.8.5-4.el7                      glibc-devel.x86_64 0:2.17-106.el7_2.6   glibc-headers.x86_64 0:2.17-106.el7_2.6  
  kernel-headers.x86_64 0:3.10.0-327.22.2.el7   libmpc.x86_64 0:1.0.1-3.el7            

Updated:
  pam.x86_64 0:1.1.8-12.el7_1.1                                                                                                  

Dependency Updated:
  glibc.x86_64 0:2.17-106.el7_2.6          glibc-common.x86_64 0:2.17-106.el7_2.6          libgcc.x86_64 0:4.8.5-4.el7         
  libgomp.x86_64 0:4.8.5-4.el7            

Complete!

Run the following command to download the latest pam radius code.

[root@linuxhelp ~]# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
--2016-07-29 06:14:52--  ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
           => ‘pam_radius-1.4.0.tar.gz’
Resolving ftp.freeradius.org (ftp.freeradius.org)... 62.210.29.29
Connecting to ftp.freeradius.org (ftp.freeradius.org)|62.210.29.29|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD (1) /pub/radius ... done.
==> SIZE pam_radius-1.4.0.tar.gz ... 179458
==> PASV ... done.    ==> RETR pam_radius-1.4.0.tar.gz ... done.
Length: 179458 (175K) (unauthoritative)

100%[=======================================================================================>] 179,458      139KB/s   in 1.3s

2016-07-29 06:14:56 (139 KB/s) - ‘pam_radius-1.4.0.tar.gz’ saved [179458]

Extract the downloaded file by using the following command.

[root@linuxhelp ~]# tar -xzvf pam_radius-1.4.0.tar.gz 
pam_radius-1.4.0/
pam_radius-1.4.0/.gitignore
pam_radius-1.4.0/.travis.yml
pam_radius-1.4.0/Changelog
pam_radius-1.4.0/INSTALL
pam_radius-1.4.0/LICENSE
pam_radius-1.4.0/Makefile
pam_radius-1.4.0/README.rst
.
.
.
pam_radius-1.4.0/pamsymbols.ver
pam_radius-1.4.0/src/
pam_radius-1.4.0/src/config.h.in
pam_radius-1.4.0/src/md5.c
pam_radius-1.4.0/src/md5.h
pam_radius-1.4.0/src/pam_radius_auth.c
pam_radius-1.4.0/src/pam_radius_auth.h
pam_radius-1.4.0/src/radius.h

Run the following command to install pam radius.

[root@linuxhelp ~]# cd pam_radius-1.4.0/
[root@linuxhelp pam_radius-1.4.0]# ./configure 
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for g++... no
.
.
.
checking for struct in6_addr... yes
checking whether byte ordering is bigendian... (cached) no
checking for an ANSI C-conforming const... yes
checking for the compiler flag "-Wdocumentation"... no
checking if building with -DNDEBUG... no
configure: creating ./config.status
config.status: creating src/config.h
[root@linuxhelp pam_radius-1.4.0]# make
cc -Wall -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o
src/pam_radius_auth.c: In function ‘pam_private_session’:
src/pam_radius_auth.c:1300:6: warning: variable ‘ctrl’ set but not used [-Wunused-but-set-variable]
  int ctrl 
      ^
cc -Wall -fPIC -c src/md5.c -o md5.o
cc -shared pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

Copy the library to the /lib64/security/ path.

[root@linuxhelp pam_radius-1.4.0]# cp pam_radius_auth.so /lib64/security/

Create the /etc/raddb configuration directory and copy the sample configuration file into it as /etc/raddb/server (a file, not a directory).

[root@linuxhelp pam_radius-1.4.0]# mkdir /etc/raddb
[root@linuxhelp pam_radius-1.4.0]# cp pam_radius_auth.conf /etc/raddb/server

Open the server file and add the RADIUS server IP and shared secret to it.

[root@linuxhelp pam_radius-1.4.0]# nano /etc/raddb/server

# server[:port] shared_secret       timeout (s)
127.0.0.1       secret             1
radius_server_IP    secret     3
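
The server file holds the RADIUS shared secret in clear text, so it should be readable by root only and should not keep the sample value. The following audit is an added example, not part of the original tutorial or of pam_radius; the function name and the minimum secret length are assumptions, and the same three-column format applies to /etc/pam_radius_auth.conf on Ubuntu.

```shell
#!/bin/sh
# Added example: audit a pam_radius server file ("server[:port] secret timeout").
MIN_SECRET_LEN=16   # assumption: local policy value, not defined by pam_radius

# Prints one line per finding and returns the number of findings.
audit_radius_conf() {
    conf=$1
    findings=0
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf is not a regular file"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $conf is accessible to group/other; use chmod 600"
        findings=$((findings + 1))
    fi
    while read -r server secret timeout || [ -n "$server" ]; do
        case $server in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ "$secret" = "secret" ]; then
            echo "FAIL: $server still uses the sample shared secret"
            findings=$((findings + 1))
        elif [ "${#secret}" -lt "$MIN_SECRET_LEN" ]; then
            echo "WARN: $server secret is shorter than $MIN_SECRET_LEN characters"
            findings=$((findings + 1))
        fi
    done < "$conf"
    return "$findings"
}

# Constructed sample mirroring the file shown above, world-readable on purpose.
demo=$(mktemp -d)
printf '%s\n' '# server[:port] shared_secret timeout (s)' \
    '127.0.0.1 secret 1' 'radius_server_IP secret 3' > "$demo/server"
chmod 644 "$demo/server"
audit_radius_conf "$demo/server" || echo "findings: $?"

# Same file after hardening: owner-only mode and a constructed long secret.
printf '%s\n' 'radius_server_IP CONSTRUCTED-example-secret-0001 3' > "$demo/server"
chmod 600 "$demo/server"
audit_radius_conf "$demo/server" && echo "clean"
```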

Edit the /etc/pam.d/sudo file as shown below to allow sudo to use RADIUS.

[root@linuxhelp pam_radius-1.4.0]# nano /etc/pam.d/sudo
        auth       required      pam_radius_auth.so

To configure sudo on Ubuntu

Run the following command to install pam radius.

root@linuxhelp:~# apt-get install libpam-radius-auth -y
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Suggested packages:
  radius-server
The following NEW packages will be installed:
  libpam-radius-auth
0 upgraded, 1 newly installed, 0 to remove and 338 not upgraded.
Need to get 25.9 kB of archives.
After this operation, 101 kB of additional disk space will be used.
.
.
.
Fetched 25.9 kB in 1s (24.0 kB/s)       
Preconfiguring packages ...
Selecting previously unselected package libpam-radius-auth.
(Reading database ... 172193 files and directories currently installed.)
Preparing to unpack .../libpam-radius-auth_1.3.17-0ubuntu4_amd64.deb ...
Unpacking libpam-radius-auth (1.3.17-0ubuntu4) ...
Setting up libpam-radius-auth (1.3.17-0ubuntu4) ...

Open the configuration file by using the following command, and set the RADIUS server IP and shared secret.

root@linuxhelp:~# nano /etc/pam_radius_auth.conf
# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
radius_server_IP   secret             3
#

Open the sudo file and add the following line into it.

root@linuxhelp:~# nano /etc/pam.d/sudo
auth sufficient pam_radius_auth.so
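
The CentOS section uses the control flag required for pam_radius_auth.so and the Ubuntu section uses sufficient, and the two behave differently when the RADIUS check fails. The following simplified model of PAM's auth stack evaluation is an added example, not part of the original tutorial or of Linux-PAM; the stack files are constructed, pam_unix.so stands in for the existing password check, and include lines and bracketed controls are not modelled.

```shell
#!/bin/sh
# Added example: simplified model of how PAM combines "auth" lines.
# Handles required, requisite and sufficient; skips optional, include
# lines and [bracket] controls. Module results are supplied by the caller.

# pam_eval STACK_FILE "module=ok|fail ..."  -> prints granted or denied
pam_eval() {
    awk -v results="$2" '
    BEGIN {
        n = split(results, kv, " ")
        for (i = 1; i <= n; i++) { split(kv[i], p, "="); ok[p[1]] = (p[2] == "ok") }
    }
    $1 != "auth" || $2 !~ /^(required|requisite|sufficient)$/ { next }
    {
        if (ok[$3]) {
            passed = 1
            # sufficient + success ends the stack unless a required module failed
            if ($2 == "sufficient" && !failed) { verdict = "granted"; exit }
        } else if ($2 == "required") {
            failed = 1                # remember the failure, keep going
        } else if ($2 == "requisite") {
            verdict = "denied"; exit  # fail immediately
        }                             # a failed sufficient module is ignored
    }
    END {
        if (verdict == "") verdict = (passed && !failed) ? "granted" : "denied"
        print verdict
    }' "$1"
}

# Constructed stacks: the RADIUS line first, then a stand-in password check.
demo=$(mktemp -d)
printf 'auth %s pam_radius_auth.so\nauth required pam_unix.so\n' required \
    > "$demo/sudo.required"
printf 'auth %s pam_radius_auth.so\nauth required pam_unix.so\n' sufficient \
    > "$demo/sudo.sufficient"

for stack in required sufficient; do
    for radius in ok fail; do
        echo "$stack, RADIUS $radius, password ok:" \
            "$(pam_eval "$demo/sudo.$stack" "pam_radius_auth.so=$radius pam_unix.so=ok")"
    done
done
```

In this model the sufficient stack grants access when either the RADIUS check or the password check succeeds, while the required stack needs the RADIUS check to pass every time.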

This completes the two-factor authentication configuration for Ubuntu in three simple steps.

FAQ
Q
Where do I need to put the pam radius configuration file while configuring two-factor authentication using sudo in Linux?
A
You can drop the configuration file in the /etc location while configuring two-factor authentication using sudo in Linux.
Q
How to trigger the installation of pam radius while configuring two-factor authentication using sudo in Linux?
A
Navigate into the source folder and run configure as follows to start installing pam radius while configuring two-factor authentication using sudo in Linux.

# cd pam_radius-1.4.0/
# ./configure
Q
What are the dependencies required for configuring two-factor authentication using sudo in Linux?
A
The following dependencies are required for configuring two-factor authentication using sudo in Linux:

make
gcc
pam
pam-devel
Q
How to resolve a compiling error when configuring two-factor authentication using sudo in Linux?
A
Make sure all the dependent packages are installed successfully for two-factor authentication using sudo in Linux.
Q
How to fix the "gcc required" error while configuring two-factor authentication using sudo in Linux?
A
Install the gcc compiler, and also verify whether it has crashed. If it has crashed, remove and reinstall the gcc compiler while configuring two-factor authentication using sudo in Linux.