Google Authenticator
Latest revision as of 16:08, 30 March 2022
Docker
The purpose of this container is to run FreeRADIUS with the Google Authenticator PAM module loaded.[1] It is taken from a production system that runs FreeRADIUS and Apache as a full-featured solution, allowing users to request new codes without bothering IT.
Host Prep
This is not a fully contained solution. I ran into problems with SSS and Kerberos authentication into AD. The problem stems from two sides:
1. Kerberos keeps its credential cache in the kernel keyring by default, which an unprivileged container cannot reach.[2]
2. Kerberos likes a stable network identity. Containers tend to jump around and this causes problems.
So I settled on enrolling the host into AD, as hosts are more stable, and because I will be using EC2 instances until I learn the orchestrator in AWS.
- Make sure your DNS solution is configured to resolve the domain you want to authenticate to.
sudo yum -y upgrade
sudo yum -y install yum-cron oddjob oddjob-mkhomedir sssd samba-common-tools realmd docker
sudo realm join -U <username> <domain>
Container build
I normally work with CentOS while the FreeRADIUS containers are based on Debian/Ubuntu, so for this we want to build our own image using the following template. This could be made smaller if I compiled the PAM module outside the container and simply added it in, which would make a number of the packages below unnecessary, but I wanted to compile it in the container just for the fun of it.[3][4]
FROM centos:7.6.1810
RUN yum -y upgrade
RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

## Google Auth steps: EPEL package plus the build dependencies to compile the PAM module from source
RUN yum install -y google-authenticator \
    git \
    autoconf \
    dh-autoreconf \
    cmake \
    automake \
    libtool.x86_64 \
    pam-devel mailx
RUN git clone https://github.com/google/google-authenticator-libpam.git
RUN cd /google-authenticator-libpam; ./bootstrap.sh
RUN cd /google-authenticator-libpam; ./configure && make; make install

## FreeRADIUS steps
RUN yum -y install freeradius \
    freeradius-utils
# run radiusd as root so the PAM module can read each user's ~/.google_authenticator
RUN sed -i 's/user\ =\ radiusd/user\ =\ root/; s/group\ =\ radiusd/group\ =\ root/' /etc/raddb/radiusd.conf
# enable the pam module in the default virtual server and in mods-enabled
RUN sed -i "s/^#\\tpam/\\tpam/" /etc/raddb/sites-enabled/default
RUN ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
# RADIUS client (NAS) allowed to talk to this server; replace the secret and network
RUN echo -e " \n\
client vcs-vdi-01 { \n\
secret = your_secret_here\n\
shortname = vcs01 \n\
ipaddr = 10.xxx.xxx.0 \n\
netmask = 23 \n\
} \n\
" >> /etc/raddb/clients.conf
# every user is authenticated through PAM
RUN echo "DEFAULT Auth-Type := PAM" >> /etc/raddb/users
# PAM stack for radiusd: the only auth check is the TOTP code
RUN rm -f /etc/pam.d/radiusd; echo -e "auth required pam_google_authenticator.so\n\
account required pam_nologin.so\n\
account include password-auth\n\
session include password-auth\n\
" >> /etc/pam.d/radiusd

## Kerberos config
RUN yum -y install krb5-workstation \
    openldap-clients \
    mysql \
    realmd \
    oddjob \
    oddjob-mkhomedir \
    sssd \
    samba-common-tools && yum clean all

COPY run.sh /run.sh
RUN chmod +x /run.sh
#CMD /run.sh
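To see what the auth line in /etc/pam.d/radiusd actually checks, here is an added Python example (it is not code from this page or from google-authenticator-libpam) that parses a ~/.google_authenticator state file and verifies a TOTP code with the same WINDOW_SIZE meaning the PAM module uses (3 = current 30-second step plus one step either side). The state file content is constructed: its layout (base32 secret, then `" OPTION` lines, then 8-digit scratch codes) is what `google-authenticator -t -d -f -r 3 -R 30 -w 3` writes, and the secret is the RFC 4226/6238 test key, not a real one.

```python
"""Verify a Google Authenticator TOTP code against a ~/.google_authenticator file (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample state file. The secret is the RFC 4226/6238 test key
# "12345678901234567890" in base32; the scratch codes are made up.
SAMPLE_STATE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""


def parse_state_file(text):
    """Return (secret_bytes, options, scratch_codes).

    Line 1 is the base32 secret, lines starting with '"' are options
    (name followed by its arguments), remaining numeric lines are
    one-time scratch codes.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    secret = base64.b32decode(lines[0], casefold=True)
    options, scratch = {}, []
    for line in lines[1:]:
        if line.startswith('"'):
            parts = line.lstrip('"').split()
            options[parts[0]] = parts[1:]
        elif line.isdigit():
            scratch.append(line)
    return secret, options, scratch


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % (10 ** digits))


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_code(secret, code, unix_time, window_size=3, step=30):
    """Accept `code` if it matches one of `window_size` consecutive steps
    centred on the current one (WINDOW_SIZE 3 = current step +/- 1).
    Returns the matching counter, or None. Constant-time compare so the
    check does not leak which digits were right."""
    current = int(unix_time) // step
    half = window_size // 2
    for counter in range(current - half, current + half + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def check_state_file(text, code, unix_time=None):
    """End-to-end check as the PAM module does it: scratch code, then TOTP
    within the file's WINDOW_SIZE. A used scratch code must be removed from
    the file by the caller (the PAM module rewrites the file); this only
    reports which kind of code matched: 'scratch', 'totp' or 'rejected'."""
    secret, options, scratch = parse_state_file(text)
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    if unix_time is None:
        unix_time = time.time()
    if code in scratch:
        return "scratch"
    if verify_code(secret, code, unix_time, window) is not None:
        return "totp"
    return "rejected"


if __name__ == "__main__":
    key = parse_state_file(SAMPLE_STATE_FILE)[0]
    print("current code for the sample secret:", totp(key, time.time()))
    print(check_state_file(SAMPLE_STATE_FILE, totp(key, time.time())))
```

The code printed for the sample secret is what you would type as the "password" when testing the container with radtest. DISALLOW_REUSE and RATE_LIMIT are enforced by the PAM module rewriting the file after each attempt; that bookkeeping is deliberately left out here.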
Build the image
sudo docker build -t googleauth -f Dockerfile .
Start Container
This is the old style of binding the host's Kerberos configuration into the container; it is no longer needed but still works. RADIUS authentication runs over UDP, so the port has to be published as /udp (docker's -p defaults to TCP), and the image name must match the tag used in the build step.
sudo docker run --name radtest -dit \
  -v /var/lib/sss:/var/lib/sss \
  -v /home/ec2-user/ga_codes/home:/home \
  -v /home/ec2-user/ga_scripts:/ga_scripts \
  -v /home/ec2-user/ga_web:/ga_web \
  -p 1812:1812/udp googleauth
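Once the container is listening, the quickest check is `radtest <user> <totp-code> 127.0.0.1 1812 0 your_secret_here` from freeradius-utils; with the PAM stack above, the User-Password the client sends is the six-digit TOTP code. The following is an added Python example, not from this page or from FreeRADIUS, that builds the same PAP Access-Request by hand (RFC 2865) so the role of the client secret from clients.conf is visible: it only obscures User-Password with MD5 chaining and authenticates the reply, it does not encrypt the rest of the packet. The user name "alice", the target 127.0.0.1 and the secret "your_secret_here" are placeholders; only `radius_auth` touches the network.

```python
"""Hand-built RADIUS Access-Request (RFC 2865, PAP) to exercise the FreeRADIUS container (added example)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_PORT = 1, 2, 5


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple (at least 16), then
    c_i = p_i XOR MD5(secret + c_{i-1}) with c_0 = Request Authenticator.
    Note this is obfuscation keyed by the shared secret, not modern encryption."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def decrypt_user_password(blob, secret, authenticator):
    """Inverse of encrypt_user_password; the server side of the check."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        out += _xor(blob[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = blob[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, identifier=1, nas_port=0, authenticator=None):
    """Return (packet, request_authenticator). Header is 20 bytes, then type/length/value AVPs."""
    if authenticator is None:
        authenticator = os.urandom(16)  # must be fresh per request
    avps = (
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_PORT, struct.pack(">I", nas_port)),
    )
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in avps)
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator
    return header + body, authenticator


def parse_packet(data):
    """Decode header and AVPs into (code, identifier, authenticator, {type: value})."""
    code, identifier, length = struct.unpack(">BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        t, ln = data[pos], data[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("bad AVP length")
        attrs[t] = data[pos + 2:pos + ln]
        pos += ln
    return code, identifier, data[4:20], attrs


def make_response(code, identifier, request_authenticator, secret, attrs=b""):
    """What a server sends back; used here to self-check the verifier offline."""
    head = struct.pack(">BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_authenticator + attrs + secret).digest()
    return head + resp_auth + attrs


def response_authenticator_ok(response, request_authenticator, secret):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length + RequestAuth + Attributes + Secret).
    Rejecting replies that fail this is what stops a spoofed Access-Accept."""
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radius_auth(host, username, password, secret, port=1812, timeout=5.0):
    """Send one Access-Request over UDP and return 'accept', 'reject', 'timeout' or 'bad-response'."""
    pkt, req_auth = build_access_request(username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code, ident, _, _ = parse_packet(data)
    if ident != pkt[1] or not response_authenticator_ok(data, req_auth, secret):
        return "bad-response"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "other")


if __name__ == "__main__":
    # placeholders: user "alice", her current TOTP code, the secret from clients.conf
    print(radius_auth("127.0.0.1", "alice", "287082", b"your_secret_here"))
```

Because the request carries only a 16-byte MD5-based hiding of the code and the reply is authenticated with plain MD5, the client list in clients.conf (ipaddr/netmask) and a strong, unique secret are what actually gate who can talk to this server; keep UDP/1812 reachable only from the NAS network you listed.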
1. https://github.com/rharmonson/richtech/wiki/Two-Factor-Authentication-using-FreeRADIUS-with-SSSD-(FreeIPA-or-Active-Directory)-and-Google-Authenticator-on-CentOS-7
2. https://blog.tomecek.net/post/kerberos-in-a-container/
3. https://axdlog.com/2016/using-google-authenticator-to-set-up-multi-factor-authentication-on-gnu-linux/
4. https://github.com/Elemental-IRCd/elemental-ircd/issues/100