Difference between revisions of "Google Authenticator"

From Michael's Information Zone
Jump to navigation Jump to search
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Purpose==
 
 
 
==Docker==
 
==Docker==
 
<ref>https://github.com/rharmonson/richtech/wiki/Two-Factor-Authentication-using-FreeRADIUS-with-SSSD-(FreeIPA-or-Active-Directory)-and-Google-Authenticator-on-CentOS-7</ref>
 
<ref>https://github.com/rharmonson/richtech/wiki/Two-Factor-Authentication-using-FreeRADIUS-with-SSSD-(FreeIPA-or-Active-Directory)-and-Google-Authenticator-on-CentOS-7</ref>
I do not understand the relationship between FreeRADIUS, PAM, Google Authenticator, and SSS as much as I should. This took me several days trying to work this out until I found the referenced instructions on GitHub. Thankfully I was able to get a test container working, so now I just need to PROPERLY record the steps I took. Gong back to what I had in 2016 was not sufficient.
+
The purpose of this container is to run freeradius with google authenticator pam modules loaded. Taken from a production system that runs freeradius and apache for a full featured solution allowing users to request new codes without bothering IT.
 
===Host Prep===
 
===Host Prep===
 
This is not a fully contained solution. I ran into problems with SSS and kerberose authentication into AD. The problem stems from two sides
 
This is not a fully contained solution. I ran into problems with SSS and kerberose authentication into AD. The problem stems from two sides
Line 14: Line 12:
 
<br>
 
<br>
 
So I settled on enrolling the host into AD as those are more stable, and because I will be using EC2 instances until I learn the orchastrator in AWS.
 
So I settled on enrolling the host into AD as those are more stable, and because I will be using EC2 instances until I learn the orchastrator in AWS.
 
+
*Make sure your DNS solution is configured to resolve the domain you want to authenticate to.
==CentOS 7==
 
<ref>https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04</ref>
 
<ref>http://freeradius.1045715.n5.nabble.com/Defining-an-Auth-Type-based-on-a-realm-td3208012.html</ref>
 
<ref>http://stackoverflow.com/questions/19021487/freeradius-google-dual-factor-authenticator-pam</ref>
 
<ref>http://lists.freeradius.org/pipermail/freeradius-users/2010-May/046799.html</ref>
 
<ref>http://www.supertechguy.com/help/security/freeradius-google-auth</ref>
 
<ref>http://wiki.freeradius.org/guide/Basic-configuration-HOWTO</ref>
 
<br>
 
*<b>UPDATE 1 :</b> Ran into an issue following VMWare's outdated instructions. Will have to go back and find out what has changed.
 
*<b>UPDATE 2 :</b> I believe I have found the problem, and it would be the use of the pam_lsass.so module. It was starring me straight in the face and I missed it. I have not given up on this but I did quickly realize that I would be the only one in the company that would know how any of this works. <s>Not worth it.</s>
 
*<b>UPDATE 3 :</b> This is still a live project and will be completed in the next week or two. Have to deal with other projects first.
 
*<b>UPDATE 4:</b> When I did decided to go back and make the required changes I found a site<ref>https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator</ref> that outlines everything I had debugged. It also showed I was right about the PAM modules. At least I know I learned something correctly. Next step is to go back over the steps and create an installation script.
 
<ref>https://www.linuxsysadmintutorials.com/setup-sudo-with-google-authenticator-for-2-factor-authentication-on-centos-7.html</ref>
 
 
 
yum install -y git autoconf automake make libtool pam-devel
 
<s> nano /etc/yum.repos.d/pbis.repo
 
 
<pre>
 
<pre>
[PBISO]
+
sudo yum -y upgrade
name=PBISO
+
sudo yum -y install yum-cron oddjob oddjob-mkhomedir sssd samba-common-tools realmd docker
baseurl=http://repo.pbis.beyondtrust.com/yum/pbiso/$basearch
+
sudo realm join -U <username> <domain>
enabled=1
 
gpgcheck=0
 
 
</pre>
 
</pre>
yum -y install pbis-open</s>
+
===Container build===
git clone https://github.com/google/google-authenticator
+
I normally work with CentOS while the FreeRadius containers are based on Debian/Ubuntu. So for this we want to build our own image using the following template. This could be made smaller if I would compile the pam module outside the container and simply add it in, but I wanted to compile it the container just for the fun of it. This makes a number of packages unnecessary.<ref>https://axdlog.com/2016/using-google-authenticator-to-set-up-multi-factor-authentication-on-gnu-linux/</ref><ref>https://github.com/Elemental-IRCd/elemental-ircd/issues/100</ref>
cd google-authenticator/libpam
+
<br>
./bootstrap.sh
+
<br>
./configure
 
./make
 
./make install
 
ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so
 
yum install freeradius
 
ln -s /etc/raddb/mods-enabled/pam /etc/raddb/mods-available/pam
 
sed -i 's/user = freerad/user = root/' /etc/raddb/radiusd.conf
 
sed -i 's/group = freerad/group - root/' /etc/raddb/radiusd.conf
 
nano /etc/raddb/users
 
<pre>
 
DEFAULT Group == “GG_S_GOOGLE_AUTH_DISABLED”, Auth-Type := Reject
 
Reply-Message = “Your account has been disabled.”
 
DEFAULT Auth-Type := PAM
 
</pre>
 
sed -i "s/^#\\tpam/\\tpam/" /etc/raddb/sites-enabled/default
 
Comment out all lines in /etc/pam.d/radiusd then add the following
 
echo "auth requisite pam_google_authenticator.so forward_pass" >> /etc/pam.d/radiusd
 
echo "auth required pam_sss.so use_first_pass" >> /etc/pam.d/radiusd
 
 
 
==Ubuntu 16.04 LTS==
 
*<b>UPDATE :</b> I have little interest in finishing the Ubuntu install instructions. This is incomplete and some of the steps are wrong. I am leaving it here for reference only
 
<ref>https://community.spiceworks.com/how_to/80336-join-ubuntu-14-04lts-to-a-windows-domain-using-pbis-open</ref><br>
 
 
 
sudo wget http://download.beyondtrust.com/PBISO/8.0.1/linux.deb.x64/pbis-open-8.0.1.2029.linux.x86_64.deb.sh
 
git clone https://github.com/google/google-authenticator
 
cd google-authenticator/libpam/
 
sudo apt install dh-autoreconf
 
sudo ./bootstrap.sh
 
./configure
 
sudo make
 
sudo make install
 
sudo apt install freeradius
 
sudo sed -i 's/^user\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf
 
sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf
 
sudo nano /etc/freeradius/users
 
 
<pre>
 
<pre>
#
+
FROM centos:7.6.1810
# Deny access for a group of users.
+
RUN yum -y upgrade
#
+
RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# Note that there is NO 'Fall-Through' attribute, so the user will not
+
##Google Auth Steps
# be given any additional resources.
+
RUN yum install -y google-authenticator \
#
+
        git \
#DEFAULT        Group == "disabled", Auth-Type := Reject
+
        autoconf \
#              Reply-Message = "Your account has been disabled."
+
        dh-autoreconf \
#
+
        cmake \
DEFAULT Group == “CSP-VMWare.GoogleAuth”, Auth-Type := Reject
+
        automake \
Reply-Message = “Your account has been disabled.
+
        libtool.x86_64 \
DEFAULT Auth-Type := PAM
+
        pam-devel mailx
 +
RUN git clone https://github.com/google/google-authenticator-libpam.git
 +
RUN cd /google-authenticator-libpam; ./bootstrap.sh
 +
RUN cd /google-authenticator-libpam; ./configure && make; make install
  
#
+
##Freeradius steps
</pre>
+
RUN yum -y install freeradius \
sudo sed -i 's/^#\ \ \ \ \ \ \ pam/\ \ \ \ \ \ \ \ pam/' /etc/freeradius/sites-enabled/default
+
        freeradius-utils
sudo nano /etc/pam.d/radiusd
+
RUN sed -i 's/user\ =\ radiusd/user\ =\ root/; s/group\ =\ radiusd/group\ =\ root/' /etc/raddb/radiusd.conf
<pre>
+
RUN sed -i "s/^#\\tpam/\\tpam/" /etc/raddb/sites-enabled/default
#
+
RUN ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
+
RUN echo -e " \n\
#
+
client vcs-vdi-01 { \n\
 +
        secret          = your_secret_here\n\
 +
        shortname      = vcs01 \n\
 +
        ipaddr          = 10.xxx.xxx.0 \n\
 +
        netmask        = 23 \n\
 +
} \n\
 +
" >> /etc/raddb/clients.conf
 +
RUN echo "DEFAULT Auth-Type := PAM" >> /etc/raddb/users
 +
RUN rm -f /etc/pam.d/radiusd; echo -e "auth      required    pam_google_authenticator.so\n\
 +
account    required    pam_nologin.so\n\
 +
account    include      password-auth\n\
 +
session    include      password-auth\n\
 +
" >> /etc/pam.d/radiusd
  
# We fall back to the system default in /etc/pam.d/common-*
+
##Kerberos config
#
+
RUN yum -y install krb5-workstation \
 +
        openldap-clients \
 +
        mysql \
 +
        realmd \
 +
        oddjob \
 +
        oddjob-mkhomedir \
 +
        sssd \
 +
        samba-common-tools && yum clean all
  
#@include common-auth
+
COPY run.sh /run.sh
#@include common-account
+
RUN chmod +x /run.sh
#@include common-password
+
#CMD /run.sh
#@include common-session
 
auth requisite pam_google_authenticator.so forward_pass
 
auth required pam_lsass.so use_first_pass
 
 
</pre>
 
</pre>
sudo systemctl start freeradius
+
Build the image
sudo nano /etc/freeradius/clients.conf
 
*Modify the following to match your environment
 
 
<pre>
 
<pre>
#client some.host.org {
+
sudo docker build -t googleauth -f Dockerfile .
#      secret          = testing123
 
#      shortname      = localhost
 
#}
 
 
</pre>
 
</pre>
ie
+
 
 +
===Start Container===
 +
This is old style of binding host kerberos config to container, this is no longer needed but still works.
 
<pre>
 
<pre>
client vcs-vdi-my.domain.com {
+
sudo docker run --name radtest -dit -v /var/lib/sss:/var/lib/sss -v /home/ec2-user/ga_codes/home:/home -v /home/ec2-user/ga_scripts:/ga_scripts -v /home/ec2-user/ga_web:/ga_web -p 1812:1812  googleauth2
      secret          = Imadeasecret!
 
      shortname      = vcs
 
}
 
 
</pre>
 
</pre>
sudo nano /etc/freeradius/proxy.conf
 
realm your.domain.com {
 
}
 
 
sudo systemctl restart freeradius
 

Latest revision as of 16:08, 30 March 2022

Docker

[1] The purpose of this container is to run freeradius with google authenticator pam modules loaded. Taken from a production system that runs freeradius and apache for a full featured solution allowing users to request new codes without bothering IT.

Host Prep

This is not a fully contained solution. I ran into problems with SSS and kerberose authentication into AD. The problem stems from two sides

1. The kerberos works out of the secure kernel. Which causes unprivileged containers the inability to access this. [2]
2. Kerberos likes a stable network. Containers tend to jump around and this causes problems.

So I settled on enrolling the host into AD as those are more stable, and because I will be using EC2 instances until I learn the orchastrator in AWS.

  • Make sure your DNS solution is configured to resolve the domain you want to authenticate to.
sudo yum -y upgrade
sudo yum -y install yum-cron oddjob oddjob-mkhomedir sssd samba-common-tools realmd docker
sudo realm join -U <username> <domain>

Container build

I normally work with CentOS while the FreeRadius containers are based on Debian/Ubuntu. So for this we want to build our own image using the following template. This could be made smaller if I would compile the pam module outside the container and simply add it in, but I wanted to compile it the container just for the fun of it. This makes a number of packages unnecessary.[3][4]

FROM centos:7.6.1810
RUN yum -y upgrade
RUN yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
##Google Auth Steps
RUN yum install -y google-authenticator \
        git \
        autoconf \
        dh-autoreconf \
        cmake \
        automake \
        libtool.x86_64 \
        pam-devel mailx
RUN git clone https://github.com/google/google-authenticator-libpam.git
RUN cd /google-authenticator-libpam; ./bootstrap.sh
RUN cd /google-authenticator-libpam; ./configure && make; make install

##Freeradius steps
RUN yum -y install freeradius \
        freeradius-utils
RUN sed -i 's/user\ =\ radiusd/user\ =\ root/; s/group\ =\ radiusd/group\ =\ root/' /etc/raddb/radiusd.conf
RUN sed -i "s/^#\\tpam/\\tpam/" /etc/raddb/sites-enabled/default
RUN ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
RUN echo -e " \n\
client vcs-vdi-01 { \n\
        secret          = your_secret_here\n\
        shortname       = vcs01 \n\
        ipaddr          = 10.xxx.xxx.0 \n\
        netmask         = 23 \n\
} \n\
" >> /etc/raddb/clients.conf
RUN echo "DEFAULT Auth-Type := PAM" >> /etc/raddb/users
RUN rm -f /etc/pam.d/radiusd; echo -e "auth       required     pam_google_authenticator.so\n\
account    required     pam_nologin.so\n\
account    include      password-auth\n\
session    include      password-auth\n\
" >> /etc/pam.d/radiusd

##Kerberos config
RUN yum -y install krb5-workstation \
        openldap-clients \
        mysql \
        realmd \
        oddjob \
        oddjob-mkhomedir \
        sssd \
        samba-common-tools && yum clean all

COPY run.sh /run.sh
RUN chmod +x /run.sh
#CMD /run.sh

Build the image

sudo docker build -t googleauth -f Dockerfile .

Start Container

This is old style of binding host kerberos config to container, this is no longer needed but still works.

sudo docker run --name radtest -dit -v /var/lib/sss:/var/lib/sss -v /home/ec2-user/ga_codes/home:/home -v /home/ec2-user/ga_scripts:/ga_scripts -v /home/ec2-user/ga_web:/ga_web -p 1812:1812  googleauth2