Difference between revisions of "Google Authenticator"
Michael.mast (talk | contribs) |
Michael.mast (talk | contribs) |
||
Line 24: | Line 24: | ||
<br> | <br> | ||
<br> | <br> | ||
− | One thing I needed to make my "app" to work is the ability to send emails. Sendmail is what I currently use to make this happen, but the one thing I was missing for hours was a properly formatted hosts line. | + | One thing I needed to make my "app" to work is the ability to send emails. Sendmail is what I currently use to make this happen, but the one thing I was missing for hours was a properly formatted hosts line. It MUST be very specific (maybe I just don't understand MTAs? Possible)<ref>https://github.com/docker-library/php/issues/135#issuecomment-277199026</ref> |
<pre> | <pre> | ||
FROM docker.io/centos:latest | FROM docker.io/centos:latest |
Revision as of 17:02, 9 November 2018
Contents
Purpose
Docker
[1] I do not understand the relationship between FreeRADIUS, PAM, Google Authenticator, and SSS as much as I should. This took me several days trying to work this out until I found the referenced instructions on GitHub. Thankfully I was able to get a test container working, so now I just need to PROPERLY record the steps I took. Gong back to what I had in 2016 was not sufficient.
Host Prep
This is not a fully contained solution. I ran into problems with SSS and kerberose authentication into AD. The problem stems from two sides
1. The kerberos works out of the secure kernel. Which causes unprivileged containers the inability to access this. [2]
2. Kerberos likes a stable network. Containers tend to jump around and this causes problems.
So I settled on enrolling the host into AD as those are more stable, and because I will be using EC2 instances until I learn the orchastrator in AWS.
- Make sure your DNS solution is configured to resolve the domain you want to authenticate to.
sudo yum -y upgrade sudo yum -y install yum-cron oddjob oddjob-mkhomedir sssd samba-common-tools realmd docker sudo realm join -U <username> <domain>
Container build
I normally work with CentOS while the FreeRadius containers are based on Debian/Ubuntu. So for this we want to build our own image using the following template. This could be made smaller if I would compile the pam module outside the container and simply add it in, but I wanted to compile it the container just for the fun of it. This makes a number of packages unnecessary.[3][4]
One thing I needed to make my "app" to work is the ability to send emails. Sendmail is what I currently use to make this happen, but the one thing I was missing for hours was a properly formatted hosts line. It MUST be very specific (maybe I just don't understand MTAs? Possible)[5]
FROM docker.io/centos:latest RUN yum upgrade -y RUN yum install -y freeradius freeradius-utils google-authenticator krb5-workstation \ openldap-clients mysql realmd oddjob oddjob-mkhomedir sssd samba-common-tools git \ autoconf dh-autoreconf cmake automake libtool.x86_64 pam-devel sendmail RUN git clone https://github.com/google/google-authenticator-libpam.git RUN cd /google-authenticator-libpam; ./bootstrap.sh RUN cd /google-authenticator-libpam; ./configure && make; make install RUN sed -i 's/user\ =\ radiusd/user\ =\ root/; s/group\ =\ radiusd/group\ =\ root/' /etc/raddb/radiusd.conf RUN sed -i "s/^#\\tpam/\\tpam/" /etc/raddb/sites-enabled/default RUN ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam RUN echo -e " \n\ client my-client { \n\ secret = some-secret-here \n\ shortname = name \n\ ipv4addr = xxx.xxx.xxx.xxx \n\ } \n\ " >> /etc/raddb/clients.conf RUN echo "DEFAULT Auth-Type := PAM" >> /etc/raddb/users RUN rm -f /etc/pam.d/radiusd; echo -e "auth required pam_google_authenticator.so\n\ account required pam_nologin.so\n\ account include password-auth\n\ session include password-auth\n\ " >> /etc/pam.d/radiusd RUN sed -i 's/dnl\ define\(\`SMART_HOST\'\,\ \`smtp\.your\.provider/define\(\`SMART_HOST\'\,\ \`yourrelayserver\.com/' /etc/mail/sendmail.mc RUN sed -i '/127/ d' /etc/hosts RUN echo "xxx.xxx.xxx.xxx yourrelayserver.com" >> /etc/hosts RUN echo "127.0.0.1 noreply.domain.com $(hostname)" >> /etc/hosts RUN m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
Start Container
sudo docker run --name radtest -dit -v /var/lib/sss:/var/lib/sss -v /home/ec2-user/ga_codes/home:/home -v /home/ec2-user/ga_scripts:/ga_scripts -v /home/ec2-user/ga_web:/ga_web googleauth2
CentOS 7
- UPDATE 1 : Ran into an issue following VMWare's outdated instructions. Will have to go back and find out what has changed.
- UPDATE 2 : I believe I have found the problem, and it would be the use of the pam_lsass.so module. It was starring me straight in the face and I missed it. I have not given up on this but I did quickly realize that I would be the only one in the company that would know how any of this works.
Not worth it. - UPDATE 3 : This is still a live project and will be completed in the next week or two. Have to deal with other projects first.
- UPDATE 4: When I did decided to go back and make the required changes I found a site[12] that outlines everything I had debugged. It also showed I was right about the PAM modules. At least I know I learned something correctly. Next step is to go back over the steps and create an installation script.
yum install -y git autoconf automake make libtool pam-devel
nano /etc/yum.repos.d/pbis.repo
[PBISO] name=PBISO baseurl=http://repo.pbis.beyondtrust.com/yum/pbiso/$basearch enabled=1 gpgcheck=0
yum -y install pbis-opengit clone https://github.com/google/google-authenticator cd google-authenticator/libpam ./bootstrap.sh ./configure ./make ./make install ln -s /usr/local/lib/security/pam_google_authenticator.so /usr/lib64/security/pam_google_authenticator.so yum install freeradius ln -s /etc/raddb/mods-enabled/pam /etc/raddb/mods-available/pam sed -i 's/user = freerad/user = root/' /etc/raddb/radiusd.conf sed -i 's/group = freerad/group - root/' /etc/raddb/radiusd.conf nano /etc/raddb/users
DEFAULT Group == “GG_S_GOOGLE_AUTH_DISABLED”, Auth-Type := Reject Reply-Message = “Your account has been disabled.” DEFAULT Auth-Type := PAM
sed -i "s/^#\\tpam/\\tpam/" /etc/raddb/sites-enabled/default
Comment out all lines in /etc/pam.d/radiusd then add the following
echo "auth requisite pam_google_authenticator.so forward_pass" >> /etc/pam.d/radiusd echo "auth required pam_sss.so use_first_pass" >> /etc/pam.d/radiusd
Ubuntu 16.04 LTS
- UPDATE : I have little interest in finishing the Ubuntu install instructions. This is incomplete and some of the steps are wrong. I am leaving it here for reference only
sudo wget http://download.beyondtrust.com/PBISO/8.0.1/linux.deb.x64/pbis-open-8.0.1.2029.linux.x86_64.deb.sh git clone https://github.com/google/google-authenticator cd google-authenticator/libpam/ sudo apt install dh-autoreconf sudo ./bootstrap.sh ./configure sudo make sudo make install sudo apt install freeradius sudo sed -i 's/^user\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf sudo sed -i 's/^group\ =\ freerad/user\ =\ root/' /etc/freeradius/radiusd.conf sudo nano /etc/freeradius/users
# # Deny access for a group of users. # # Note that there is NO 'Fall-Through' attribute, so the user will not # be given any additional resources. # #DEFAULT Group == "disabled", Auth-Type := Reject # Reply-Message = "Your account has been disabled." # DEFAULT Group == “CSP-VMWare.GoogleAuth”, Auth-Type := Reject Reply-Message = “Your account has been disabled.” DEFAULT Auth-Type := PAM #
sudo sed -i 's/^#\ \ \ \ \ \ \ pam/\ \ \ \ \ \ \ \ pam/' /etc/freeradius/sites-enabled/default sudo nano /etc/pam.d/radiusd
# # /etc/pam.d/radiusd - PAM configuration for FreeRADIUS # # We fall back to the system default in /etc/pam.d/common-* # #@include common-auth #@include common-account #@include common-password #@include common-session auth requisite pam_google_authenticator.so forward_pass auth required pam_lsass.so use_first_pass
sudo systemctl start freeradius sudo nano /etc/freeradius/clients.conf
- Modify the following to match your environment
#client some.host.org { # secret = testing123 # shortname = localhost #}
ie
client vcs-vdi-my.domain.com { secret = Imadeasecret! shortname = vcs }
sudo nano /etc/freeradius/proxy.conf
realm your.domain.com { }
sudo systemctl restart freeradius
- ↑ https://github.com/rharmonson/richtech/wiki/Two-Factor-Authentication-using-FreeRADIUS-with-SSSD-(FreeIPA-or-Active-Directory)-and-Google-Authenticator-on-CentOS-7
- ↑ https://blog.tomecek.net/post/kerberos-in-a-container/
- ↑ https://axdlog.com/2016/using-google-authenticator-to-set-up-multi-factor-authentication-on-gnu-linux/
- ↑ https://github.com/Elemental-IRCd/elemental-ircd/issues/100
- ↑ https://github.com/docker-library/php/issues/135#issuecomment-277199026
- ↑ https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04
- ↑ http://freeradius.1045715.n5.nabble.com/Defining-an-Auth-Type-based-on-a-realm-td3208012.html
- ↑ http://stackoverflow.com/questions/19021487/freeradius-google-dual-factor-authenticator-pam
- ↑ http://lists.freeradius.org/pipermail/freeradius-users/2010-May/046799.html
- ↑ http://www.supertechguy.com/help/security/freeradius-google-auth
- ↑ http://wiki.freeradius.org/guide/Basic-configuration-HOWTO
- ↑ https://github.com/rharmonson/richtech/wiki/CentOS-7-Minimal-&-Two-factor-Authentication-using-FreeRADIUS-3,-SSSD-1.12,-&-Google-Authenticator
- ↑ https://www.linuxsysadmintutorials.com/setup-sudo-with-google-authenticator-for-2-factor-authentication-on-centos-7.html
- ↑ https://community.spiceworks.com/how_to/80336-join-ubuntu-14-04lts-to-a-windows-domain-using-pbis-open