UniOTP PAM Agent

From SecuTech Wiki

This document details how to install and configure the UniOTP PAM Authentication Agent in the Red Hat Enterprise Linux 5 operating system, and how to use UniOTP's authentication system as an additional factor in user authentication.

Environment: Operating System: Red Hat Enterprise Linux 5

Important: there is currently no way to safely test whether a user account bound to UniOTP will authenticate successfully on Linux after installation and configuration. Back up all important data and proceed carefully.


Extract pam_secu.tar.gz

Navigate to the directory where the setup package "pam_secu.tar.gz" is located. In the example screenshot below, the setup package is located in /tmp/Desktop. Use "cd" to change to that directory and "tar zxvf" to extract the setup package, as shown below.

command line cd and tar command

The "tar" command extracts the files into the same directory as the archive "pam_secu.tar.gz".

extraction output

Install the PAM Authentication Agent

To install the PAM Agent, you must be logged in as root. Once logged in as root, run "./install" from the directory containing the extracted files.

running install

The following output will appear.

install output

After installation has completed, the system prompts "Change configuration file now? [y/n]". To change the configuration file now, input y and press Enter; otherwise input n and press Enter. Here we input n and press Enter, since the configuration file can be changed later. The following information is then displayed. Make sure the configuration file has been configured correctly before restarting the computer; otherwise the next login may fail.

installation finished output

Verify PAM Agent Installation

You can check whether the PAM agent has been installed successfully as follows.

1. Go to /lib/security to check the pam_secu.so file.

security file directory

2. Go to /usr/lib to check the libuniotp_agent_c.so file.

lib file directory

3. Go to /etc to check the secu_pam_agent.conf file.

etc file directory

If all these files are present in their directories, the PAM Agent has been installed successfully, and the next step is to configure it.

PAM Agent Configuration

Configure secu_pam_agent.conf

This file contains the settings for each system account: the mapping of the dynamic-password (OTP) account name to the system account, the authentication server IP address, the shared key and the authentication server port. For more details, read the introduction in secu_pam_agent.conf.

opening secu_pam_agent.conf with vi

The file opens as follows. Add a system user and the corresponding parameters, as shown in the picture below.

[user name]
uniotp_account=newtest
authserver=
share=hello
port=1812
maxwait=3

  • [user name]: a valid system account name (example: [root])
  • uniotp_account: the dynamic-password (OTP) account name mapped to [user name]
  • authserver: authentication server IP address
  • share: shared secret key (obtain it from the authentication service administrator)
  • port: authentication server connection port
  • maxwait: the maximum time to wait for a response from the authentication server
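The page warns twice that a wrong secu_pam_agent.conf causes login failures at the next boot, so a check worth running before rebooting is to parse the file and confirm that every account section is complete. This added example is not part of the page or the UniOTP agent; it assumes the [user name] section layout described above, uses a constructed sample with a documentation-range server address, and applies assumed sanity bounds for port and maxwait.

```python
import ipaddress
import pwd
from configparser import ConfigParser, Error as ConfigError

# Constructed samples in the layout the page describes: one [user name] section
# per system account holding the OTP mapping and authentication server settings.
# 192.0.2.10 (a documentation-range address) stands in for the real server IP.
GOOD_CONF = """[root]
uniotp_account=newtest
authserver=192.0.2.10
share=hello
port=1812
maxwait=3
"""
BAD_CONF = GOOD_CONF.replace("=192.0.2.10", "=").replace("port=1812", "port=auth")

REQUIRED_KEYS = ("uniotp_account", "authserver", "share", "port", "maxwait")
RANGES = {"port": 65535, "maxwait": 3600}  # assumed sanity bounds, not agent limits

def check_secu_conf(text, user_exists=lambda name: True):
    """Return a list of problems; an empty list means the file looks safe to reboot with."""
    parser = ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except ConfigError as exc:
        return [f"unparseable file: {exc}"]
    problems = [] if parser.sections() else ["no [user name] section found"]
    for user in parser.sections():
        if not user_exists(user):
            problems.append(f"[{user}]: not a system account")
        for key in REQUIRED_KEYS:  # every key must be present and non-empty
            if not parser.get(user, key, fallback="").strip():
                problems.append(f"[{user}]: {key} is missing or empty")
        server = parser.get(user, "authserver", fallback="").strip()
        if server:
            try:
                ipaddress.ip_address(server)
            except ValueError:
                problems.append(f"[{user}]: authserver {server!r} is not an IP address")
        for key, upper in RANGES.items():  # numeric fields must be sane integers
            value = parser.get(user, key, fallback="").strip()
            if value and not (value.isdigit() and 1 <= int(value) <= upper):
                problems.append(f"[{user}]: {key} must be an integer in 1..{upper}")
    return problems

if __name__ == "__main__":  # run as root before rebooting, per the page's warning
    local_users = {entry.pw_name for entry in pwd.getpwall()}
    with open("/etc/secu_pam_agent.conf") as fh:
        for problem in check_secu_conf(fh.read(), local_users.__contains__):
            print("PROBLEM:", problem)
```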

Configure the PAM Authentication Agent

Configuring the PAM authentication agent means adding the OTP server's PAM authentication module to the service configuration files in /etc/pam.d:

cd /etc/pam.d

Configure Command Line Login Authentication

Open the login file in /etc/pam.d and add the following "auth required pam_secu.so" line:

vi /etc/pam.d/login

auth required /lib/security/pam_secu.so

Save and quit. This completes the PAM agent configuration for command-line login authentication. Linux-PAM has five control-flag keywords: required, requisite, sufficient, optional and include.

  • required: the success of this module is required for the module-type facility to succeed. Failure of this module will not be apparent to the user until all of the remaining modules (of the same module-type) have been executed.
  • requisite: like required, but if such a module returns a failure, control is returned directly to the application. The return value is that of the first required or requisite module to fail. This flag can be used to protect against the possibility of a user being given the opportunity to enter a password over an unsafe medium. It is conceivable that such behavior might inform an attacker of valid accounts on a system; this possibility should be weighed against the not insignificant concern of exposing a sensitive password in a hostile environment.
  • sufficient: the success of this module is deemed "sufficient" to satisfy the Linux-PAM library that this module-type has succeeded in its purpose. If no previous required module has failed, no more "stacked" modules of this type are invoked (note that in this case subsequent required modules are not invoked). A failure of this module is not deemed fatal to satisfying the application that this module-type has succeeded.
  • optional: as its name suggests, this control-flag marks the module as not critical to the success or failure of the user's application for service. In general, Linux-PAM ignores such a module when determining whether the module stack will succeed or fail. However, in the absence of any definite successes or failures of previous or subsequent stacked modules, this module determines the nature of the response to the application. One example of this latter case is when the other modules return something like PAM_IGNORE.
  • include: tells PAM to include all lines of the given type from the configuration file specified as an argument to this control. The idea is to create a few "systemwide" PAM configs and include parts of them in application PAM configs.

pam_secu.so supports a debug option. If you add debug after pam_secu.so, debug information is written to the system log (for example: auth sufficient pam_secu.so debug). You can also specify the configuration file with conf –directory (for example: auth sufficient pam_secu.so conf –/etc/secu_pam_agent.conf); the agent then reads the configuration file from the specified location instead of the default one.

Configure Desktop Login Authentication

Open the PAM configuration file for gdm in /etc/pam.d and add "auth required pam_secu.so" as the first line.

vi /etc/pam.d/gdm

auth required pam_secu.so

Save and quit. This completes the PAM agent configuration for desktop login authentication. Make sure the configuration file has been configured correctly before restarting the computer; otherwise logins may fail on the next boot.

Configure Remote Terminal Login Authentication

Open the sshd file in /etc/pam.d and add the following "auth sufficient pam_secu.so sshd" line:

vi sshd

auth sufficient pam_secu.so sshd

For remote login authentication, only sufficient can be used. Save and quit. This completes the PAM agent configuration for remote terminal login authentication.
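To see what the control flags listed above mean in practice, and why the page's sshd entry uses sufficient where login and gdm use required, this added example (not from the page or the agent) models the classic Linux-PAM control-flag semantics and evaluates the page's two entries against a few outcome combinations. It assumes the distribution's pam_unix.so follows pam_secu.so in each stack, since the page adds a line to the existing files rather than replacing them.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    control: str  # required | requisite | sufficient | optional
    module: str   # e.g. pam_secu.so

def run_auth_stack(stack, results):
    """Evaluate an auth stack with Linux-PAM's classic control flags.
    results maps module -> 'success' | 'fail' | 'ignore'.
    Returns (verdict, modules actually invoked)."""
    consulted, first_fail, saw_success, opt_result = [], None, False, None
    for rule in stack:
        consulted.append(rule.module)
        outcome = results.get(rule.module, "ignore")
        if rule.control in ("required", "requisite"):
            if outcome == "fail":
                first_fail = first_fail or rule.module  # recorded, reported at the end
                if rule.control == "requisite":
                    break  # control returns to the application immediately
            elif outcome == "success":
                saw_success = True
        elif rule.control == "sufficient":
            if outcome == "success" and first_fail is None:
                return "success", consulted  # remaining modules are not invoked
            # a failing sufficient module is not fatal: fall through to the rest
        elif rule.control == "optional" and opt_result is None and outcome != "ignore":
            opt_result = outcome  # only decides when nothing else did
    if first_fail:
        return "fail", consulted
    return ("success" if saw_success or opt_result == "success" else "fail"), consulted

# The page's entries, with the distribution's password module assumed to follow:
# the page adds pam_secu.so to the existing login/sshd files, it does not replace them.
LOGIN_STACK = [Rule("required", "pam_secu.so"), Rule("required", "pam_unix.so")]
SSHD_STACK = [Rule("sufficient", "pam_secu.so"), Rule("required", "pam_unix.so")]
CASES = {  # constructed outcome combinations
    "otp ok, password ok": {"pam_secu.so": "success", "pam_unix.so": "success"},
    "otp ok, password bad": {"pam_secu.so": "success", "pam_unix.so": "fail"},
    "otp bad, password ok": {"pam_secu.so": "fail", "pam_unix.so": "success"},
}

def compare_stacks():
    """Verdict of the login (required) and sshd (sufficient) stacks per case."""
    return {name: (run_auth_stack(LOGIN_STACK, r)[0], run_auth_stack(SSHD_STACK, r)[0])
            for name, r in CASES.items()}

if __name__ == "__main__":
    for name, (login, sshd) in compare_stacks().items():
        print(f"{name:22} login={login:7} sshd={sshd}")
```

With sufficient, an OTP failure is not fatal and the later modules decide, so whether a static password alone can still open an ssh session depends on what follows pam_secu.so in the real /etc/pam.d/sshd; review that file after adding the line.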

Testing PAM Authentication Agent

Testing Command Line Authentication

Input the user name [root] and press Enter. The system then asks for OTP[PIN]. Input the dynamic password generated by your OTP device, followed by your PIN, on this line and press Enter. On the next Password line, input your static password and press Enter. If you see [root@localhost ~]#, you are logged in as root.

command line authentication logging in as root

Testing Desktop Login Authentication

After configuring the gdm file, you can log in to the system through the GUI. Input the user name when the following login screen appears.

Red Hat login screen, username: root

Input the user name [root]; the password screen then appears.

Red Hat login screen, OTP[PIN]: enter

Input the OTP and PIN, then press Enter. If you can log in to the system, you have successfully configured the PAM agent for desktop login authentication.

Testing Remote Login Authentication

We use SecureCRT as the remote login tool. Once UniOTP protection is enabled for remote login authentication, you must input OTP+PIN in the password field to log in to the host computer, then click OK.

enter secure shell password

Once you are logged in successfully, the following screen is displayed:

SecureCRT main window