WiKID is a dual-sourced two-factor authentication server that uses software tokens (PC/smartphone) to transmit PINs and one-time passwords encrypted with public key encryption. These keys are generated on the device and server and exist only there – unlike most shared-secret based solutions. Now that WiKID Enterprise version free for 5 users it is easy to create an authentication server that supports Enterprise-oriented remote access services. If you are running services on Amazon, Google Compute, Digital Ocean, etc then you may want to build a two-factor authentication server there. Alternatively, you may be running your infrastructure at home on VMWare or Virtual Box. Either way, you can use these packer scripts to build a two-factor authentication server.
First, download and install packer.
Download or checkout our WiKID server packer scripts from github.
Note that the script builds a server uses Centos 6. You will need to check that the AMI is available to you or edit that entry in centos-6-x86-64.json. If you are building for VMWare or Virtualbox, edit the iso listing to match your location and md5sum.
The customization occurs in the packer provisioning scripts. There is only one here: provisioners/wikid-appliance.sh. It’s quite simple. It installs dependencies, initiates the database and installs the WiKID RPMs. You can add to this file if you like.
To build the server, simply run:
$packerlocation/packer build centos-6-x86-64.json
To build for a single location, use something like:
$packerlocation/packer build -var ‘aws_access_key=*******’ -var ‘aws_secret_key=***’ –only=amazon-ebs centos-6-x86-64.json
Go get some coffee (down the street). Eventually, an AMI should appear in you EC2 console. Launch it and you’re ready to configure your WiKID Two-factor authentication server. You can see the configuration docs or use the quick configuration option as described in a previous tutorial. For bonus points, you can add the quickstart configuration file to your packer scripts and run it from packer!
Note that the tokens will use port 80 and the WiKIDAdmin interface 443. We recommend you tunnel your connection to the WiKIDAdmin over SSH or use some other additional security measure. We do not protect the admin interface with WiKID lest a problem with the server leave you locked out. If you plan to use RADIUS be sure to tunnel that traffic too as it is not encrypted by default.
Please check our main download page for updates to the WiKID two-factor server. We have included them in the /rpms/ folder but they may not be the most recent.