These instructions describe setting up two-factor authentication with WiKID Strong Authentication, which is a commercial/open source two-factor authentication system and OpenVPN, an SSL-encrypted VPN, on a Linux server using the Radius Pluggable Authentication Module.. First, we will configure PAM to use Radius, then we will configure OpenVPN to use PAM and one-time passwords, then we will create a network client on the WiKID server for OpenVPN. We won’t go into specifics about installing these services, rather we will focus on configuring them to all work together.
First, you need to install PAM Radius. There is excellent documentation on this at the PAM Radius home page. Depending on your distribution, you might also be able to find a suitable binary.
Edit /etc/pam.d/sshd to allow Radius authentication:
Go to the second line of the file, hit the Insert key or the i key and insert this line:
auth sufficient /lib/security/pam_radius_auth.so
just above this line:
auth required pam_stack.so service=system-auth
The “sufficient” tag indicates that if the Radius authentication succeeds then no additional authentication will be required. However, if the Radius authentication fails, a username and password from the system will work. Use “Required” to require strong authentication. Because we are only editing the sshd file, it will not affect terminal log-ins.
Write the file and quit. Hit the Esc key to exit insert mode and type “:wq”
Edit or create your /etc/raddb/server file:
Below the line:
127.0.0.1 secret 1
Add this line, substituting the IP Address of the WiKID server:
routableIPaddress shared_secret 1
Later, we will configure a network client on the WiKID server to talk to the PAM module. First, let’s configure OpenVPN to talk to the PAM module.
Configuring OpenVPN for two-factor authentication
OpenVPN is an excellent open-source VPN solution. While it supports certificates out of the box, you may need true two-factor authentication for regulatory requirements or you may prefer an easier to manage solution or you may need one-time passwords for a non-VPN system, such as SSH or webmail. Luckily, OpenVPN is easily configured to support one-time passwords.
Install OpenVPN according to their excellent how-to.
You will want to configure the server side to use an alternate authentication method, just add this to server.conf file (verify the location of openvpn-auth-pam.so):
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
If you want to drop the requirement for client certificates, add the following as well:
Dropping the requirement for client certificates does not drop the tunnel encryption! It just means that individual client certificates for each user are not required. It also increases the scalability of the OpenVPN server.
Then, on the client, specify that the user enter a password by adding this to the client.conf or client.opvn:
If you drop the requirement for client certificates on the server, you should also comment them out on the client:
#cert client.crt #key client.key
Configuring the WiKID Server
Now, we’ll configure the WiKID server to process the one-time passwords from OpenVPN. We assume that you also need to set up a new WiKID domain. If you already have one, you may skip this part.
Log into the WiKID server and click on the Domains Tab
Click on Create a New Domain
Enter the information requested. The Domain Server code is the zero-padded IP address of the WiKID server. So, if the external IP address is 188.8.131.52, the WiKID server code would be 216239051099. Click “Create”. (Obviously, if you already have a domain setup, you can skip this step.)
Click Network Clients tab and on “Create a new Network Client”.
Enter the information requested. For the IP Address, use the IP address of the OpenVPN server. Select Radius and the domain you just created. Click “Add” when you’re finished.
On the next page, enter the shared secret you entered in the /etc/raddb/server file of the OpenVPN server. Do not have to enter any information under “Return Attributes”.
Important: From the WiKID terminal or via SSH, you will need to run “stop” and then “start” to load the new configuration into the WiKID Radius server.
That is it. You should now be able to log in to OpenVPN using a one-time passcode from your WiKID token client. Note that in this configuration, you also will be using WiKID for SSH. You might consider setting your OpenVPN server as an SSH gateway – require WiKID to login to SSH to this box, then allow the use of key authentication to other boxes on the network. Lock down those boxes to only allow access from the OpenVPN box and you have extremely secure SSH. For additional information on configuring WiKID, please visit our site.