Difference between revisions of "How-to-set-up-multifactor-authentication"

From BubbaWiki
Latest revision as of 12:14, 7 October 2010

How to set up multifactor authentication
Author: Eek

This tutorial is about setting up high-security multifactor authentication using a series of single-use "passcodes".
Many of us like the bubba for its power and versatility, and we also want to be able to connect to it from outside our home network. SSH/PuTTY lets us open up our entire home network from a remote location, which of course adds to the security risk. That is why I created this how-to: to show a way to implement high-security multifactor authentication.
One tip: do not open port 22 in your router for ssh (hackers scan for known port numbers); choose a random port number instead.
Information about high-security multifactor authentication using a series of single-use "passcodes" can be found at: https://www.grc.com/ppp.htm
Or listen to the podcasts on the subject at http://www.grc.com/securitynow.htm
This how-to describes installation of the PAM module by Thomas Fors (http://code.google.com/p/ppp-pam/).
Note: Installed and tested on Etch; Sarge should also work.

Packages
Install the packages, using the Debian sources, see Howto install Debian packages [5].

apt-get install subversion make gcc g++ uuid-dev libpam0g-dev
apt-get install wget

Installation

$ cd /tmp
$ wget http://ppp-pam.googlecode.com/files/ppp-pam-0.2.tar.gz
$ tar -xvzf ppp-pam-0.2.tar.gz
$ cd ppp-pam/build
$ ../configure
$ make

Test to confirm it builds correctly

make test

Install the pppauth utility and PAM module in the appropriate folders.

make install

Configuration
Enable PPP authentication for ssh connections.

vi /etc/pam.d/ssh

Enter the following line just below: @include common-auth

auth required pam_ppp.so

Make sure you have the following settings in sshd_config

vi /etc/ssh/sshd_config

ChallengeResponseAuthentication yes
UsePAM yes
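
Before closing the session you are editing from, it is worth confirming that both files really contain what the steps above describe. The script below is an added example, not part of ppp-pam or of the original how-to; the function names are hypothetical, and it assumes the whitespace-separated "Keyword value" form in sshd_config and looks only at the global part of that file (before any Match line).

```shell
#!/bin/sh
# Added example (not part of ppp-pam): check the two files edited above.

# Succeeds if an active "auth required pam_ppp.so" line follows an
# active "@include common-auth" line in the PAM service file $1.
pam_ppp_after_common_auth() {
    awk '
        $1 ~ /^#/ { next }                                  # comment line
        $1 == "@include" && $2 == "common-auth" { seen = 1 }
        $1 == "auth" && $2 == "required" && $3 == "pam_ppp.so" && seen { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Succeeds if keyword $2 is set to value $3 in the global part of the
# sshd_config file $1. sshd keeps the first value it reads, so only the
# first occurrence counts; keywords are case-insensitive.
sshd_option_is() {
    awk -v key="$2" -v want="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }                     # global part ends
        tolower($1) == tolower(key) { ok = (tolower($2) == tolower(want)); exit }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Run all checks; the defaults are the paths used in this how-to.
check_ppp_ssh_config() {
    pam_file=${1:-/etc/pam.d/ssh}
    sshd_file=${2:-/etc/ssh/sshd_config}
    rc=0
    pam_ppp_after_common_auth "$pam_file" ||
        { echo "FAIL: pam_ppp.so not below @include common-auth in $pam_file" >&2; rc=1; }
    for key in ChallengeResponseAuthentication UsePAM; do
        sshd_option_is "$sshd_file" "$key" yes ||
            { echo "FAIL: $key is not set to yes in $sshd_file" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample files, so the check can be tried without touching /etc.
demo_dir=$(mktemp -d)
printf '%s\n' '@include common-auth' 'auth required pam_ppp.so' > "$demo_dir/ssh"
printf '%s\n' 'ChallengeResponseAuthentication yes' 'UsePAM yes' > "$demo_dir/sshd_config"
check_ppp_ssh_config "$demo_dir/ssh" "$demo_dir/sshd_config" && echo "demo config OK"
```

Calling check_ppp_ssh_config with no arguments checks the live /etc/pam.d/ssh and /etc/ssh/sshd_config instead of the sample files.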

Usage
Create a PPP sequence key for the user account you use to log in. This will probably not be root!

pppauth --key

Generate a passcard. Print or save it.

pppauth --text --next 1

Try logging in to test it.

ssh localhost

References
1. https://www.grc.com/ppp.htm
2. http://www.grc.com/ppp/software.htm
3. http://code.google.com/p/ppp-pam/
4. http://code.google.com/p/ppp-pam/wiki/Building
5. http://forum.excito.net/viewtopic.php?t=421