Configuring Our GRS PAM Module for 2FA for RedHat, CentOS, or Ubuntu

Introduction

GreenRADIUS can be used to enforce two-factor authentication for access to RedHat, CentOS or Ubuntu machines. One way to do this is with our custom GRS PAM Module. Our GRS PAM Module uses HTTPS communication instead of RADIUS, avoiding the need to manage each machine as a RADIUS client.

The following login methods can be protected with the GRS PAM Module:

  • SSH
  • console
  • sudo
  • GNOME

Contact us today to evaluate GreenRADIUS with our custom GRS PAM Module.

Prerequisites

  1. GreenRADIUS with users imported, reachable from the client machine(s); the client machine(s) must run RedHat/CentOS 6, 7, or 8, or Ubuntu 16, 18, or 20
  2. GRS PAM Module from Green Rocket Security (at least v2.2.2).
  3. Client machine(s) that can reach GreenRADIUS
  4. SELinux must be disabled or set to permissive mode on the client machine, if it is installed (it is usually installed on RedHat/CentOS). You can change the SELinux configuration in the /etc/selinux/config file.
  5. You will need a version of Python (Python 3 on every system except RedHat 6 or CentOS 6) and the corresponding Requests module.
    • RedHat/CentOS 6: sudo yum install python and sudo yum install python-requests
    • RedHat/CentOS 7: sudo yum install python3 and sudo pip3 install requests
    • RedHat/CentOS 8: sudo yum install python3 and sudo pip3 install requests
    • Ubuntu 16: sudo apt install python3 python3-requests
    • Ubuntu 18: sudo apt install python3 python3-requests
    • Ubuntu 20: sudo apt install python3 python3-requests

Steps

  1. Run sudo su - to enter super user mode
  2. Unpack the provided module archive. You should have three files: make_request.py, config, and grs_pam.so.
    • The make_request-centos6.py file is the make_request file for RedHat/CentOS 6.
  3. Run chmod +x make_request.py
  4. Run chmod +x grs_pam.so
  5. Run mkdir /etc/grs-pam
  6. Run mv make_request.py /etc/grs-pam
  7. Run mv config /etc/grs-pam
  8. If and only if your OS is RedHat 6 or CentOS 6: Edit the /etc/grs-pam/make_request.py file and change #!/usr/bin/python3 to #!/usr/bin/python.
  9. Move the grs_pam.so to the appropriate location depending on your OS:
    • RedHat/CentOS 6: /lib64/security
    • RedHat/CentOS 7: /lib64/security
    • RedHat/CentOS 8: /lib64/security
    • Ubuntu 16: /lib/x86_64-linux-gnu/security
    • Ubuntu 18: /lib/x86_64-linux-gnu/security
    • Ubuntu 20: /lib/x86_64-linux-gnu/security
  10. Edit the /etc/grs-pam/config file to update the following:
    • SERVER: the IP address/hostname of the GreenRADIUS instance, or a list of IP addresses/hostnames
      • e.g. [SERVER:greenradius]
    • VERIFY_PEER: flag to enable/disable peer certificate verification
      • [VERIFY_PEER:YES] - for enforcing certificate verification
      • [VERIFY_PEER:NO] - for disabling certificate verification
    • CERT: the absolute path to a CA_BUNDLE file or directory of trusted CA certs to be used to verify the GreenRADIUS certificate
      • e.g. [CERT:/etc/ssl/certs/ca-bundle.crt]
      • NOTE: If a directory is specified with CERT, it must have been processed using the c_rehash utility supplied with OpenSSL.
    • TIMEOUT: the number of seconds the PAM module will wait for GreenRADIUS to respond
      • e.g. [TIMEOUT:10]

It is possible to configure multiple GreenRADIUS servers by using a set of SERVER directives. Timeout and certificate settings must be configured separately for each server with the corresponding TIMEOUT, VERIFY_PEER, and CERT directives. In this configuration, the PAM module contacts each server in turn: if one server fails to respond, the next is tried. This is useful for high-availability configurations.
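As an added example (not part of the GRS PAM Module or of this guide), a small Python checker for the /etc/grs-pam/config directives described above. It assumes one [KEY:value] directive per line, as in the examples, with blank lines and # comments ignored, and it flags VERIFY_PEER:NO as a weak setting because that removes certificate verification from the HTTPS channel the module relies on.

```python
import re
from typing import Dict, List, Tuple

# Assumed format, read off the guide's examples: one [KEY:value] directive per line,
# e.g. [SERVER:greenradius]; blank lines and '#' comments are assumed to be ignored.
DIRECTIVE = re.compile(r"^\[([A-Z_]+):(.*)\]$")
KNOWN_KEYS = {"SERVER", "VERIFY_PEER", "CERT", "TIMEOUT"}


def parse_config(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) directives in file order; repeated SERVER lines are kept."""
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a [KEY:value] directive: {raw!r}")
        directives.append((m.group(1), m.group(2).strip()))
    return directives


def check_config(text: str) -> Dict[str, List[str]]:
    """Errors stop the module from working; warnings mark valid but weak settings."""
    errors, warnings = [], []
    directives = parse_config(text)
    keys = {k for k, _ in directives}
    for key, value in directives:
        if key not in KNOWN_KEYS:
            errors.append(f"unknown directive {key}")
        elif key == "VERIFY_PEER" and value not in ("YES", "NO"):
            errors.append(f"VERIFY_PEER must be YES or NO, got {value!r}")
        elif key == "VERIFY_PEER" and value == "NO":
            warnings.append("VERIFY_PEER:NO disables certificate verification "
                            "of the HTTPS channel to GreenRADIUS")
        elif key == "TIMEOUT" and not (value.isdigit() and int(value) > 0):
            errors.append(f"TIMEOUT must be a positive number of seconds, got {value!r}")
        elif key == "CERT" and not value.startswith("/"):
            errors.append(f"CERT must be an absolute path, got {value!r}")
    if "SERVER" not in keys:
        errors.append("no SERVER directive")
    if ("VERIFY_PEER", "YES") in directives and "CERT" not in keys:
        errors.append("VERIFY_PEER:YES needs a CERT path to a trusted CA bundle")
    return {"errors": errors, "warnings": warnings}


# Constructed samples: the guide's documented values, and a weak variant.
GOOD_CONFIG = "[SERVER:greenradius]\n[VERIFY_PEER:YES]\n[CERT:/etc/ssl/certs/ca-bundle.crt]\n[TIMEOUT:10]\n"
WEAK_CONFIG = "[SERVER:greenradius-2.example.com]\n[VERIFY_PEER:NO]\n[TIMEOUT:abc]\n"
```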

GRS PAM Module Configuration

  1. Edit one of the following files depending on which login method(s) you want to protect:
    • SSH: /etc/pam.d/sshd
    • console: /etc/pam.d/login
    • sudo: /etc/pam.d/sudo
    • GNOME: /etc/pam.d/gdm-password
    • GNOME Screen Lock: /etc/pam.d/gnome-screensaver
  2. Add this line at the top of the file: auth sufficient grs_pam.so. Because the module is marked sufficient, a login that GreenRADIUS rejects falls through to the remaining auth entries in the file (local password authentication), so ensure that users who must use 2FA do not have locally set passwords.
  3. Try a test login with a user. In the password field, enter Password+OTP (the password immediately followed by the OTP), then press Enter.

If you have any questions during your evaluation or configuration, please do not hesitate to contact us!

Updated 2020-09-12
© 2020 Green Rocket Security Inc. All rights reserved.