Configuring Our GRS PAM Module for 2FA for RedHat, CentOS, or Ubuntu

Introduction

GreenRADIUS can be used to enforce two-factor authentication for access to RedHat, CentOS or Ubuntu machines. One way to do this is with our custom GRS PAM Module. Our GRS PAM Module uses HTTPS communication instead of RADIUS, avoiding the need to manage each machine as a RADIUS client.

The following login methods can be protected with the GRS PAM Module:

  • SSH
  • console
  • sudo
  • GNOME

Contact us today to evaluate GreenRADIUS with our custom GRS PAM Module.

Prerequisites

  1. GreenRADIUS, with users imported, reachable from the client machine running RedHat/CentOS 6, 7, or 8, or Ubuntu 16, 18, 20, or 22
    • The usernames imported into GreenRADIUS from your LDAP must match the local user accounts on the Linux machine
  2. GRS PAM Module from Green Rocket Security (at least v2.2.2).
  3. If SELinux is installed on the client machine (it is usually installed by default on RedHat/CentOS), then you will need to do one of the following:
    • Set SELinux to disabled or permissive mode. You can change this setting in the /etc/selinux/config file. After editing the file, reboot your system for the changes to take effect.
    • After you have unpacked the files from the module archive (step 2 below), run sudo chcon system_u:object_r:lib_t:s0 grs_pam.so in your terminal to set the appropriate security context on the module.
  4. You will need a version of Python (Python 3 on every system except RedHat 6 or CentOS 6) and the corresponding Requests module.
    • RedHat/CentOS 6: sudo yum install python and sudo yum install python-requests
    • RedHat/CentOS 7: sudo yum install python3 and sudo pip3 install requests
    • RedHat/CentOS 8: sudo yum install python3 and sudo pip3 install requests
    • Ubuntu 16: sudo apt install python3 python3-requests
    • Ubuntu 18: sudo apt install python3 python3-requests
    • Ubuntu 20: sudo apt install python3 python3-requests
    • Ubuntu 22: sudo apt install python3 python3-requests

Steps

  1. Run sudo su - to enter super user mode
  2. Unpack the provided module archive. You should have three files: make_request.py, config, and grs_pam.so.
    • make_request-centos6.py is the make_request script for RedHat/CentOS 6. If you are using that OS, delete make_request.py and rename make_request-centos6.py to make_request.py.
  3. Run chmod +x make_request.py
  4. Run chmod +x grs_pam.so
  5. Run mkdir /etc/grs-pam
  6. Run mv make_request.py /etc/grs-pam
  7. Run mv config /etc/grs-pam
  8. If and only if your OS is RedHat 6 or CentOS 6: Edit the /etc/grs-pam/make_request.py file and change #!/usr/bin/python3 to #!/usr/bin/python. If the first line already reads #!/usr/bin/python, this step can be skipped.
  9. Move grs_pam.so to the appropriate location for your OS:
    • RedHat/CentOS 6: /lib64/security
    • RedHat/CentOS 7: /lib64/security
    • RedHat/CentOS 8: /lib64/security
    • Ubuntu 16: /lib/x86_64-linux-gnu/security
    • Ubuntu 18: /lib/x86_64-linux-gnu/security
    • Ubuntu 20: /lib/x86_64-linux-gnu/security
    • Ubuntu 22: /lib/x86_64-linux-gnu/security
  10. Edit the /etc/grs-pam/config file to update the following:
    • SERVER: the IP address or hostname of the GreenRADIUS instance, or a list of IP addresses/hostnames
      • e.g. [SERVER:greenradius]
    • VERIFY_SSL: flag to enable/disable peer certificate verification
      • [VERIFY_SSL:YES] - for enforcing certificate verification
      • [VERIFY_SSL:NO] - for disabling certificate verification
    • CERT: the absolute path to a CA_BUNDLE file or directory of trusted CA certs to be used to verify the GreenRADIUS certificate
      • e.g. [CERT:/etc/ssl/certs/ca-bundle.crt]
      • NOTE: If a directory is specified with CERT, it must have been processed using the c_rehash utility supplied with OpenSSL.
    • TIMEOUT: the number of seconds the PAM module will wait for GreenRADIUS to respond
      • e.g. [TIMEOUT:10]

It is possible to configure multiple GreenRADIUS servers by using a set of SERVER directives. Timeout and certificate settings must be configured separately for each server with the appropriate TIMEOUT, VERIFY_SSL, and CERT directives. In this configuration, the PAM module will attempt to contact each server in turn. If one server fails to respond, the next is tried. This is useful for high availability configurations.
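As an added example (not part of the vendor's module or its documentation), the Python below parses a config file written in the [KEY:VALUE] form shown above, groups directives per SERVER entry, and flags the settings a reviewer would reject, with a constructed weak config beside a hardened two-server one. The per-server grouping rule and the skipping of blank and # lines are assumptions, not documented behaviour.

```python
import re
# Assumed directive syntax, taken from the examples in this guide: one [KEY:VALUE] per line.
DIRECTIVE = re.compile(r"^\s*\[([A-Z_]+):(.*)\]\s*$")
# Constructed sample configs (not from a real system): a weak one and a hardened two-server one.
WEAK_CONFIG = """[SERVER:greenradius]
[VERIFY_SSL:NO]
[TIMEOUT:10]
"""
HARDENED_CONFIG = """[SERVER:greenradius]
[VERIFY_SSL:YES]
[CERT:/etc/ssl/certs/ca-bundle.crt]
[TIMEOUT:10]
[SERVER:greenradius-2]
[VERIFY_SSL:YES]
[CERT:/etc/ssl/certs/ca-bundle.crt]
[TIMEOUT:10]
"""

def parse_grs_config(text):
    """One dict per SERVER directive. Assumption (not stated by the vendor): each SERVER
    directive opens a new block and the TIMEOUT/VERIFY_SSL/CERT lines after it belong to it."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are assumed to be ignored
        m = DIRECTIVE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a [KEY:VALUE] directive: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVER":
            servers.append({"SERVER": value})
        elif not servers:
            raise ValueError(f"line {lineno}: {key} appears before any SERVER directive")
        else:
            servers[-1][key] = value
    return servers

def audit_grs_config(servers):
    """Return findings a defender would want fixed; an empty list means the config is sound."""
    findings = []
    for s in servers:
        name = s["SERVER"]
        if s.get("VERIFY_SSL", "").upper() != "YES":
            findings.append(f"{name}: certificate verification off; the module cannot tell a real GreenRADIUS from an impersonator")
        elif not s.get("CERT"):
            findings.append(f"{name}: VERIFY_SSL is YES but CERT is unset; name the CA bundle explicitly")
        timeout = s.get("TIMEOUT", "")
        if not timeout.isdigit() or int(timeout) <= 0:
            findings.append(f"{name}: TIMEOUT must be a positive number of seconds")
    return findings
```

Run audit_grs_config(parse_grs_config(open("/etc/grs-pam/config").read())) on a host to review its configuration; an empty list means every server block passes.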

GRS PAM Module Configuration

  1. Edit one of the following files depending on which login method(s) you want to protect:
    • SSH: /etc/pam.d/sshd
    • console: /etc/pam.d/login
    • sudo: /etc/pam.d/sudo
    • GNOME: /etc/pam.d/gdm-password
    • GNOME Screen Lock: /etc/pam.d/gnome-screensaver
  2. Add the following line at the top of the file: auth required grs_pam.so
  3. Add a # in front of the following line to comment it out:
    • RedHat/CentOS 6: auth include password-auth
    • RedHat/CentOS 7 or 8: auth substack password-auth
    • Ubuntu: @include common-auth
  4. Try a test login with a user. In the password field, enter Password+OTP (the OTP appended to the end of the password), then hit Enter.
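An added Python check, not from the vendor, that verifies a PAM service file ended up in the state steps 2 and 3 describe: grs_pam.so is the first active auth entry and the password-auth/common-auth include is commented out. The file contents below are constructed samples.

```python
# Constructed sample (not from a real host): /etc/pam.d/sshd on Ubuntu after steps 2 and 3.
SSHD_AFTER = """auth required grs_pam.so
#@include common-auth
account    required     pam_nologin.so
@include common-account
session    required     pam_loginuid.so
"""
# Constructed sample of the same file before the edit, for comparison.
SSHD_BEFORE = SSHD_AFTER.replace("auth required grs_pam.so\n", "").replace("#@include", "@include")

# Names of the password-only stacks pulled in on the distributions covered above.
PASSWORD_STACKS = ("password-auth", "common-auth")

def active_entries(text):
    """Yield non-blank, non-comment lines; a leading # disables an entry, which step 3 relies on."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def audit_pam_file(text):
    """Findings against the documented end state: grs_pam.so first, password stack commented out."""
    findings = []
    entries = list(active_entries(text))
    auth = [e for e in entries if e.split()[0] == "auth"]
    if not auth or auth[0].split() != ["auth", "required", "grs_pam.so"]:
        findings.append("first active auth entry is not 'auth required grs_pam.so'")
    for e in entries:
        if e.split()[0] in ("auth", "@include") and any(s in e for s in PASSWORD_STACKS):
            findings.append(f"password-only stack still active: {e}")
    return findings
```

Point audit_pam_file at the text of /etc/pam.d/sshd (or login, sudo, gdm-password) on a host; an empty list means the file matches the steps above.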

If you have any questions during your evaluation or configuration, please do not hesitate to contact us!

Updated 2023-01-13
© 2024 Green Rocket Security Inc. All rights reserved.