Configuring Our GRS PAM Module for 2FA for RedHat, CentOS, or Ubuntu
Introduction
GreenRADIUS can be used to enforce two-factor authentication for access to RedHat, CentOS or Ubuntu machines. One way to do this is with our custom GRS PAM Module. Our GRS PAM Module uses HTTPS communication instead of RADIUS, avoiding the need to manage each machine as a RADIUS client.
The following login methods can be protected with the GRS PAM Module:
- SSH
- console
- sudo
- GNOME
Contact us today to evaluate GreenRADIUS with our custom GRS PAM Module.
Prerequisites
- A GreenRADIUS instance with users imported, reachable over HTTPS from the client machine, which runs RedHat/CentOS 6, 7, or 8, or Ubuntu 16, 18, 20, or 22
- Users imported into GreenRADIUS from your LDAP must have matching usernames with local user accounts on the Linux machine
- GRS PAM Module from Green Rocket Security (at least v2.2.2).
- If SELinux is installed on the client machine (it is usually installed by default on RedHat/CentOS), then you will need to do one of the following:
- Set SELinux to disabled or permissive mode. You can change this setting in the
/etc/selinux/config
file. After editing the file, reboot your system for the changes to take effect.
- After you have unpacked the files from the module archive (step 2 below), run
sudo chcon system_u:object_r:lib_t:s0 grs_pam.so
in your terminal to set the appropriate security context on the module. This is the preferable option, since it leaves SELinux enforcing for everything else on the machine. Note that a label applied with chcon does not survive a filesystem relabel (for example restorecon, or a relabel on boot); if the module stops loading after one, reapply the command to the installed file.
- You will need a version of Python (Python 3 on every system except RedHat 6 or CentOS 6, which use Python 2) and the corresponding Requests module. Where your distribution packages Requests for that Python, prefer the package over pip so the library receives security updates along with the rest of the system.
- RedHat/CentOS 6:
sudo yum install python
and
sudo yum install python-requests
- RedHat/CentOS 7:
sudo yum install python3
and
sudo pip3 install requests
- RedHat/CentOS 8:
sudo yum install python3
and
sudo pip3 install requests
- Ubuntu 16, 18, 20, or 22:
sudo apt install python3 python3-requests
Steps
- Run
sudo su -
to enter super user mode.
- Unpack the provided module archive. You should have three files: make_request.py, config, and grs_pam.so. A make_request-centos6.py file is also provided; it is the make_request file for RedHat/CentOS 6. If you are using this OS, delete make_request.py and rename make_request-centos6.py to make_request.py. Because grs_pam.so and make_request.py run as root inside every protected login, install only an archive obtained directly from Green Rocket Security.
- Run
chmod +x make_request.py
- Run
chmod +x grs_pam.so
- Run
mkdir /etc/grs-pam
- Run
mv make_request.py /etc/grs-pam
- Run
mv config /etc/grs-pam
The module reads config and runs make_request.py as root on every login, so /etc/grs-pam and the files in it must stay owned by root and must not be writable by group or other users; a writable script or config would let a local user redirect the authentication request or forge its result.
- If and only if your OS is RedHat 6 or CentOS 6: edit the /etc/grs-pam/make_request.py file and change its first line from
#!/usr/bin/python3
to
#!/usr/bin/python
If the first line already reads #!/usr/bin/python, this step can be skipped.
- Move grs_pam.so to the appropriate location depending on your OS (these are the x86_64 directories, the same ones that hold the distribution's other pam_*.so modules):
- RedHat/CentOS 6, 7, or 8:
/lib64/security
- Ubuntu 16, 18, 20, or 22:
/lib/x86_64-linux-gnu/security
- Edit the /etc/grs-pam/config file to update the following:
- SERVER: the IP address/hostname of the GreenRADIUS instance, or a list of IP addresses/hostnames, e.g.
[SERVER:greenradius]
- VERIFY_SSL: flag to enable/disable peer certificate verification:
[VERIFY_SSL:YES]
enforces certificate verification, and
[VERIFY_SSL:NO]
disables it. Leave verification enabled anywhere but a throwaway lab: the module sends each user's Password+OTP to whatever answers for the configured hostname, and without verification a spoofed DNS entry or an on-path attacker receives it.
- CERT: the absolute path to a CA_BUNDLE file or directory of trusted CA certs to be used to verify the GreenRADIUS certificate, e.g.
[CERT:/etc/ssl/certs/ca-bundle.crt]
On Ubuntu the system bundle is /etc/ssl/certs/ca-certificates.crt; if GreenRADIUS presents a certificate issued by your own CA, point CERT at a file containing that CA's certificate instead.
NOTE: If a directory is specified with CERT, it must have been processed using the c_rehash utility supplied with OpenSSL.
- TIMEOUT: the number of seconds the PAM module will wait for GreenRADIUS to respond, e.g.
[TIMEOUT:10]
It is possible to configure multiple GreenRADIUS servers by using a set of SERVER directives. Timeout and certificate settings must be configured separately for each server with the appropriate TIMEOUT, VERIFY_SSL, and CERT directives. In this configuration, the PAM module will attempt to contact each server in turn. If one server fails to respond, the next is tried. This is useful for high availability configurations. Note that the worst-case login delay is then the sum of the TIMEOUT values; keep it below the SSH server's LoginGraceTime (120 seconds by default), or the connection is closed before the last server is tried.
- Edit one of the following files depending on which login method(s) you want to protect:
- SSH:
/etc/pam.d/sshd
- console:
/etc/pam.d/login
- sudo:
/etc/pam.d/sudo
- GNOME:
/etc/pam.d/gdm-password
- GNOME Screen Lock:
/etc/pam.d/gnome-screensaver
- Add this line at the top of the file, as the first auth line above any existing ones:
auth required grs_pam.so
- If you would like password and OTP to be prompted for separately, add the word separate_otp_prompt to the end of the previous line:
auth required grs_pam.so separate_otp_prompt
Note that this will not work for all authentication methods, as not all permit custom prompts. With OpenSSH, for example, a second prompt needs keyboard-interactive authentication (KbdInteractiveAuthentication yes, called ChallengeResponseAuthentication in older releases, and off by default on the systems listed above); the plain password method hands PAM a single string and cannot display another prompt.
- Add a # in front of the following line to comment it out:
- RedHat/CentOS 6:
auth include password-auth
- RedHat/CentOS 7 or 8:
auth substack password-auth
- Ubuntu:
@include common-auth
Because the module is marked required and the local password stack is now commented out, the auth result comes from grs_pam.so alone; there is no local-password fallback left in the PAM stack. Keep an existing root shell open, and leave at least one login method (such as the console) unprotected, until the test login below succeeds, so that a mistake in this step cannot lock you out of the machine.
- Try a test login attempt with a user. In the password field, enter Password+OTP (append the OTP to the end of the password), then hit Enter.
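The following shell script is an added example and is not part of the GRS PAM Module or its documentation. It automates the checks worth making before closing the last root session after the steps above: that the first active line of the edited PAM file is the GRS module and the distribution's password stack is commented out, that the config keeps certificate verification on and gives every SERVER its own CERT and TIMEOUT, and that nothing under /etc/grs-pam is writable by group or other users. The sample config and PAM file it writes are constructed for the demo; the hostnames are placeholders, and grouping each server's directives after its SERVER line is an assumption about the config format.

```shell
#!/bin/sh
# Added example, not part of the GRS PAM Module or its documentation.
# Post-install sanity checks for /etc/grs-pam and the PAM service file you
# edited. A password stack left active, a config with VERIFY_SSL:NO, or a
# writable make_request.py is easy to miss, and the first failed SSH login
# is a bad time to find out. Paths are parameters so the checks can also
# run against the constructed sample files written below.

# 0 when the first active line is "auth required grs_pam.so" (optionally
# followed by separate_otp_prompt) and the distribution's password stack
# (auth include/substack password-auth, @include common-auth) is commented out.
grs_pam_stack_ok() {
    pamfile="$1"
    # Skip comment lines (e.g. the #%PAM-1.0 header) and blank lines.
    first=$(grep -v '^[[:space:]]*#' "$pamfile" | grep -v '^[[:space:]]*$' | head -n 1)
    set -- $first    # split on whitespace so tabs and spaces compare equal
    if [ "$1 $2 $3" != "auth required grs_pam.so" ]; then
        echo "$pamfile: first active line is not the GRS module: '$first'" >&2
        return 1
    fi
    if [ -n "$4" ] && [ "$4" != "separate_otp_prompt" ]; then
        echo "$pamfile: unexpected module argument '$4'" >&2
        return 1
    fi
    # An active password-stack include means the local password is still
    # checked, on top of (or instead of) Password+OTP at GreenRADIUS.
    if grep -v '^[[:space:]]*#' "$pamfile" | grep -Eq \
        '^[[:space:]]*(auth[[:space:]]+(include|substack)[[:space:]]+password-auth|@include[[:space:]]+common-auth)'; then
        echo "$pamfile: password stack include is still active" >&2
        return 1
    fi
    return 0
}

# 0 when no [VERIFY_SSL:NO] appears and every [SERVER:...] has its own
# [CERT:...] and [TIMEOUT:...]. With verification off, anything that can
# answer for the GreenRADIUS hostname receives each user's Password+OTP.
grs_config_ok() {
    cfg="$1"
    if grep -Eqi '^\[VERIFY_SSL:NO\]' "$cfg"; then
        echo "$cfg: peer certificate verification is disabled" >&2
        return 1
    fi
    servers=$(grep -c '^\[SERVER:' "$cfg" || true)   # grep -c exits 1 on zero matches
    certs=$(grep -c '^\[CERT:' "$cfg" || true)
    timeouts=$(grep -c '^\[TIMEOUT:' "$cfg" || true)
    if [ "$servers" -eq 0 ] || [ "$certs" -ne "$servers" ] || [ "$timeouts" -ne "$servers" ]; then
        echo "$cfg: $servers SERVER, $certs CERT, $timeouts TIMEOUT directives" >&2
        return 1
    fi
    return 0
}

# 0 when nothing under the module directory is group- or world-writable;
# the module reads config and runs make_request.py as root on every login.
grs_files_ok() {
    bad=$(find "$1" \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$bad" ]; then
        printf '%s: writable by group or others:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample config for two servers (hostnames are placeholders;
# grouping each server's directives after its SERVER line is an assumption).
write_sample_config() {
    cat > "$1" <<'EOF'
[SERVER:greenradius1.example.com]
[VERIFY_SSL:YES]
[CERT:/etc/ssl/certs/ca-bundle.crt]
[TIMEOUT:10]
[SERVER:greenradius2.example.com]
[VERIFY_SSL:YES]
[CERT:/etc/ssl/certs/ca-bundle.crt]
[TIMEOUT:10]
EOF
}

# Constructed sample of an Ubuntu /etc/pam.d/sshd after the edit.
write_sample_pam() {
    cat > "$1" <<'EOF'
# PAM configuration for the Secure Shell service
auth required grs_pam.so separate_otp_prompt
#@include common-auth
account required pam_nologin.so
@include common-account
EOF
}

# Stand-alone demo on the constructed files; on a real host point the checks
# at /etc/grs-pam, /etc/grs-pam/config and the /etc/pam.d file you edited.
tmpd=$(mktemp -d)
write_sample_config "$tmpd/config"
write_sample_pam "$tmpd/sshd"
grs_config_ok "$tmpd/config" && echo "config: OK"
grs_pam_stack_ok "$tmpd/sshd" && echo "pam stack: OK"
grs_files_ok "$tmpd" && echo "permissions: OK"
rm -rf "$tmpd"
```

Run it as root after the steps above, or copy the three check functions into your own script and point them at /etc/grs-pam/config, /etc/grs-pam and the /etc/pam.d file you edited. A failing check prints the reason on stderr and returns 1, so the functions can also gate a configuration-management run.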
If you have any questions during your evaluation or configuration, please do not hesitate to contact us!
© 2024 Green Rocket Security Inc. All rights reserved.