How to configure two-factor authentication using sudo in Linux
To configure two-factor authentication using sudo in Linux
Two-factor authentication is used to reduce the risk of infiltration. In this tutorial we will learn how to add RADIUS to sudo on CentOS 7 or Ubuntu 16.04. The setup is made more robust with the help of a WiKID Strong Authentication server. With pam-radius, authorization is done in the root folder, and authentication is then done separately on the two-factor authentication server.
To configure sudo on CentOS
Utilise the following command to install the dependencies.
[root@linuxhelp ~]# yum install make gcc pam pam-devel -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirror.nbrc.ac.in
* extras: mirror.nbrc.ac.in
* updates: mirror.nbrc.ac.in
Resolving Dependencies
--> Running transaction check
---> Package gcc.x86_64 0:4.8.5-4.el7 will be installed
--> Processing Dependency: libgomp = 4.8.5-4.el7 for package: gcc-4.8.5-4.el7.x86_64
--> Processing Dependency: cpp = 4.8.5-4.el7 for package: gcc-4.8.5-4.el7.x86_64
--> Processing Dependency: libgcc >= 4.8.5-4.el7 for package: gcc-4.8.5-4.el7.x86_64
--> Processing Dependency: glibc-devel >= 2.2.90-12 for package: gcc-4.8.5-4.el7.x86_64
--> Processing Dependency: libmpc.so.3()(64bit) for package: gcc-4.8.5-4.el7.x86_64
---> Package pam.x86_64 0:1.1.8-9.el7 will be updated
---> Package pam.x86_64 0:1.1.8-12.el7_1.1 will be an update
---> Package pam-devel.x86_64 0:1.1.8-12.el7_1.1 will be installed
--> Running transaction check
---> Package cpp.x86_64 0:4.8.5-4.el7 will be installed
.
.
.
Installed:
gcc.x86_64 0:4.8.5-4.el7 pam-devel.x86_64 0:1.1.8-12.el7_1.1
Dependency Installed:
cpp.x86_64 0:4.8.5-4.el7 glibc-devel.x86_64 0:2.17-106.el7_2.6 glibc-headers.x86_64 0:2.17-106.el7_2.6
kernel-headers.x86_64 0:3.10.0-327.22.2.el7 libmpc.x86_64 0:1.0.1-3.el7
Updated:
pam.x86_64 0:1.1.8-12.el7_1.1
Dependency Updated:
glibc.x86_64 0:2.17-106.el7_2.6 glibc-common.x86_64 0:2.17-106.el7_2.6 libgcc.x86_64 0:4.8.5-4.el7
libgomp.x86_64 0:4.8.5-4.el7
Complete!
Run the following command to download the latest pam radius code.
[root@linuxhelp ~]# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
--2016-07-29 06:14:52-- ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
=> ‘pam_radius-1.4.0.tar.gz’
Resolving ftp.freeradius.org (ftp.freeradius.org)... 62.210.29.29
Connecting to ftp.freeradius.org (ftp.freeradius.org)|62.210.29.29|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD (1) /pub/radius ... done.
==> SIZE pam_radius-1.4.0.tar.gz ... 179458
==> PASV ... done. ==> RETR pam_radius-1.4.0.tar.gz ... done.
Length: 179458 (175K) (unauthoritative)
100%[=======================================================================================> ] 179,458 139KB/s in 1.3s
2016-07-29 06:14:56 (139 KB/s) - ‘pam_radius-1.4.0.tar.gz’ saved [179458]
Extract the downloaded file by using the following command.
[root@linuxhelp ~]# tar -xzvf pam_radius-1.4.0.tar.gz
pam_radius-1.4.0/
pam_radius-1.4.0/.gitignore
pam_radius-1.4.0/.travis.yml
pam_radius-1.4.0/Changelog
pam_radius-1.4.0/INSTALL
pam_radius-1.4.0/LICENSE
pam_radius-1.4.0/Makefile
pam_radius-1.4.0/README.rst
.
.
.
pam_radius-1.4.0/pamsymbols.ver
pam_radius-1.4.0/src/
pam_radius-1.4.0/src/config.h.in
pam_radius-1.4.0/src/md5.c
pam_radius-1.4.0/src/md5.h
pam_radius-1.4.0/src/pam_radius_auth.c
pam_radius-1.4.0/src/pam_radius_auth.h
pam_radius-1.4.0/src/radius.h
Run the following command to install pam radius.
[root@linuxhelp ~]# cd pam_radius-1.4.0/
[root@linuxhelp pam_radius-1.4.0]# ./configure
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for g++... no
.
.
.
checking for struct in6_addr... yes
checking whether byte ordering is bigendian... (cached) no
checking for an ANSI C-conforming const... yes
checking for the compiler flag "-Wdocumentation"... no
checking if building with -DNDEBUG... no
configure: creating ./config.status
config.status: creating src/config.h
[root@linuxhelp pam_radius-1.4.0]# make
cc -Wall -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o
src/pam_radius_auth.c: In function ‘pam_private_session’:
src/pam_radius_auth.c:1300:6: warning: variable ‘ctrl’ set but not used [-Wunused-but-set-variable]
int ctrl
^
cc -Wall -fPIC -c src/md5.c -o md5.o
cc -shared pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
Copy the library to the /lib64/security/ path.
[root@linuxhelp pam_radius-1.4.0]# cp pam_radius_auth.so /lib64/security/
Under /etc, create the raddb configuration directory and copy the sample configuration to /etc/raddb/server, the file pam_radius reads by default.
[root@linuxhelp pam_radius-1.4.0]# mkdir -p /etc/raddb
[root@linuxhelp pam_radius-1.4.0]# cp pam_radius_auth.conf /etc/raddb/server
Open the server file and add the server IP and shared secret to it.
[root@linuxhelp pam_radius-1.4.0]# nano /etc/raddb/server
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
radius_server_IP secret 3
Edit the file /etc/pam.d/sudo as shown below so that sudo uses RADIUS.
[root@linuxhelp pam_radius-1.4.0]# nano /etc/pam.d/sudo
auth required pam_radius_auth.so
To configure sudo on Ubuntu
Run the following command to install pam radius.
root@linuxhelp:~# apt-get install libpam-radius-auth -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
radius-server
The following NEW packages will be installed:
libpam-radius-auth
0 upgraded, 1 newly installed, 0 to remove and 338 not upgraded.
Need to get 25.9 kB of archives.
After this operation, 101 kB of additional disk space will be used.
.
.
.
Fetched 25.9 kB in 1s (24.0 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libpam-radius-auth.
(Reading database ... 172193 files and directories currently installed.)
Preparing to unpack .../libpam-radius-auth_1.3.17-0ubuntu4_amd64.deb ...
Unpacking libpam-radius-auth (1.3.17-0ubuntu4) ...
Setting up libpam-radius-auth (1.3.17-0ubuntu4) ...
Open the configuration file by using the following command, then set the server IP and shared secret.
root@linuxhelp:~# nano /etc/pam_radius_auth.conf
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
radius_server_IP secret 3
#
Open the sudo file and add the following line into it.
root@linuxhelp:~# nano /etc/pam.d/sudo
auth sufficient pam_radius_auth.so
This completes the two-factor authentication configuration for Ubuntu in three simple steps.
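The CentOS section adds the RADIUS line as required and the Ubuntu section adds it as sufficient; under PAM, a failed sufficient module is ignored and the stack continues, so whatever follows (typically the local password check) can still satisfy sudo. The shell check below is an added example, not part of the original tutorial: it classifies a PAM service file by the control flag and position of pam_radius_auth.so and checks that the shared-secret file is readable by its owner only. The function names, verdict labels and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how pam_radius_auth.so is wired into a PAM service file.

# Prints one verdict line: enforced | fallback | review | missing.
audit_sudo_pam() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                    # comments, blank lines
        $1 == "auth" || ($1 == "@include" && $2 ~ /auth/) {
            n++                                           # nth entry of the auth stack
            if ($0 ~ /pam_radius_auth\.so/ && !pos) { pos = n; ctl = $2 }
        }
        END {
            # enforced: RADIUS is first and its failure always fails the stack
            # fallback: RADIUS failure is ignored and later auth entries still run
            # review:   earlier entries may end the stack before RADIUS is reached
            if (!pos)                                            v = "missing"
            else if (pos == 1 && ctl ~ /^(required|requisite)$/) v = "enforced"
            else if (ctl == "sufficient" && n > pos)             v = "fallback"
            else                                                 v = "review"
            printf "%s control=%s auth_entry=%d/%d\n", v, (pos ? ctl : "-"), pos, n
        }' "$1"
}

# True when group and others have no access to the shared-secret file.
secret_file_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

demo() {
    d=$(mktemp -d)
    # Constructed sample: CentOS-style sudo file with the tutorial's "required" line.
    printf '%s\n' '#%PAM-1.0' 'auth required pam_radius_auth.so' \
        'auth include system-auth' 'account include system-auth' > "$d/centos"
    # Constructed sample: Ubuntu-style sudo file with the tutorial's "sufficient" line.
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_radius_auth.so' \
        '@include common-auth' '@include common-account' > "$d/ubuntu"
    audit_sudo_pam "$d/centos"
    audit_sudo_pam "$d/ubuntu"
    rm -rf "$d"
}
demo
```

On a real host, run audit_sudo_pam against /etc/pam.d/sudo and secret_file_private against /etc/raddb/server (CentOS) or /etc/pam_radius_auth.conf (Ubuntu).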