Increasingly, whether due to regulatory requirements or a basic recognition that static passwords just don't provide adequate security, organizations are implementing some form of strong authentication. Like all new efforts, before you start you want to be reasonably assured that you will succeed. In this tutorial we will document how to add two-factor authentication to various Microsoft remote access solutions through the Windows Server 2008 Network Policy Server. For two-factor authentication we will use the WiKID Strong Authentication Server - Enterprise Edition. WiKID is a dual-source, software-based two-factor authentication system. While this document is product specific, the process is generally the same regardless of product.
Assume that you have a mixed OS environment with some Windows and some Linux/Unix. You have a new requirement for two-factor authentication to meet PCI requirements. You intend to protect all key systems, which are mostly Linux, and you are going to lock down your remote desktop with two-factor authentication too (though we will only discuss SSH here). The plan is to create an SSH gateway server that is locked down with two-factor authentication. Admins can then jump from the gateway box to other servers using public key authentication.
SSH offers a highly secure channel for remote administration of servers. However, since you face an audit for PCI, you have become aware of some potential authentication-related shortcomings that may cause headaches in an audit. For example:
* There is no way to control which users have public keys authorized
* There is no way to enforce passphrase complexity (or even be sure that one is being used)
* There is no way to expire a public key
Additionally, your intention is to add two-factor authentication to other services, such as RDP and a VPN. There is great benefit in having a single two-factor authentication service for all those services and SSH keys will not work for other services.
An overview
After everything is configured, the system will work like this: The user generates a one-time passcode from their WiKID software token. They enter it into the SSH password field. The credentials are passed from the SSH gateway to NPS via RADIUS. NPS validates that the user is active in AD and in the proper group. If so, it sends the username and one-time password to the WiKID Strong Authentication Server, still using RADIUS. If the OTP is valid, the WiKID server responds to NPS, which in turn responds to the SSH gateway server, and the user is granted access. Note that this process is only for authentication; session management is still handled by the SSH gateway or any other remote access service you are using.
First, we will enable the Windows Server 2008 Network Policy Server (NPS).
Add the "Network Policy and Access Services" role to the domain controller.
Enable these role services during installation:
* Network Policy Server
* Routing and Remote Access Services
* Remote Access Service
* Routing
Next we add a new RADIUS Client - The SSH Gateway in this case.
Select Network Policy Server from Administrative Tools.
Right-click on RADIUS Clients and select New.
Add a name, the IP address of your remote access server (the SSH gateway here; a RAS, VPN, etc. elsewhere), and create a shared secret. This secret is shared between the gateway and NPS: you will enter the same value on the SSH gateway in /etc/raddb/server below. It is not the secret the WiKID server uses; WiKID gets its own in the next step.
Click OK.
Add a new Radius Server - The WiKID Strong Authentication Server
Right-click on Remote RADIUS Server Groups, select New, and name the group something like "WiKID".
Click the Add button to add a new RADIUS server to the group.
On the first tab, enter the IP address of the WiKID server. On the second tab, enter the shared secret. That should be all you need to change.
Create a Connection Request Policy
Now that we have created the RADIUS client and the remote RADIUS server group (WiKID), we need a policy that tells NPS which requests to proxy to WiKID. In NPS the forwarding setting lives in a Connection Request Policy rather than in a Network Policy, so create a new one under Connection Request Policies.
Enter a name and leave Type of network access server as Unspecified or choose your remote access system.
Click on the Conditions tab. I added a condition for all requests from my server's IP address.
Click on the Settings page. Click on Authentication and select the button for "Forward requests to the following remote RADIUS server group for authentication". Choose WiKID.
Configure the WiKID Strong Authentication Server
Now that we've configured NPS to proxy authentications, we need to configure WiKID to accept them. See the WiKID installation manual for the details on how to install and configure the WiKID server. Here we're just going to be adding a RADIUS network client for the NPS:
Log in to the WiKIDAdmin web interface.
Click on the Network Clients tab.
Click on "Create New Network Client". Give the Network Client a name, specify the IP address of the NPS server, select RADIUS as the protocol and choose which WiKID Domain to use. (WiKID domains hold the users and specify certain security parameters such as PIN length, the lifetime of the one-time passcodes, max bad PIN/passcode attempts, etc.)
Click Add.
On the next page, enter the shared secret. This is the same secret you entered above on the second tab of the NPS "Add RADIUS Server" step. Make sure these match! WiKID supports adding RADIUS return attributes at the network client level and per user group, but that is beyond the scope of this document.
You will get a notice that the network client has been added. You will need to restart the WiKID server from the command line. This loads the network client into the RADIUS interface and opens the RADIUS ports on the built-in WiKID firewall.
# wikidctl restart
Configuring the SSH Gateway Server
Configure the SSH Gateway
Now we will configure the central SSH gateway. This Linux box is the gateway/proxy to all the production servers in the farm. It should be locked down tight with no extraneous software or services running on it. It should have an external interface for inbound connections and an internal interface for internal connections. First, we will configure the gateway box to use WiKID for strong authentication of SSH users.
First install PAM RADIUS. The PAM RADIUS home page is here.
Download the tar file (as of this writing 1.3.17 was the latest).
Unpack it and run:
$ make
Copy the resulting shared library to /lib/security.
$ sudo cp pam_radius_auth.so /lib/security/
Edit /etc/pam.d/sshd to allow Radius authentication.
$ sudo vi /etc/pam.d/sshd
N.B.: Distributions of Linux have different pam.d file formats. Please check with your distribution for specific suggestions. These instructions work for Fedora/Red Hat/CentOS.
Go to the first line of the file, hit the Insert key or the i key and insert this line.
auth sufficient /lib/security/pam_radius_auth.so
The "sufficient" flag means that if RADIUS authentication succeeds, no further authentication is required. However, if RADIUS authentication fails, the system's local username and password will still work. Use "required" to make strong authentication mandatory. Note that with "required" the "auth include system-auth" line that follows still runs, so users would have to supply both the OTP and their local password unless you also remove that line from the auth section.
Write the file and exit. I hit Esc to leave insert mode and type ':wq'.
Edit or create your /etc/raddb/server file. There is a sample here.
vi /etc/raddb/server
Below the line:
127.0.0.1 secret 1
add this line:
routableIPaddress shared_secret 1
Here routableIPaddress is the IP address of your NPS server, shared_secret is the secret you gave the RADIUS client in NPS, and the trailing number is the timeout in seconds.
Edit your /etc/pam.d/sshd file so that it reads:
#%PAM-1.0
auth       sufficient   /lib/security/pam_radius_auth.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
Add your WiKID server to the /etc/raddb/server file as well, using the internal IP address of the WiKID server and the shared secret you entered on the network client creation page:
# server[:port] shared_secret timeout(s)
127.0.0.1 secret 1
xxx.xxx.xxx.xx wikidserver_secret 3
Two caveats. pam_radius tries the servers in the order listed and moves to the next one only when a server does not answer, so a direct WiKID entry is a fallback that skips NPS (and its AD group check) whenever NPS is down; it also only works if WiKID has a network client entry for the gateway's address and not just for NPS. If every login must pass through NPS, list only the NPS server. Either way, this file holds your shared secrets, so make it readable by root only.
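To make concrete what travels between the gateway, NPS and WiKID in the overview above, and why the shared secret on each hop has to match, here is an added example (it is not from the article, WiKID or pam_radius) of one RADIUS/PAP exchange as defined in RFC 2865. The gateway builds an Access-Request with the User-Password obfuscated under the shared secret, the server recovers the OTP and signs its reply with a Response Authenticator, and the gateway accepts the reply only if that authenticator verifies under its own copy of the secret. The NAS address, the secrets and the table of "current" OTPs are constructed for the example.

```python
"""Minimal RADIUS/PAP exchange (RFC 2865) between an SSH gateway (the NAS)
and an authentication server. Constructed example: hosts, secrets and
one-time passcodes below are made up."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def _attr(atype, value):
    """Encode one attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def encrypt_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\0" * (-len(password) % 16) or b"\0" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decrypt_password(encrypted, secret, request_auth):
    """Inverse of encrypt_password; only works with the same secret."""
    out, prev = b"", request_auth
    for i in range(0, len(encrypted), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\0")


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs


def build_access_request(ident, username, otp, secret, nas_ip=b"\xc0\xa8\x01\x0a"):
    """What pam_radius sends: User-Name in the clear, User-Password obfuscated.
    nas_ip defaults to a constructed 192.168.1.10."""
    request_auth = os.urandom(16)           # fresh random value per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encrypt_password(otp.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def server_respond(request, secret, valid_otps):
    """Stand-in for NPS/WiKID: recover the OTP, check it, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, request_auth, attrs = parse_packet(request)
    user = attrs[USER_NAME].decode(errors="replace")
    otp = decrypt_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if valid_otps.get(user) == otp else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)   # no reply attributes
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify(request, response, secret):
    """NAS side: trust a reply only if its Response Authenticator validates under
    *our* secret. A reply that fails is treated as if it never arrived."""
    _, req_id, request_auth, _ = parse_packet(request)
    code, ident, response_auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if ident != req_id or not hmac.compare_digest(expected, response_auth):
        return "no-valid-response"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def authenticate(username, otp, client_secret, server_secret, valid_otps):
    """Run one round trip and report what the gateway would conclude."""
    request = build_access_request(42, username, otp, client_secret)
    response = server_respond(request, server_secret, valid_otps)
    return client_verify(request, response, client_secret)


if __name__ == "__main__":
    otps = {"alice": b"835109"}          # constructed: the OTP alice's token shows now
    print(authenticate("alice", "835109", b"s3cret", b"s3cret", otps))  # accept
    print(authenticate("alice", "000000", b"s3cret", b"s3cret", otps))  # reject
    print(authenticate("alice", "835109", b"s3cret", b"typo", otps))    # no-valid-response
```

The third case is what a mismatched secret looks like from the gateway: the server decrypts garbage, rejects, and signs the reject with its own secret, so the gateway cannot even validate the reply and pam_radius simply times out the request rather than reporting a bad password. That is why "make sure these match" matters on both hops.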
Let's add some security configuration to SSH here. Open your /etc/ssh/sshd_config (not the nearby ssh_config file). Add these configuration options:
#Protocol 2,1
# Check that only protocol 2 is allowed:
Protocol 2
# Disallow root login:
PermitRootLogin no
# Disallow accounts without passwords:
PermitEmptyPasswords no
You can change the port if you want. It won't stop an attacker, but it may cut down the log events caused by script kiddies. One more check: OpenSSH runs the PAM auth stack only for password and keyboard-interactive logins, so make sure UsePAM is set to yes and do not accept public keys from inbound users on the gateway (set PubkeyAuthentication to no, or at least make sure they have no authorized_keys there), because a key login never reaches pam_radius and would bypass the OTP. The gateway box is now set to use WiKID one-time passcodes for SSH authentication. All users must be registered on the WiKID server, and no one can log in as root. Before we leave this box, we'll do something a little different: we'll have the users create their RSA private keys on the gateway. Once each user has logged in to the WiKID-protected box, have them create their own keys:
$ ssh-keygen -t rsa
In my opinion, passphrases on these keys are redundant. They exist here only to provide single sign-on into the server farm. Obviously, you must be careful to ensure that users cannot access each other's keys: since the keys never leave the gateway, the permissions on each user's home directory and .ssh are what protect them.
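Because the gateway's whole value depends on a handful of sshd_config lines, here is an added example (not the article's code) of checking them programmatically: it parses a config the way sshd does (first occurrence of a keyword wins, comments stripped, Match blocks left aside) and reports anything that would weaken the login or let it bypass pam_radius. The two configs at the bottom are constructed samples, and the compiled-in defaults are taken from sshd_config(5) for OpenSSH releases of this era (newer releases default PermitRootLogin to prohibit-password).

```python
"""Audit an sshd_config for the settings an OTP-protected SSH gateway needs.
Constructed example; not from the article, OpenSSH or pam_radius."""

# (keyword, compiled-in default when the keyword is absent, required value, why)
REQUIRED = [
    ("PermitRootLogin", "yes", "no",
     "admins must log in under their own WiKID-registered account"),
    ("PermitEmptyPasswords", "no", "no",
     "an empty password must never be forwarded to RADIUS"),
    ("UsePAM", "no", "yes",
     "pam_radius is only consulted when sshd authenticates through PAM"),
]


def parse_sshd_config(text):
    """Return global-section keywords (lowercased) mapped to their values.
    The first occurrence of a keyword wins, as in sshd(8). Parsing stops at the
    first Match block because those values apply only conditionally."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """List the settings that would weaken or bypass the OTP login."""
    s = parse_sshd_config(text)
    findings = []
    protocol = s.get("protocol", "2")
    if "1" in [v.strip() for v in protocol.split(",")]:
        findings.append("Protocol %s: SSH-1 is still offered" % protocol)
    for name, default, want, why in REQUIRED:
        have = s.get(name.lower(), default)
        if have.lower() != want:
            findings.append("%s %s: want %s (%s)" % (name, have, want, why))
    # pam_radius runs inside password and keyboard-interactive auth only
    password = s.get("passwordauthentication", "yes").lower()
    keyboard = s.get("challengeresponseauthentication", "yes").lower()
    if password != "yes" and keyboard != "yes":
        findings.append("neither password nor keyboard-interactive auth is "
                        "enabled, so the OTP prompt never appears")
    # a public key accepted by sshd never reaches the PAM auth stack
    if s.get("pubkeyauthentication", "yes").lower() != "no":
        findings.append("PubkeyAuthentication: an authorized_keys entry on "
                        "the gateway would bypass the OTP entirely")
    return findings


# Constructed sample: looks partly hardened but has three holes.
WEAK_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
UsePAM yes
# PermitEmptyPasswords left at its default of no
"""

# Constructed sample: what the gateway should look like.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Run it against /etc/ssh/sshd_config on the gateway after editing; an empty result means the three settings from the article are in place and nothing lets a login skip pam_radius.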
Configure the target servers
Obviously, we configure these servers to accept incoming SSH requests only from the gateway. We do this by restricting access to port 22 to our internal address range. Edit /etc/sysconfig/iptables and add or edit the line for SSH port 22:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
As written this admits the whole internal subnet; to admit only the gateway, use its internal address with a /32 mask in place of the /24. Since admins reach these servers with their keys from the gateway, you can also turn off password authentication on them.
Running the WiKID Software token
Start the WiKID token and select the Domain associated with the SSH Gateway. Then enter the PIN and you will get back the one-time passcode. The OTP is time-bounded, but the time can be set on the WiKID server to whatever you want.
The user simply enters the one-time passcode when prompted by SSH.
The token can also be run from the command line, which is quite convenient for SSH:
java -cp jWiKID-3.1.3.jar:jwcl.jar com.wikidsystems.jw.JWcl domainid
where domainid is the 12-digit domain identifier.
结论
Many organizations are facing increased compliance and regulation. Additionally, environments are becoming more and more heterogeneous and the Internet is becoming more and more dangerous. At the same time, users need more access and want to telecommute more, which is good from a disaster recovery perspective.
While this tutorial focused on adding two-factor authentication to SSH, an unstated premise is that you have chosen RADIUS as your network authentication standard. It is a good one. Most VPNs, remote desktop systems, web servers and other remote access services support RADIUS. Now, when you want to add a new service with two-factor authentication, all you have to ask is "does it support RADIUS?" If so, all you need to do is point it at the NPS server. The same is true if you use FreeRADIUS or some other RADIUS server.
For more information on WiKID's two-factor authentication system, please visit our website.
This story, "Two-factor authentication through Windows Server 2008 NPS", was originally published by CSO.