As an IT consultant I'm constantly looking for solutions that can help my customers (and me too!) achieve more proficient, effective IT management. Sometimes they think they need complex and expensive solutions to protect and enhance access to their data, but often the solution is easy and secure. This time, a customer asked me to implement "more secure" access to an SSH/SFTP server, so I tested the OTP solution provided by SecurePass.
SecurePass is a cloud identity management system, provided as SaaS (Software as a Service). The implementation was extremely fast and easy, so I decided to write this essential how-to to explain how it works.
The prerequisites for this test/tutorial are very small; I used:
- Ubuntu Server, with SSH enabled and working
- If not already installed, the libpam-radius-auth library (you can easily verify it by checking for pam_radius_auth.so in /lib/security; otherwise simply do an apt-get install libpam-radius-auth)
- A SecurePass account and a user account with the same name on the server
As the first step, we log in to the SecurePass site to configure a new device.
As shown in the picture, we only need to set the public IP address of the server, a fully qualified domain name (FQDN), and the secret password for the RADIUS authentication. After completion we get a short recap of the newly created device.
At this point, we can log in to the server to configure the RADIUS authentication.
Pick your favourite editor, open /etc/pam_radius_auth.conf and add the following lines at the end of the file (server, shared secret, timeout in seconds):
radius1.secure-pass.net secret 3
radius2.secure-pass.net secret 3
Of course the "secret" is the same one we set up on the SecurePass site.
Beyond this point we need to configure PAM to correctly manage the authentication.
Pick up an editor again and open /etc/pam.d/common-auth;
we have to set up two simple lines:
auth    [success=1 default=ignore]    pam_unix.so nullok_secure try_first_pass
That's all! You are now ready to log in to your system using the combination user + OTP password! Easy, isn't it?
The OTP can be provided by a physical token or, as in this case, by the dedicated Android app,
as shown in the photo.
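Because the shared secret in /etc/pam_radius_auth.conf is all a RADIUS client needs to talk to the servers, a quick sanity check of the two files edited above is worth keeping around. The helper below is an added example, not part of the original post or of SecurePass's own tooling: it parses pam_radius_auth.conf (server[:port] secret [timeout] [source_ip]), flags a config file readable by non-root users or a placeholder secret, and checks that common-auth actually references pam_radius_auth.so; the placeholder list and the sample inputs are constructed.

```python
import stat

# Constructed list of stand-in values that should never be a real shared secret.
PLACEHOLDER_SECRETS = {"secret", "testing123", "changeme"}


def parse_radius_conf(text):
    """Parse pam_radius_auth.conf lines: server[:port] secret [timeout] [source_ip]."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or len(fields) > 4:
            raise ValueError(f"line {lineno}: expected 2-4 fields, got {len(fields)}")
        host, _, port = fields[0].partition(":")
        entry = {"host": host, "port": int(port) if port else 1812,  # 1812 = RADIUS auth port
                 "secret": fields[1], "timeout": 3}                  # module default timeout
        if len(fields) >= 3:
            if not fields[2].isdigit():
                raise ValueError(f"line {lineno}: timeout must be an integer")
            entry["timeout"] = int(fields[2])
        servers.append(entry)
    return servers


def audit_radius_setup(conf_text, conf_mode, common_auth_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # The file holds the shared secret, so group/other must have no access bits.
    if stat.S_IMODE(conf_mode) & 0o077:
        findings.append("pam_radius_auth.conf is readable by group/other; make it root-only (0600)")
    try:
        servers = parse_radius_conf(conf_text)
    except ValueError as exc:
        return findings + [f"pam_radius_auth.conf syntax: {exc}"]
    if not servers:
        findings.append("no RADIUS servers configured")
    for s in servers:
        if s["secret"].lower() in PLACEHOLDER_SECRETS or len(s["secret"]) < 8:
            findings.append(f"{s['host']}: shared secret looks like a placeholder or is too short")
    # If no PAM line names pam_radius_auth.so, the OTP is never asked for.
    active = [l.split("#", 1)[0] for l in common_auth_text.splitlines()]
    if not any("pam_radius_auth.so" in l for l in active):
        findings.append("common-auth never calls pam_radius_auth.so, so the OTP is not enforced")
    return findings
```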