WHITE PAPER
Configuring Ping Authentication Quick Guide for PBPS, PBW, PBUL and PBIS
Configuring Ping: Quick Guide for PBPS, PBW, PBUL and PBIS © 2018. BeyondTrust Software, Inc.
Contents
Configuring Ping Authentication for PowerBroker Password Safe Using RADIUS .....................................2
Configuring Ping Authentication for PowerBroker for Windows Using RADIUS .......................................9
Configuring Ping Authentication for PowerBroker for Unix and Linux, and PBIS, Using RADIUS .............. 14
Configuring PBUL....................................................................................................................... 14
Testing the Configuration........................................................................................................... 16
Configuring Ping Authentication for PowerBroker Password Safe Direct Connect ................................. 18
Configuring Ping Authentication for PowerBroker Password Safe Using SAML ...................................... 21
Configuring Ping Authentication for PowerBroker Password Safe Using RADIUS
Download and install the PingFederate server, then open the administrative console.
1. Ping Console.
For more information, see https://documentation.pingidentity.com/pingfederate/pf90/#gettingStartedGuide/concept/gettingStarted.html
For configuring RADIUS, see https://docs.pingidentity.com/bundle/pid_sm_VPN_pingid/page/configuringRADIUSServerOnPingFederate.html
2. Configure clients.
3. Configure the port and copy the properties file (obtained from the PingOne dashboard). You may need to
request a PingOne evaluation.
4. Configure Active Directory. You should see a Password Credential Validator instance like the one shown.
5. In BeyondInsight, configure RADIUS Authentication.
6. Create a test group in AD, add a test user to it, and import the group into BeyondInsight. Configure the
test user for RADIUS.
7. Log on to BeyondInsight with your test user.
8. Use the mobile app or another version of the Ping app (the Windows version is shown) to obtain the passcode.
After providing the passcode and clicking OK, you should be logged on to Password Safe.
Configuring Ping Authentication for PowerBroker for Windows Using RADIUS
1. Using Group Policy Editor or Policy Editor, create the Multifactor record. Increase the timeout to 30 or
60 seconds, enter the shared secret you selected for the Ping RADIUS server, and select Username and
Password for Initial Request.
2. Create a user message.
3. Create a test Privileged Identity rule for an application.
4. Create a shortcut for C:\Windows\system32\xwizard.exe on your desktop.
5. When you start the application, you should see the user message for Ping. Enter the code and click OK.
The test application starts.
Configuring Ping Authentication for PowerBroker for Unix and Linux, and PBIS, Using RADIUS
To configure your Unix or Linux host for PAM/RADIUS authentication, follow the steps below.
1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to
/lib64/security/pam_radius_auth.so
2. Create a config file for your RADIUS server: /etc/raddb/server
The format is: ip_address:port sharedsecret timeout
For example: dc01:1812 btlab16* 60
3. Edit /etc/pam.d/sshd as follows:
auth required pam_radius_auth.so
account required pam_radius_auth.so
password required pam_radius_auth.so
auth substack password-auth
auth include postlogin
----------------------
4. You may need to change /etc/ssh/sshd_config to allow PAM (UsePAM yes).
If PAM is not yet available on the Unix or Linux host, follow the steps in the document referenced above to
install it using yum.
5. Restart sshd for the SSH configuration to take effect: service sshd restart
Note: If you plan to use Password Safe with Ping, configuring the host for PAM/RADIUS will be redundant.
Configuring PBUL
We will configure and test one use case around pbrun and a privileged command. These steps are
based on 64-bit CentOS.
1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to
/lib64/security/pam_radius_auth.so
2. Create a config file for your RADIUS server: /etc/raddb/server
3. Create the file pbul_pam_radius under /etc/pam.d:
#task control module
auth required pam_radius_auth.so
account required pam_radius_auth.so
password required pam_radius_auth.so
-----------
Then you can configure a role, e.g. DemoRole, to allow elevated commands and use PAM.
4. In /etc/pb/pbul_functions.conf, add this section:
# Procedure DemoRole:
# If 'EnableDemoRole' is enabled, it allows any user in DemoUsers (default all users) to run
# commands in DemoCommands (default 'id' and 'whoami') as 'root'
#
procedure DemoRole()
{
    if ( EnableDemoRole && user in DemoUsers && (runhost in DemoHosts ||
         TargetRunHostShortName in DemoHosts) && basename(command) in DemoCommands )
    {
        SetRunEnv("root", true);
        accept;
    }
}
----------------------
5. In /etc/pb/pbul_policy.conf, add this section:
# This enables "Demo role", which allows any user in DemoUsers (default all users) to run
# commands in DemoCommands (default 'id' and 'whoami') as 'root'
# on any host in DemoHosts (default all hosts)
# By default, this role is disabled. To enable it, set EnableDemoRole to true below.
#
# IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
#
EnableDemoRole = true;
DemoUsers = {"amiller", "jsmith1"};
DemoCommands = {"id", "whoami", "useradd", "userdel"};
DemoHosts = {runhost, TargetRunHostShortName};
runconfirmuser = "btuapi";
runconfirmpasswdservice = "pbul_pam_radius";
DemoRole();
6. Create a user on your Unix or Linux host to match the user in Ping, e.g. jsmith1 in the example above.
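Steps 1 to 3 of both the sshd procedure above and this PBUL procedure create the same two artifacts on the host: the pam_radius_auth server file (one "host:port secret timeout" line per RADIUS server) and a PAM service file that calls pam_radius_auth.so. The script below is an added example, not part of the BeyondTrust guide, that sanity-checks both before the host starts relying on them: the server file must parse, must contain at least one entry, and, because it holds the shared secret, must be readable by root only; the PAM service file must carry the "auth required pam_radius_auth.so" line and the module must actually be present in the module directory (/lib64/security on the guide's CentOS host). File paths and the module directory are passed as arguments so the checks can run against scratch copies; the 8-character minimum for the secret is an assumed local policy, not something pam_radius_auth enforces. The sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the BeyondTrust guide): sanity checks for the files the
# RADIUS steps create on a Unix/Linux host.

# check_radius_server_conf FILE
# Prints "ok" and returns 0, or prints the first problem found and returns 1.
check_radius_server_conf() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # The file holds the RADIUS shared secret: it must not be group/world readable.
    perms=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$perms" in
        600|400) ;;
        *) echo "mode $perms on $f (expected 600)"; return 1 ;;
    esac
    # awk does the parsing, so file contents never go through shell word splitting
    # and a secret such as "btlab16*" is never glob-expanded.
    awk '
        /^[ \t]*(#|$)/ { next }   # skip blank lines and comments
        NF != 3 { printf "line %d: expected host:port secret timeout\n", NR; bad = 1; exit }
        {
            n = split($1, hp, ":")
            port = hp[2] + 0
            if (n != 2 || hp[1] == "" || hp[2] !~ /^[0-9]+$/ || port < 1 || port > 65535) {
                printf "line %d: bad host:port \"%s\"\n", NR, $1; bad = 1; exit
            }
            if ($3 !~ /^[0-9]+$/ || $3 + 0 < 1) {
                printf "line %d: timeout must be a positive number of seconds\n", NR; bad = 1; exit
            }
            if (length($2) < 8) {   # assumed local policy for the shared secret
                printf "line %d: shared secret shorter than 8 characters\n", NR; bad = 1; exit
            }
            entries++
        }
        END {
            if (bad) exit 1
            if (entries == 0) { print "no server entries"; exit 1 }
            print "ok"
        }
    ' "$f"
}

# check_pam_service FILE MODULE_DIR
# Confirms FILE has an "auth required pam_radius_auth.so" line and that the module
# it names exists in MODULE_DIR (step 1 of the guide copies it to /lib64/security).
check_pam_service() {
    f=$1; moddir=$2
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    grep -Eq '^[ \t]*auth[ \t]+required[ \t]+pam_radius_auth\.so' "$f" \
        || { echo "$f: no 'auth required pam_radius_auth.so' line"; return 1; }
    [ -f "$moddir/pam_radius_auth.so" ] \
        || { echo "$moddir/pam_radius_auth.so not found (step 1 copies it there)"; return 1; }
    echo "ok"
}

# Demonstration on constructed files in a scratch directory (never touches /etc).
demo_radius_checks() {
    d=$(mktemp -d) || return 1
    printf '# constructed sample, same shape as /etc/raddb/server\ndc01:1812 btlab16* 60\n' > "$d/server"
    chmod 600 "$d/server"
    mkdir -p "$d/security" && : > "$d/security/pam_radius_auth.so"
    printf 'auth required pam_radius_auth.so\naccount required pam_radius_auth.so\n' > "$d/pbul_pam_radius"
    echo "server file:     $(check_radius_server_conf "$d/server")"
    echo "pam service:     $(check_pam_service "$d/pbul_pam_radius" "$d/security")"
    chmod 644 "$d/server"
    echo "after chmod 644: $(check_radius_server_conf "$d/server")"
    rm -rf "$d"
}
demo_radius_checks
```

Run it as root against the real files with check_radius_server_conf /etc/raddb/server and check_pam_service /etc/pam.d/pbul_pam_radius /lib64/security (or /etc/pam.d/sshd for the first procedure); a non-"ok" result points at the line or permission to fix before testing pbrun.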
Testing the Configuration
You are ready to test the configuration.
1. Use PuTTY to log on to the Linux server as jsmith1.
2. Running the privileged command useradd directly fails with Permission denied.
3. Using pbrun, PAM/RADIUS authentication is triggered. Once authenticated, the command executes and the
user (backdoor, in this test) is created.
4. You should then be authenticated.
Since the userdel command is also included in the policy, we can follow the same steps for userdel.
Configuring Ping Authentication for PowerBroker Password Safe Direct Connect
For Direct Connect, we can use the Ping app. In our lab we used Phone/Standard, so we only need to answer the call and press # to be authenticated.
For SSH sessions, configure PuTTY or the tool of your choice with an SSH connection string similar to the following:
btlab\jping@mdavis_uadmin@lserver01@bi01
The port is 4422 by default, which is the port of the PBPS proxy, not 22, the port of the target host behind the proxy.
mdavis_uadmin is the managed account for lserver01, and bi01 is my PBPS proxy.
My test user, with the app on their mobile, is an Active Directory user in my lab.
1. RADIUS configuration for test user jping.
2. MTPutty configuration.
3. Direct Connect session in multi-tab PuTTY.
4. Direct Connect RDP. Type password,code (the password, a comma, then the Ping code).
5. Session starts.
Configuring Ping Authentication for PowerBroker Password Safe Using SAML
This section is generic; the steps in your Ping portal may differ slightly. Refer to the Ping documentation.
1. Log on to the Ping Portal.
2. Click Add Application.
3. Click Create New App.
4. Select SAML 2.0 as the sign-in method.
5. Click Create.
6. Enter an application name.
7. Click Next.
8. Enter the Single sign on URL:
https://ServerURL/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx
9. Select the check box Use this for Recipient and Destination URL.
10. Enter the Audience URI (SP Entity ID):
https://ServerURL/eEye.RetinaCSSAML
11. Select the test username from the Application username menu.
12. Add attributes:
• Group (Required), set as a literal. This must match the group created in BeyondInsight.
• Name (Required)
• Email (Optional)
• Surname (Optional)
• GivenName (Optional)
13. Click Next.
14. Select appropriate settings for Ping support and click Finish.
15. Click View Setup Instructions.
16. Copy the Identity Provider Single Sign-On URL. Save the value; it is used in step 21.
17. Copy the Identity Provider Issuer. Save the value; it is used in steps 21 and 24.
18. Click Download Certificate and save this on the BeyondInsight server in
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates
19. Rename the certificate to “Ping.cer”.
20. Open the saml.config file:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\saml.config
21. In Notepad, edit the ServiceProvider Name entry, then:
• Edit PartnerIdentityProvider Name: the Identity Provider Issuer from step 17.
• Edit SingleSignOnServiceUrl: the Identity Provider Single Sign-On URL from step 16.
• Edit SingleLogoutServiceUrl: the Identity Provider Single Sign-On URL from step 16.
22. Save the saml.config file.
23. Open the web.config file:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\web.config
24. In Notepad, edit the PartnerIdP value: the Identity Provider Issuer from step 17.
25. Save the web.config file.