Applies to: IDENTIKEY Authentication Server
KB 160083– 11/03/2016 2016 VASCO Data Security. All rights reserved.
Page 1 of 9
KB 160083
Authenticate vsftpd (a secure FTP server for UNIX-like systems) with IDENTIKEY Authentication Server
Creation date: 11/03/2016 Last Review: 11/03/2016 Revision number: 2
Summary
PAM RADIUS allows any PAM-capable machine to become a RADIUS client for
authentication and accounting requests. PAM RADIUS can be downloaded from
ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
vsftpd is a GPL-licensed FTP server for UNIX systems, including Linux. It is
secure and extremely fast. https://security.appspot.com/vsftpd.html
This document describes the process on CentOS 6.6.
First confirm that vsftpd is working before attempting to configure PAM RADIUS
with IDENTIKEY Authentication Server (IAS).
Install development tools
yum install gcc pam pam-devel make -y
Compile the package
1. Download PAM RADIUS from ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
2. tar xvzf pam_radius-1.3.17.tar.gz
3. cd pam_radius-1.3.17
4. make
5. Move the newly created pam_radius_auth.so file. For a 64-bit OS, copy this file to the
/lib64/security folder. For a 32-bit OS, copy this file to the /lib/security/ folder.
Configure vsftpd to use PAM RADIUS
1. Open /etc/pam.d/vsftpd
   a. Add "auth required pam_radius_auth.so" as shown in the following image
      i. To enforce multi-factor authentication, use "required"
   b. Comment the line containing "auth include password-auth"
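The two edits above (the "required" control flag, and commenting out the "password-auth" include) are what make the OTP mandatory rather than optional. The following script is an added example, not part of KB 160083 and not code from vsftpd or pam_radius: it models how Linux-PAM walks an "auth" stack and compares the KB's configuration with two weaker variants an administrator might leave behind. The contents of "password-auth" are a constructed, simplified stand-in for the CentOS 6 file (local password via pam_unix is "sufficient", pam_deny closes the stack), and the login outcomes are constructed as well.

```python
# Added example, not part of KB 160083 nor of vsftpd/pam_radius: a small
# model of how Linux-PAM evaluates an "auth" stack, used to compare the
# KB's /etc/pam.d/vsftpd (auth required pam_radius_auth.so, password-auth
# include commented out) against two weaker variants.
#
# Control flags follow the pam.conf(5) simple keywords:
#   required   failure is remembered, the rest of the stack still runs
#   requisite  failure ends the stack immediately with failure
#   sufficient success ends the stack with success unless an earlier
#              required/requisite module already failed
#   optional   only counts when nothing else has decided the outcome

# Constructed, simplified stand-in for CentOS 6 /etc/pam.d/password-auth.
INCLUDES = {
    "password-auth": "auth sufficient pam_unix.so\nauth required pam_deny.so\n",
}

def parse_auth_stack(text):
    """Return [(control, module)] for the auth lines of a PAM service file,
    expanding 'include' through the constructed INCLUDES table."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":   # skips blanks, '#...' and other types
            continue
        control, module = fields[1], fields[2]
        if control == "include":
            stack.extend(parse_auth_stack(INCLUDES[module]))
        else:
            stack.append((control, module))
    return stack

def evaluate_auth_stack(stack, outcomes):
    """Walk the stack; outcomes maps module name -> True/False for one login."""
    impression = None                     # None = undecided, "pos" or "neg"
    for control, module in stack:
        ok = outcomes.get(module, False)  # unknown modules (e.g. pam_deny) fail
        if control == "required":
            if not ok:
                impression = "neg"
            elif impression is None:
                impression = "pos"
        elif control == "requisite":
            if not ok:
                return False
            if impression is None:
                impression = "pos"
        elif control == "sufficient":
            if ok and impression != "neg":
                return True
        elif control == "optional":
            if ok and impression is None:
                impression = "pos"
    return impression == "pos"

# Three /etc/pam.d/vsftpd variants (auth section only).
KB_CONFIG = """
auth       required     pam_radius_auth.so
#auth      include      password-auth
"""
WEAK_SUFFICIENT = """
auth       sufficient   pam_radius_auth.so
auth       include      password-auth
"""
REQUIRED_PLUS_LOCAL = """
auth       required     pam_radius_auth.so
auth       include      password-auth
"""

# Constructed login attempts: RADIUS (PIN+OTP) check failed but the local
# password was right, versus both checks passing.
PASSWORD_ONLY = {"pam_radius_auth.so": False, "pam_unix.so": True}
OTP_AND_PASSWORD = {"pam_radius_auth.so": True, "pam_unix.so": True}

def login_allowed(config_text, outcomes):
    return evaluate_auth_stack(parse_auth_stack(config_text), outcomes)

if __name__ == "__main__":
    for label, cfg in [("KB config", KB_CONFIG), ("sufficient + local", WEAK_SUFFICIENT),
                       ("required + local", REQUIRED_PLUS_LOCAL)]:
        print(f"{label:20} password only: {login_allowed(cfg, PASSWORD_ONLY)!s:5}"
              f"  OTP+password: {login_allowed(cfg, OTP_AND_PASSWORD)}")
```

Running it shows that with "sufficient" and the include left in place a correct local password alone is enough to log in, which is exactly the single-factor fallback the KB's configuration removes; leaving the include with "required" instead demands both the OTP and the local password.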
Document type: How To Security status: EXTERNAL
Configure the PAM RADIUS to send the authentications to the IDENTIKEY
Authentication Server (IAS)
1. Create the /etc/raddb directory
mkdir /etc/raddb
2. Create a file called server in the /etc/raddb/ directory and add the connection details for IAS. See the following for an example.
# server[:port] shared_secret timeout (s)
192.168.17.17:1812 Test1234 3
IDENTIKEY Authentication Server Configuration
1. Logon to the IDENTIKEY Authentication Server Web Administration
https://localhost:8443/
2. Hover your mouse above the Clients tab and select Register.
3. Configure the client
• Client Type: RADIUS Client
• Location: IP of the system where PAM RADIUS is installed
• Policy ID: Select the desired policy. In this example we use
local authentication only, meaning a DIGIPASS with PIN functionality
enabled is used to achieve multi-factor authentication. The user
enters PIN+OTP, for example 1234 for the PIN and 555555 for the OTP
(1234555555).
• Protocol ID: RADIUS
• Shared Secret: The Shared Secret must be the same as the one stored in /etc/raddb/server on the Linux server.
• Character Encoding: UTF-8
Create the user in IAS
1. Hover your mouse above the Users tab and select Create
2. Enter the user information and select the Create button
Assign a DIGIPASS
1. Hover above the Users tab and select List
2. Select the checkbox to the left of the user
3. Select the Assign DIGIPASS button
4. If you know the serial number of the DIGIPASS, you can enter it in the field; otherwise select the "Search now to select DIGIPASS to assign" radio button to
select a DIGIPASS. Click the Next button to continue.
5. Select the checkbox to the left of the DIGIPASS and select the Next button to continue
6. Select the desired options and select the Options button to continue.
7. Select the Finish button to continue.
Test vsftpd Authentication to IAS
1. Open a terminal window
2. Connect to ftp with the following command: ftp ip-address, and press Enter
3. Type the username and press Enter
4. Type the DIGIPASS PIN+OTP if using local authentication with a PIN-enabled DIGIPASS
5. Verify the authentication in the IDENTIKEY Audit Viewer or IAS tracing
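If the ftp test fails, it helps to separate the PAM layer from the RADIUS layer. The script below is an added example, not part of KB 160083 and not code from pam_radius or IAS: a minimal RFC 2865 PAP test client that builds an Access-Request carrying User-Name and a hidden User-Password (the PIN+OTP string described above), sends it, and verifies the Response Authenticator of the reply so that a mis-keyed shared secret or a forged reply is reported as "no valid reply" rather than as success. The defaults 192.168.17.17:1812 and Test1234 are the KB's sample values; the username "jsmith" and the NAS-Identifier are constructed. Because the PIN+OTP is only obfuscated under the shared secret (MD5 keystream, RFC 2865 section 5.2), this also shows why the secret's strength and the permissions on /etc/raddb/server matter.

```python
# Added example, not part of KB 160083 nor of pam_radius or IAS: a minimal
# RADIUS (RFC 2865) PAP test client plus Response Authenticator check.
# Defaults are the KB's sample server/secret (assumed values; replace them).
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: XOR 16-byte blocks of the zero-padded password with a
    chain of MD5(secret + previous block), seeded by the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password (what the server does before checking the OTP)."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")

def attribute(attr_type, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(ident, username, password, secret, nas_id, authenticator=None):
    """Return (packet, request_authenticator). A random authenticator is used
    unless one is supplied (supplying one keeps the example testable)."""
    req_auth = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server-side reply construction (used here only to produce test data)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(response, ident, request_authenticator, secret):
    """Return the reply code only if the identifier matches and the Response
    Authenticator MD5(Code+ID+Length+RequestAuth+Attributes+Secret) checks out."""
    if len(response) < 20:
        return None
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    if resp_ident != ident or length != len(response):
        return None
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return code

def radius_auth(username, password, server="192.168.17.17", port=1812,
                secret=b"Test1234", nas_id="vsftpd-host", timeout=3.0):
    """Send one Access-Request over UDP; True/False for Accept/Reject,
    None when nothing verifiable came back within the timeout."""
    ident = os.urandom(1)[0]
    packet, req_auth = build_access_request(ident, username, password, secret, nas_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, port))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    code = verify_response(reply, ident, req_auth, secret)
    return None if code is None else code == ACCESS_ACCEPT

if __name__ == "__main__":
    # Constructed username; PIN 1234 + OTP 555555 as in the KB's example.
    print(radius_auth("jsmith", "1234555555"))
```

A None result with the server reachable usually means the shared secret in /etc/raddb/server and in the IAS client entry differ, since the Response Authenticator will not verify; a False result means IAS answered Access-Reject, which the IDENTIKEY Audit Viewer will explain. Keep the real /etc/raddb/server root-owned and readable only by root, as it holds the same secret this script uses.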