
KB 160083 - VASCO | Delivering Trust to the Digital World

Applies to: IDENTIKEY Authentication Server
KB 160083 – 11/03/2016. 2016 VASCO Data Security. All rights reserved.
Page 1 of 9

KB 160083
Authenticate vsftpd (a secure FTP server for UNIX-like systems) with IDENTIKEY Authentication Server
Creation date: 11/03/2016 Last Review: 11/03/2016 Revision number: 2

Summary

PAM RADIUS allows any PAM-capable machine to become a RADIUS client for authentication and accounting requests. PAM RADIUS can be downloaded from ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz

vsftpd is a GPL licensed FTP server for UNIX systems, including Linux. It is secure and extremely fast. https://security.appspot.com/vsftpd.html

This document describes the process on CentOS 6.6 in detail.

First confirm vsftpd is working before attempting to configure PAM RADIUS with IDENTIKEY Authentication Server (IAS).

Install development tools

yum install gcc pam pam-devel make -y

Compile the package

1. Download PAM RADIUS from ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
2. tar xvzf pam_radius-1.3.17.tar.gz
3. cd pam_radius-1.3.17
4. make
5. Move the newly created pam_radius_auth.so file. For a 64-bit OS, copy this file to the /lib64/security folder. For a 32-bit OS, copy this file to the /lib/security/ folder.

Configure vsftpd to use PAM RADIUS

1. Open /etc/pam.d/vsftpd
   a. Add auth required pam_radius_auth.so as shown in the following image
      i. To enforce multi-factor authentication use required
   b. Comment the line containing auth include password-auth

Document type: How To Security status: EXTERNAL


Configure PAM RADIUS to send the authentications to the IDENTIKEY Authentication Server (IAS)

1. Create the /etc/raddb directory

mkdir /etc/raddb

2. Create a file called server in the /etc/raddb/ directory and add the connection details for IAS. See the following for an example.

# server[:port] shared_secret timeout (s)
192.168.17.17:1812 Test1234 3
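The following script is an added example, not part of the VASCO KB, that sanity-checks the two files edited above (/etc/pam.d/vsftpd and /etc/raddb/server) before the FTP login test: it confirms the RADIUS module is required and the local password fallback is commented out, that the clear-text shared secret is readable only by its owner, and it parses server lines in the format shown. The default port 1812 and default timeout of 3 s are assumptions taken from pam_radius, and the --check entry point is hypothetical.

```shell
#!/bin/sh
# Added example (not from the KB): sanity checks for the PAM and RADIUS-client
# configuration described above, to run before testing an FTP login.
# Default port 1812 and default timeout 3 s are assumed from pam_radius.

# Parse one non-comment line of an /etc/raddb/server style file
# ("server[:port] shared_secret timeout") and print "host port secret timeout".
parse_raddb_line() {
    set -- $1
    hostport=$1; secret=$2; timeout=${3:-3}
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
        *)   host=$hostport; port=1812 ;;
    esac
    printf '%s %s %s %s\n' "$host" "$port" "$secret" "$timeout"
}

# Return 0 when the PAM service file has an uncommented
# "auth required pam_radius_auth.so" and no uncommented
# "auth include password-auth" (the local-password fallback the KB comments out).
check_vsftpd_pam() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_radius_auth\.so' "$1" || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]]+include[[:space:]]+password-auth' "$1" && return 2
    return 0
}

# The shared secret is stored in clear text, so the server file must not be
# group- or world-readable. Return 0 when neither read bit is set.
check_secret_perms() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \))" ]
}

# Stand-alone run against the paths used in the KB (hypothetical --check flag).
if [ "${1:-}" = "--check" ]; then
    check_vsftpd_pam /etc/pam.d/vsftpd && echo "PAM: ok" || echo "PAM: fix /etc/pam.d/vsftpd"
    check_secret_perms /etc/raddb/server && echo "perms: ok" || echo "perms: chmod 600 /etc/raddb/server"
    grep -v '^[[:space:]]*#' /etc/raddb/server | while read -r l; do
        [ -n "$l" ] && parse_raddb_line "$l"
    done
fi
```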

IDENTIKEY Authentication Server Configuration

1. Log on to the IDENTIKEY Authentication Server Web Administration at https://localhost:8443/
2. Hover your mouse above the Clients tab and select Register.


3. Configure the client
   • Client Type: RADIUS Client
   • Location: IP of the system where PAM RADIUS is installed
   • Policy ID: Select the desired policy. In this example we will use local authentication only, meaning a DIGIPASS with PIN functionality enabled will be used to achieve multi-factor authentication. The user will enter PIN+OTP, for example 1234 for the PIN and 555555 for the OTP (1234555555).
   • Protocol ID: RADIUS
   • Shared Secret: The Shared Secret must be the same as the one stored in /etc/raddb/server on the Linux server.
   • Character Encoding: UTF-8


Create the user in IAS

1. Hover your mouse above the Users tab and select Create


2. Enter the user information and select the Create button

Assign a DIGIPASS

1. Hover above the Users tab and select List
2. Select the checkbox to the left of the user
3. Select the Assign DIGIPASS button


4. If you know the serial number of the DIGIPASS you can enter it in the field, or you can select the "Search now to select DIGIPASS to assign" radio button to select a DIGIPASS. Click the Next button to continue.
5. Select the checkbox to the left of the DIGIPASS and select the Next button to continue


6. Select the desired options and select the Options button to continue.

7. Select the Finish button to continue.


Test vsftpd Authentication to IAS

1. Open a terminal window
2. Connect to ftp with the following command: ftp ip-address, and press Enter
3. Type the username and press Enter
4. Type the DIGIPASS PIN+OTP if using local authentication with a PIN-enabled DIGIPASS
5. Verify the authentication in the IDENTIKEY Audit Viewer or IAS tracing
