Enable Multi-Factor Authentication for OpenVPN


Google Authenticator and OpenVPN

Google Authenticator and OpenVPN

In my previous post, we went over how to get Google Authenticator installed on FreeNAS.  Then we setup SSH to use it.  In this guide, we’ll get Multi-Factor Authentication working for OpenVPN.  This guide will be specific to FreeNAS, but should be applicable to FreeBSD as well.

Part I

Get Google Authenticator installed and setup for users

Go see my previous guide on getting Google Authenticator installed.

Part II

Configure OpenVPN to use both certificates and an OTP (one time password) provided by Google Authenticator.

1. Open a terminal either through the GUI or ssh.

2. Switch user to root.

 su
 enter root password

3. Mount the file system and make it writeable

 mount -uw /

4. First we need to create an entry for openvpn under /etc/pam.d This will tell OpenVPN that authentication with the pam_google_authenticator.so module is required.  Also need to remember to copy this file to /conf/base/etc/pam.d so that our change will survive a reboot.

touch /etc/pam.d/openvpn

printf "auth required /usr/local/lib/pam_google_authenticator.so" >> /etc/pam.d/openvpn

cp /etc/pam.d/openvpn /conf/base/etc/pam.d/openvpn

5. Check to make sure the permissions are correct on the pam_google_authenticator.so module.  sshd doesn’t seem to care, but OpenVPN does seem to care.  Side note, there are several guides written for Linux that say you have to modify the MakeFile with LDFLAGS=”-lpam” when building the pam_google_authenticator.so module.  That is NOT the case in FreeNAS / FreeBSD as the port takes care of that.

chmod 555 /usr/local/lib/pam_google_authenticator.so

6. Now we need to add a few settings to our OpenVPN server config.  If you followed my guide on setting up OpenVPN on FreeNAS, your server config is on your data drive.  Change the part after the “>>” to match your setup.

printf "\n#Enable Multi-Factor Authentication\n" >> /mnt/Files/openvpn/openvpn.conf

printf "plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn\n\n" >> /mnt/Files/openvpn/openvpn.conf

printf "#Prevent re-authorization every 3600 seconds\n" >> /mnt/Files/openvpn/openvpn.conf

printf "reneg-sec 0\n\n" >> /mnt/Files/openvpn/openvpn.conf

7. Now, on your client computers, you need to add the following to your openvpn-client config.  You can just add it at the bottom.

#Add this to the client config to enable Multi-Factor Authentication
auth-user-pass

#Prevent the password file from being cached
auth-nocache

8. Now restart openvpn on your FreeNAS box.

service openvpn restart

Your output should look like this:

Stopping openvpn.
Waiting for PIDS: 494.
Starting openvpn.
AUTH-PAM: BACKGROUND: INIT service='openvpn'
add net 10.8.0.0: gateway 10.8.0.2

9. Make the filesystem read only again.

mount -ur /

10. Fire up your VPN connection on a client computer and you should get a field that asks for a username and password in order to connect.

Tunnelblick

 

You will put in your user name for one of the accounts you set up using the google-authenticator command on your FreeNAS server.  The password will just be the 6 digit OTP you get from the Google Authenticator App on your smart phone.  Don’t bother saving it in the keychain.  If everything goes right, you will connect and then see this in your terminal session:

AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: joe
AUTH-PAM: BACKGROUND: my_conv[0] query='Verification code: ' style=1

Part III

Questions and such…

We’ve done it.  We now have multi-factor authentication setup for our VPN.  I’m left wondering though.  Many of the guides I looked at related to this subject said that /etc/pam.d/openvpn needed a lot more in it that what I have used.  For instance, one guide over at askubuntu.com says to use this:

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 new_authtok_reqd=done default=ignore] pam_winbind.so
account requisite pam_deny.so
account required pam_permit.so
auth required pam_google_authenticator.so

Is all of that account stuff really needed?  My hunch is that it is not.  If you have any insight, please share it in the comments section.

Advertisements

Google Authenticator on FreeNas


Google Authenticator

Multi Factor Authentication is a useful way to tighten the security of your system.  Having it in place means that attackers can’t simply brute force your password, they need to steal your Hardware Authentication device as well.  In the case of Google Authenticator, that means stealing your phone.

Part I Get Google Authenticator installed and setup for users

1. Open a terminal either through the GUI or ssh. 2. Switch user to root.

 su
 enter root password

3. Mount the file system and make it writeable

 mount -uw /

4. Install the libqrencode. This is optional, but is a nice feature as it allows you to “scan” a QR code from the terminal with your smart phone.

pkg_add -r libqrencode

5. Install the Google-Authenticator PAM module

pkg_add -r pam_google_authenticator
chmod 555 /usr/local/lib/pam_google_authenticator.so

6. Install the Google Authenticator App on your smartphone. Google Play Store  Apple App Store Windows Phone – not sure if this works

7. Switch your user to the user you want to have two factor authentication. Then run google-authenticator. If you want to be all fancy, add the -l option and then a quoted string. Without that, when you scan the QR code into your Google Authenticator app it will display with an email@host description.  You can also add the user name at the end if you like.

su joe
google-authenticator -l "JoePaetzel.com:joe"

Output: Do you want authentication tokens to be time-based (y/n) y https://www.google.com/chart?chs=some_long_URL

Screen Shot 2014-05-13 at 9.40.26 AM

Your new secret key is: E3W7AB2KXXXXXX Your verification code is 78XXXX Your emergency scratch codes are: 7967XXXX 1820XXXX 1659XXXX 3623XXXX 3140XXXX Do you want me to update your "/home/joe/.google_authenticator" file (y/n) y

Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n) y

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n) n

If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n) y

8. Scan the QR code that was generated into your Google Authenticator app on your smart phone.

9. Repeat steps 7 & 8 for all the users you need to set up.

Part II. Doing something useful with Google Authenticator.

Let’s go ahead and add two factor authentication to SSH. There are several things we need to do to get that accomplished. The quick overview: 1. Make some config changes to sshd_config, some easy, some not so much 2. Tell PAM about the Google Authenticator module and how we want to use it. 3. Your homework is applying the concepts from my post on getting hacks to survive upgrades. Before we do any of that, we need to decide how we want to implement this. In my mind, it makes sense to initially allow users to login to ssh with a public key and either a Google Authenticator code or their user password. This will allow some time for everyone to get set up without any of them getting locked out. Eventually, I’ll probably switch it to require a public key and just the Google Authenticator code. The decision we make here affects how we set the sshd_config parameter AuthenticationMethods, as well as how we configure /etc/pam.d/sshd. For a more in-depth explanation of the options that AuthenticationMethods offers, please see: http://lwn.net/Articles/544640/ For a full explanation of setting up the PAM module in /etc/pm.d/sshd, please see: FreeBSD Man Pages I’ll show you how I have mine set up.

10. We need to make some configuration changes to sshd. One we can make in the terminal, the other we need to do in the FreeNAS gui.

a. Now go back to the terminal, make sure you are root. We need to change the sshd_config file in three places.

/etc/ssh/sshd_config   /etc/ix.rc.d/ix-sshd and /conf/base/etc/ix.rc.d/ix-sshd

We are making the same change in all three places.

The quick way:

sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ssh/sshd_config
sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /etc/ix.rc.d/ix-sshd
sed -i -e 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' /conf/base/etc/ix.rc.d/ix-sshd

The long way (do in each of the three locations):

vi /etc/ssh/sshd_config

Scroll down to: ChallengeResponseAuthentication no

Change the no to yes. To do that in vi, put the cursor over the n in no. Hit “x” twice. Now hit “a” then type “yes”. Hit the esc key to exit insert mode. type “:wq” to write it and quit. Do not type any of the quotes.

*Feature Request*

There is a chance that in future releases all of that will become an option in the gui.

b. Open the FreeNAS gui and go to the Services tab. Click on SSH. Click on Advanced Mode button. In the extra Options Field, type:

AuthenticationMethods publickey,keyboard-interactive

c. Under Services, click on Control Services. Then turn ssh off and then back on. If we did everything right, it should start right up.

11. Now we need to edit the /etc/pam.d/sshd file so that pam knows to use Google Authenticator.  There a couple of options you have for this…like required, requisite or sufficient.  We’ll use sufficient for now so that we have the option of using the Google code or a password.  Later on we will change it to required so that there is no longer the password option.  Here’s what it looks like to start with:

# # $FreeBSD: src/etc/pam.d/sshd,v 1.18 2009/10/05 09:28:54 des Exp $ # # PAM configuration for the "sshd" service #

# auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth required pam_unix.so no_warn try_first_pass

# account account required pam_nologin.so account required pam_login_access.so account required pam_unix.so

# session #session optional pam_ssh.so want_agent session required pam_permit.so

# password password required pam_unix.so no_warn try_first_pass

What we want to do is add “auth sufficient /usr/local/lib/pam_google_authenticator.so” after “#auth sufficient pam_ssh.so no_warn try_first_pass” and before “auth required pam_unix.so no_warn try_first_pass” You can either do it the long way with vi or the quick way with awk

awk '{ print $0; if(NR == 11) printf("auth            sufficient      '/usr/local/lib/pam_google_authenticator.so'\n"); }' /etc/pam.d/sshd > /etc/pam.d/sshd-temp && mv /etc/pam.d/sshd-temp /etc/pam.d/sshd

We should run cat on the file to make sure it turned out the way we want it.

cat /etc/pam.d/sshd

Output should be:

# # $FreeBSD: src/etc/pam.d/sshd,v 1.18 2009/10/05 09:28:54 des Exp $ # # PAM configuration for the "sshd" service #

# auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient /usr/local/lib/pam_google_authenticator.so auth required pam_unix.so no_warn try_first_pass

# account account required pam_nologin.so account required pam_login_access.so account required pam_unix.so

# session #session optional pam_ssh.so want_agent session required pam_permit.so

# password password required pam_unix.so no_warn try_first_pass

Also need to do the same with /conf/base/etc/pam.d/sshd and /conf/base/etc/ix/templates/pam.d/sshd

awk '{ print $0; if(NR == 11) printf("auth            sufficient      '/usr/local/lib/pam_google_authenticator.so'\n"); }' /conf/base/etc/pam.d/sshd > /conf/base/etc/pam.d/sshd-temp && mv /conf/base/etc/pam.d/sshd-temp /conf/base/etc/pam.d/sshd

awk '{ print $0; if(NR == 11) printf("auth            sufficient      '/usr/local/lib/pam_google_authenticator.so'\n"); }' /conf/base/etc/ix/templates/pam.d/sshd > /conf/base/etc/ix/templates/pam.d/sshd-temp && mv /conf/base/etc/ix/templates/pam.d/sshd-temp /conf/base/etc/ix/templates/pam.d/sshd

12. Now go read my article about getting hacks to stick and survive upgrades.  Apply that logic to this hack and enjoy Multi-Factor Authentication even after system upgrades. 13. Change the root folder back to read only.

mount -ur /

Final Thoughts

That should be everything.  Try logging in over ssh and you should get a prompt for your Verification Code

Seven:~ joe$ ssh 192.168.0.122 Authenticated with partial success. Verification code:

I need to give credit to Randy who wrote the foundation for much of this guide over at http://www.nytechgroup.com

http://www.nytechgroup.com/2011/10/05/two-factor-authentication-freebsd/

Make sure to also check out my guide on getting OpenVPN working with Google Authenticator.