CentOS 7. Installing and configuring pam_radius.

This is the third part of the series on installing and configuring two-factor authentication with an open source solution.

In the first article we installed the LinOTP2 server.
In the second article FreeRADIUS was installed and configured to work with LinOTP.

Now we are going to install and configure pam_radius on our CentOS 7 server.
Add the EPEL repository, install pam_radius and put our RADIUS server's IP and shared secret into its config (/etc/pam_radius.conf). The file holds the shared secret, so it must stay readable by root only.

Insert the following line into the PAM service file you want to protect (sshd in this example):

It should look like this:

Now add a user for whom a token has already been enrolled. The account still has to exist on the CentOS host (locally or through NSS), because pam_radius only handles authentication, not account lookup.

Let's try to access this host over SSH (sshd must have UsePAM yes and either PasswordAuthentication or ChallengeResponseAuthentication enabled, otherwise the PAM auth stack is never consulted):

And now we are done.
Have a nice day.

LinOTP. FreeRADIUS Server Integration.

Hi Everyone,

Here we will install FreeRADIUS and pair it with LinOTP.
You can run FreeRADIUS on a separate server if you want.

Remove the default client config file and create a new one containing our client's IP and the shared secret (only that IP will be accepted with that secret):

Now change URL to point at your LinOTP server's IP and change REALM to the name of the realm you created in the first part:

To test RADIUS from the client (CentOS 7, 172.17.14.29 in my case), run:

If access is granted, FreeRADIUS is successfully installed and paired with LinOTP. The arguments used above are:

MTokarev - username
607918 - my passcode
172.17.14.103 - RADIUS server IP
0 - NAS port number (just leave it unchanged)
11122928 - your client secret
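The pairing has two halves that must agree on the same secret: the clients.conf entry on the FreeRADIUS server (this part) and the pam_radius client configuration on the CentOS 7 host (the pam_radius part above). The script below is an added example, not code from the original posts: it stages both halves into a scratch directory from the lab values (172.17.14.103, 172.17.14.29, secret 11122928), fixes the file permissions, inserts the pam_radius line into a constructed, abridged copy of /etc/pam.d/sshd, and cross-checks the secrets. The file layout of clients.conf and pam_radius.conf follows FreeRADIUS 2 and pam_radius_auth; the timeout value, the client name and the 16-character minimum for the secret are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts): stage the server-side and
# client-side RADIUS configuration from one shared secret, review it, then
# copy it into place by hand. Defaults are the lab values from the posts.
set -eu

RADIUS_SERVER="${RADIUS_SERVER:-172.17.14.103}"   # FreeRADIUS + LinOTP host
RADIUS_CLIENT="${RADIUS_CLIENT:-172.17.14.29}"    # CentOS 7 client
RADIUS_SECRET="${RADIUS_SECRET:-11122928}"        # shared secret used in the post
RADIUS_TIMEOUT="${RADIUS_TIMEOUT:-3}"             # assumed pam_radius timeout (seconds)

# Shared secrets should be long and random; the 8-digit lab value is far too
# weak for production. Returns 0 if SECRET has at least MIN (default 16) chars.
secret_is_strong() {   # usage: secret_is_strong SECRET [MIN]
    [ "${#1}" -ge "${2:-16}" ]
}

# Server side: clients.conf entry (/etc/freeradius/clients.conf on the Debian
# server). Only RADIUS_CLIENT may talk to the server with this secret.
write_clients_conf() {   # usage: write_clients_conf OUTFILE
    cat > "$1" <<EOF
client centos7 {
    ipaddr = $RADIUS_CLIENT
    secret = $RADIUS_SECRET
    shortname = client1
}
EOF
    chmod 600 "$1"
}

# Client side: /etc/pam_radius.conf lines are "server[:port] secret timeout".
# It holds the secret, so it must be root-owned and mode 0600.
write_pam_radius_conf() {   # usage: write_pam_radius_conf OUTFILE
    printf '%s\t%s\t%s\n' "$RADIUS_SERVER" "$RADIUS_SECRET" "$RADIUS_TIMEOUT" > "$1"
    chmod 600 "$1"
}

# Constructed, abridged copy of a CentOS 7 /etc/pam.d/sshd so the script can be
# exercised offline against a scratch file instead of the live one.
make_sample_sshd_pam() {   # usage: make_sample_sshd_pam OUTFILE
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    include      password-auth
EOF
}

# Client side: put pam_radius_auth.so first in the auth stack of a PAM service
# file. "sufficient" means a RADIUS Access-Accept satisfies auth; on a reject
# PAM falls through to the normal password stack, which is left intact.
add_radius_to_pam_service() {   # usage: add_radius_to_pam_service PAMFILE
    grep -q 'pam_radius_auth.so' "$1" && return 0   # already present: idempotent
    awk 'BEGIN { done = 0 }
         /^auth/ && !done { print "auth       sufficient   pam_radius_auth.so"; done = 1 }
         { print }' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Line number of the pam_radius entry in a PAM file (prints nothing if absent).
radius_line_number() {   # usage: radius_line_number PAMFILE
    awk '/pam_radius_auth\.so/ { print NR; exit }' "$1"
}

# Cross-check: the secret in clients.conf must equal the one in pam_radius.conf.
secrets_match() {   # usage: secrets_match CLIENTS_CONF PAM_RADIUS_CONF
    _srv=$(awk '$1 == "secret" { print $3; exit }' "$1")
    _cli=$(awk '{ print $2; exit }' "$2")
    [ -n "$_srv" ] && [ "$_srv" = "$_cli" ]
}

stage="${STAGE_DIR:-$(mktemp -d)}"
write_clients_conf "$stage/clients.conf"
write_pam_radius_conf "$stage/pam_radius.conf"
make_sample_sshd_pam "$stage/sshd"
add_radius_to_pam_service "$stage/sshd"
secret_is_strong "$RADIUS_SECRET" || echo "warning: RADIUS secret is shorter than 16 characters" >&2
secrets_match "$stage/clients.conf" "$stage/pam_radius.conf"
echo "staged in $stage: clients.conf -> FreeRADIUS server, pam_radius.conf and sshd -> CentOS client"
```

After reviewing the staged files, copy clients.conf into the FreeRADIUS configuration on the Debian server and restart freeradius, and copy pam_radius.conf to /etc/pam_radius.conf on the CentOS host and apply the same auth line to the real /etc/pam.d/sshd. Keep a second SSH session open while testing so a broken PAM stack does not lock you out.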

In the next part we'll configure the client host to use pam_radius and try to authenticate with an OTP.

Two Factor Authentication. Installing LinOTP. Step-By-Step Guide.

Welcome to the first part of the “How to install One Time Password Authentication” series.

Here is my test lab:

deb7.digitalbears.net    172.17.14.103   LinOTP server + FreeRADIUS on Debian 7.9
client1.digitalbears.net 172.17.14.29    client on CentOS 7

The LinOTP server requires a database to store tokens and a web server to provide the management interface.

LinOTP supports identity sources such as LDAP, SQL and flat files (/etc/passwd, for example); these are called UserIdResolvers.

You can combine UserIdResolvers into realms; policies are then applied per realm.

We will use an LDAP UserIdResolver in our lab and attach it to a newly created realm.
By the end of this article we will be able to create tokens and assign them to LDAP users. I will use “Microsoft Authenticator” as my software token (Google Authenticator is also supported).

Let’s start.

Set a password for the MySQL root account:


Let's create a database for LinOTP:

Now we need to add the LinOTP repository:

Click Yes to install Apache2.
Specify a password for the management console (HTTP digest authentication will be configured for the management web console).


Agree to the certificate generation prompt.

Select MySQL as the token database.

We will store the MySQL database on the same host, so click OK.

You can change the database name if you want.


Specify a password for the database user.

All settings are stored in /etc/linotp2/linotp.ini (it contains the database credentials, so keep its permissions restricted).

Now you can access LinOTP by url: https://172.17.14.103/manage/

Use the username admin and the password you specified above.
Select LDAP as the resolver type. When you click Save and Close, realm creation starts automatically.


Click New, hold the CTRL key and select the resolver you just created.


Now you should see all users from the LDAP server.
Let's assign a token to my user: select the user and click Enroll. (You can set an OTP PIN if you want; by default the user must enter the OTP PIN followed by the OTP passcode to get access. If the OTP PIN is 123456 and the passcode from your token is 333444, you enter 123456333444.)


Time must be synchronized across your devices (NTP on the LinOTP server, a correct clock on the phone) because the token is time-based: an OTP is only accepted within the server's configured time window.

Click Enroll, scan the QR code with your authenticator app, and you are done.


You can test your deployment by accessing:

https://172.17.14.103/validate/check?user=MTokarev&pass=123456526027

My OTP PIN is 123456 and the OTP passcode is 526027. Note that with this GET form the PIN and OTP end up in the browser history and in the web server's access log, which is acceptable for a lab test but not for anything scripted.


On success you should see both status and value set to true in the JSON reply; status true with value false means the request was processed but the PIN+OTP was rejected.
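A small smoke-test helper around that endpoint, as an added example that is not part of the original post: it sends the check with curl and evaluates the JSON reply the way the paragraph above describes, distinguishing "request failed" from "OTP rejected". It assumes the lab server at 172.17.14.103, that /validate/check accepts user and pass as POST parameters as well as in the query string, and a CA bundle path for the self-signed certificate (LINOTP_CA, an assumed path you should override). The JSON replies used in the test are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): smoke-test LinOTP /validate/check
# from a script. Assumptions: lab URL below, POST accepted for user/pass, and
# the CA file path (set LINOTP_CA to your own bundle).
set -eu

LINOTP_URL="${LINOTP_URL:-https://172.17.14.103}"
LINOTP_CA="${LINOTP_CA:-/etc/linotp2/linotp-ca.pem}"   # assumed path

# Classify a /validate/check JSON reply:
#   0  result.status true and result.value true  (OTP accepted)
#   1  result.status true but result.value false (OTP rejected)
#   2  result.status not true                    (request failed)
# Whitespace is stripped so the key/value pairs can be matched as fixed strings.
linotp_result_ok() {   # usage: linotp_result_ok JSON_REPLY
    _flat=$(printf '%s' "$1" | tr -d ' \t\r\n')
    case "$_flat" in
        *'"status":true'*) ;;
        *) return 2 ;;
    esac
    case "$_flat" in
        *'"value":true'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Send the check as a POST so PIN+OTP do not land in the URL, in shell history
# or in the Apache access log the way the GET form above does. The pass
# parameter is the OTP PIN immediately followed by the OTP from the token.
linotp_check() {   # usage: linotp_check USER PIN OTP
    curl -sS --cacert "$LINOTP_CA" \
        --data-urlencode "user=$1" \
        --data-urlencode "pass=$2$3" \
        "$LINOTP_URL/validate/check"
}

# Command-line use: ./check.sh MTokarev 123456 526027
if [ "$#" -eq 3 ]; then
    reply=$(linotp_check "$1" "$2" "$3")
    rc=0
    linotp_result_ok "$reply" || rc=$?
    case "$rc" in
        0) echo "OTP accepted" ;;
        1) echo "OTP rejected: $reply" >&2; exit 1 ;;
        *) echo "request failed: $reply" >&2; exit 2 ;;
    esac
fi
```

Because LinOTP reports an authentication failure as status true / value false rather than as an HTTP error, checking only that the request succeeded would pass a wrong OTP; the three-way exit code keeps those cases apart for monitoring or for a login-wrapper script.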


In the next part we will install the FreeRADIUS server and integrate it with LinOTP.
Then we will install pam_radius on our client and point it at the RADIUS server.

Part 2: Installing and configuring the FreeRADIUS server.

Have a nice day.

How to centralize local administrator password changes (LAPS).

Dear All,

I've written an article about how to change the password for local admins without using scripts (net user, for example) in a GPO, which would contain the password in plain text.
Microsoft has released a better way to do it: Local Administrator Password Solution (LAPS).

Now if you share the local admin password with someone (or if the password is recovered by an attacker), it can't be used to access other computers, because each computer has its own randomized password.

Here is how it works:

LAPS extends the Active Directory schema with two new attributes:
1) ms-Mcs-AdmPwd stores the password in clear text (by default only domain admins can read it; you can delegate read access to the help desk, for example).
2) ms-Mcs-AdmPwdExpirationTime stores when the local admin password expires and is to be changed to a new value.

You must install the Group Policy client-side extension on the computers you plan to manage. You can do it by Group Policy or with SCCM.
To create the Group Policy, install LAPS with the GPO templates on the machine from which the policy will be created.

You must also grant each computer write access to its own two attributes, so it can store the new password and expiration time.

I will do all tasks from the domain controller. You can download LAPS from here: x64 and x86, or from Microsoft.

Let’s start:

Install LAPS with all management tools enabled.


Run PowerShell as a user who is a member of Schema Admins and run the schema update (a schema extension cannot be undone, so do this deliberately):


To check who can view the password, run:


Let's grant the computers write access:


Now only domain admins can read local admin passwords. You can delegate read access to any security group:


You must install the client, which extends Group Policy processing on the managed computers. You can do it by GPO.

Here is the command line for a quiet installation:

Now you need to create the GPO:


After the computers update their policy, you can look up the local admin password from the LAPS UI:


Or from PowerShell with the Active Directory module:


Finding Domain Admins' Computers.

I found a good utility that helps you find where admins are logged in.
When attackers or security auditors gain access to a regular computer, this tool can be used to determine the next target, one that holds admin credentials (which can then be used for a pass-the-hash attack).

Here is what you will see when the program is executed (no domain admin rights are required to run it):

You can download NetSess here.