Integrating Google Authenticator PAM module with FreeRADIUS Server

I was recently investigating two-factor authentication solutions to use with a WatchGuard XTM appliance for mobile VPN access, which is where I came across FreeRADIUS (http://freeradius.org/).

FreeRADIUS is a daemon for UNIX-like operating systems that implements a RADIUS protocol server. It is an open-source project developed by the FreeRADIUS Project.

FreeRADIUS provides support for the Pluggable Authentication Modules (PAM) library. Integrating this with Google Authenticator (https://code.google.com/p/google-authenticator/), a project that provides one-time passcode (OTP) generators for mobile platforms as well as a PAM module, allows a two-factor solution to be implemented.

The OTP is generated using open standards as developed by http://www.openauthentication.org/. The implementations support the HMAC-Based One-Time Password (HOTP) algorithm (https://tools.ietf.org/html/rfc4226) and the Time-Based One-Time Password (TOTP) algorithm (https://tools.ietf.org/html/rfc6238).

To install and configure the FreeRADIUS server and integrate it with the Google Authenticator PAM module, I performed the following steps:

1) Install FreeRADIUS and the required packages:

apt-get install build-essential libpam0g-dev freeradius git libqrencode3

2) Download the Google Authenticator PAM module source and build the library from source:

git clone "https://code.google.com/p/google-authenticator/"
cd google-authenticator/libpam/
make
make install

3) FreeRADIUS must run as root in order to read the ‘.google_authenticator’ token file in each user's home directory. Edit ‘/etc/freeradius/radiusd.conf’ to change the user and group to root (this widens the impact of any compromise of the RADIUS daemon, so keep the host dedicated to this role):

user = root
group = root

4) To use PAM as the default authentication method, edit ‘/etc/freeradius/users’ to include the following:

DEFAULT        Auth-Type := PAM

5) To enable PAM authentication, edit /etc/freeradius/sites-enabled/default and uncomment the following:

#  Pluggable Authentication Modules.
pam

6) PAM needs to verify the local Unix password together with the Google Authenticator code. Edit ‘/etc/pam.d/radiusd’ so that it contains the following:

# The Debian common-* stacks are left commented out so that pam_google_authenticator
# runs first. With forward_pass the user supplies "<unix password><6-digit code>" as
# one password: the module verifies the trailing code and hands the remaining Unix
# password to the next module, which must pick it up with use_first_pass.
#@include common-auth
#@include common-account
#@include common-password
#@include common-session
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
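The ordering of the stack in step 6 is the security-relevant part: if the only active auth lines are pam_google_authenticator entries and the Debian common-auth include is commented out, the OTP is verified but the Unix password is never checked at all, even though the user typed both. The following added checker (my own example, not part of the original post or of the google-authenticator project) parses the active "auth" lines of a /etc/pam.d/radiusd file and reports that kind of mistake. The two embedded samples are constructed: AS_POSTED mirrors a stack with two identical OTP lines and no password module, HARDENED has the OTP check followed by pam_unix reading the forwarded password.

```python
from typing import List, Tuple

# Constructed sample: OTP line duplicated, no module that checks the Unix password.
AS_POSTED = """\
#@include common-auth
#@include common-account
#@include common-password
#@include common-session
auth requisite pam_google_authenticator.so forward_pass
auth requisite pam_google_authenticator.so forward_pass
"""

# Constructed sample: OTP check, then pam_unix consumes the forwarded Unix password.
HARDENED = """\
#@include common-auth
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
"""


def parse_auth_stack(text: str) -> Tuple[List[Tuple[str, str, List[str]]], List[str]]:
    """Return (control, module, options) for every active 'auth' line, plus the
    names of any active @include lines (commented-out lines are ignored)."""
    entries, includes = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@include"):
            parts = line.split(None, 1)
            includes.append(parts[1] if len(parts) > 1 else "")
            continue
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            entries.append((parts[1], parts[2], parts[3:]))
    return entries, includes


def audit_radiusd_pam(text: str) -> List[str]:
    """Return a list of findings; an empty list means the stack looks right."""
    findings = []
    stack, includes = parse_auth_stack(text)
    for name in includes:
        findings.append("active @include %s: not expanded here, audit that stack too" % name)
    ga = [i for i, (_, mod, _) in enumerate(stack) if mod == "pam_google_authenticator.so"]
    if not ga:
        findings.append("no pam_google_authenticator.so auth line: the OTP is never checked")
        return findings
    if len(ga) > 1:
        findings.append("pam_google_authenticator.so listed %d times: the user is asked for the OTP more than once" % len(ga))
    first = ga[0]
    if "forward_pass" not in stack[first][2]:
        findings.append("forward_pass missing on pam_google_authenticator.so: the Unix password is not handed to later modules")
    unix = [opts for (_, mod, opts) in stack[first + 1:] if mod == "pam_unix.so"]
    if not unix:
        findings.append("no pam_unix.so after the OTP check: the Unix password is never verified (OTP-only login)")
    elif not any("use_first_pass" in o or "try_first_pass" in o for o in unix):
        findings.append("pam_unix.so without use_first_pass: it prompts again instead of using the forwarded password")
    return findings


if __name__ == "__main__":
    for label, sample in (("as posted", AS_POSTED), ("hardened", HARDENED)):
        print(label, "->", audit_radiusd_pam(sample) or ["ok"])
```

Run it against the real file with audit_radiusd_pam(open("/etc/pam.d/radiusd").read()); any active @include is reported rather than expanded, so the included stack has to be reviewed separately.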

7) Restart the FreeRADIUS service to apply configuration changes:

service freeradius restart

8) Create a security group to use for RADIUS authentication:

groupadd <group>

Because authentication combines the local Unix password with the Google Authenticator code, each user needs a local Unix account with a password, added to the RADIUS security group:

adduser <username>
usermod -a -G <group> <username>

Once the user account has been created and added to the security group, run google-authenticator as that user to generate the .google_authenticator token file:

cd /home/username
su username
google-authenticator

You will be prompted to answer a number of questions about your authentication token. Once completed, a QR code and secret key are displayed, which allow you to configure the token on your device.

Do you want authentication tokens to be time-based (y/n)
Do you want me to update your "/home/<username>/.google_authenticator" file (y/n)
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)
By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min. Do you want to do so (y/n)
If the computer that you are logging into isn't hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s. Do you want to enable rate-limiting (y/n)

To test authentication locally, run the following. Because of the forward_pass option, the Unix password and the current Google Authenticator code are supplied as a single password with the code appended to the password; the last argument is the shared secret of the localhost client in /etc/freeradius/clients.conf, not the Google Authenticator secret key:

radtest <username> '<unix password><google authenticator token>' localhost 18120 <radius shared secret>
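To make the behaviour behind the google-authenticator prompts and the radtest call concrete, here is an added example of my own (not code from the original post or from the google-authenticator project): a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation, a verifier that applies the 1:30 skew window (one 30-second step either side of the current one) and the "disallow multiple uses" rule, and the forward_pass split that takes the trailing six digits as the code and the rest as the Unix password. The function and class names are my own, and the secret used in the demo is the well-known RFC 4226/6238 test-vector key "12345678901234567890" in base32, not a real token.

```python
import base64
import hashlib
import hmac
import struct

DIGITS = 6
STEP = 30  # TOTP time step in seconds, the module's default

# RFC 4226 / RFC 6238 test-vector secret "12345678901234567890", base32-encoded
# the way the first line of ~/.google_authenticator stores a secret (constructed demo value).
DEMO_B32_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(now // step), digits)


def decode_base32_secret(b32: str) -> bytes:
    """Decode a base32 secret, tolerating the missing '=' padding the file uses."""
    s = b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class OtpVerifier:
    """Verify TOTP codes within a skew window and refuse a consumed code."""

    def __init__(self, b32_secret: str, window_steps: int = 1):
        self.secret = decode_base32_secret(b32_secret)
        self.window = window_steps  # 1 => accept t-1, t, t+1: three codes, the 1:30 window
        self.used = set()           # counters already consumed (disallow multiple uses)

    def verify(self, code: str, now: float) -> bool:
        base = int(now // STEP)
        for counter in range(base - self.window, base + self.window + 1):
            if counter in self.used:
                continue
            if hmac.compare_digest(hotp(self.secret, counter).encode(), code.encode()):
                self.used.add(counter)
                return True
        return False


def split_forwarded(combined: str, digits: int = DIGITS):
    """forward_pass convention: trailing digits are the code, the rest is the Unix password.
    Returns (password, code) or None when the string cannot be split that way."""
    if len(combined) <= digits:
        return None
    tail = combined[-digits:]
    if not (tail.isascii() and tail.isdigit()):
        return None
    return combined[:-digits], tail


if __name__ == "__main__":
    secret = decode_base32_secret(DEMO_B32_SECRET)
    print("HOTP counter 0:", hotp(secret, 0))     # 755224 per RFC 4226
    print("TOTP at T=59:", totp(secret, 59))      # 287082 per RFC 6238
    v = OtpVerifier(DEMO_B32_SECRET)
    creds = split_forwarded("hunter2287082")
    print("split:", creds, "accepted:", v.verify(creds[1], 59))
    print("replayed:", v.verify(creds[1], 59))    # False: same code refused
```

The verifier keeps consumed counters in memory only; the real module writes them into the user's .google_authenticator file, which is why the daemon needs write access to that file as well as read access.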

If the above fails, stop the service and start FreeRADIUS in the foreground with debugging output:

service freeradius stop
freeradius -XXX

4 thoughts on “Integrating Google Authenticator PAM module with FreeRADIUS Server”

  1. > 3) FreeRADIUS is required to run as root in order to access the ‘.google_authenticator’ token in each home directory. This can be modified by editing ‘/etc/freeradius/radiusd.conf’, to change the user and group to be root.

    Or you could just give freeradius read and execute permissions into user home directories and files with ACLs.


  2. In order to integrate with FreeRADIUS there is a requirement for root or an account configured with root privileges to have access to the .google_authenticator token in each home directory.

    Whilst not ideal security practice, without this configuration FreeRADIUS will not integrate the PAM module. If you have security concerns you could harden the instance and isolate this instance to run FreeRADIUS only.


  3. FYI

    On CentOS 7 I had to install pam-devel as well in order to solve this output from ./configure:

    checking for security/pam_appl.h... no
    checking for security/pam_modules.h... no
    checking for pam_get_user in -lpam... no
    configure: error: Unable to find the PAM library or the PAM header files
