Two factor authentication for Unix SSH

Introduction

LoginTC Web makes it easy for Unix administrators to add multi-factor authentication to SSH logins on their Unix systems. If you would prefer to use the LoginTC RADIUS Connector to protect SSH, see instead: Two factor authentication for SSH using PAM RADIUS module.

Prerequisites

Before proceeding, please ensure you have the following:

API Domain Creation

If you have already created a LoginTC domain for your LoginTC API Connector, then you may skip this section and proceed to Installation.

  1. Log in to LoginTC Admin
  2. Click Domains
  3. Click Add Domain
  4. Enter a name and optionally pick an icon
  5. Scroll down and click Create

Use Default Domain Settings

Domain settings can be modified at any time by navigating to Domains > Your Domain > Settings.

Installation

(Tested on CentOS 6.4)

C client dependencies:

sudo yum install git gcc gcc-c++ make curl-devel cmake

Get and install the client:

$ git clone https://github.com/logintc/logintc-c.git
$ pushd logintc-c
$ CFLAGS=-O3 cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr .
$ make
$ sudo make install
$ popd

PAM dependencies:

sudo yum install pam-devel

Get and build LoginTC PAM:

$ git clone https://github.com/logintc/logintc-pam.git
$ pushd logintc-pam
$ CFLAGS=-O3 cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr .
$ make
$ sudo make install
$ popd

Now both the LoginTC C and PAM libraries are installed and ready to configure.

Configuration

Edit /etc/pam.d/sshd and add the following line:

auth required pam_logintc.so api_key=YOUR_API_KEY domain_id=YOUR_DOMAIN_ID

Property         Explanation
YOUR_API_KEY     The 64-character organization API key
YOUR_DOMAIN_ID   The 40-character domain ID

The API key is found on the LoginTC Admin Settings page. The Domain ID is found on your domain settings page.

Here is a sample /etc/pam.d/sshd PAM auth configuration:

auth required pam_logintc.so api_key=vZkDw7l6Z3tApwZJXERseKdR0s5RNNqjMxXIwvxpWwJOa9oJXi9b5tdvPyFsqzwJ domain_id=9120580e94f134cb7c9f27cd1e43dbc82980e152 timeout=300
auth required pam_sepermit.so
auth include  password-auth
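Before restarting sshd it is worth confirming that the pam_logintc.so line carries a real 64-character API key and 40-character domain ID rather than the placeholders, since a mistyped line locks every SSH login out. The following POSIX sh check is an added example written for this page, not LoginTC's own tooling; it only inspects the line format described in the table above and assumes the default file path /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example (not LoginTC code): sanity-check the pam_logintc.so line
# in a PAM service file using the option lengths given in the table above:
# api_key must be 64 characters and domain_id must be 40 characters.

# check_logintc_line LINE
# Prints each problem found; returns 0 if the line looks usable, 1 otherwise.
check_logintc_line() {
    line=$1
    rc=0
    case "$line" in
        auth*pam_logintc.so*) ;;
        *) echo "not an 'auth ... pam_logintc.so' line"; return 1 ;;
    esac
    # Extract the option values; sed BRE with POSIX character classes.
    api_key=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]api_key=\([^[:space:]]*\).*/\1/p')
    domain_id=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]domain_id=\([^[:space:]]*\).*/\1/p')
    case "$api_key" in
        YOUR_API_KEY) echo "api_key placeholder has not been replaced"; rc=1 ;;
    esac
    case "$domain_id" in
        YOUR_DOMAIN_ID) echo "domain_id placeholder has not been replaced"; rc=1 ;;
    esac
    if [ "${#api_key}" -ne 64 ]; then
        echo "api_key has ${#api_key} characters, expected 64"; rc=1
    fi
    if [ "${#domain_id}" -ne 40 ]; then
        echo "domain_id has ${#domain_id} characters, expected 40"; rc=1
    fi
    return $rc
}

# check_pam_file [FILE]
# Checks the first pam_logintc.so line in FILE (default /etc/pam.d/sshd).
check_pam_file() {
    file=${1:-/etc/pam.d/sshd}
    l=$(grep 'pam_logintc.so' "$file" | head -n 1)
    if [ -z "$l" ]; then
        echo "no pam_logintc.so line found in $file"
        return 1
    fi
    check_logintc_line "$l"
}
```

Run `check_pam_file` as root after editing the file and before `service sshd restart`; a non-zero exit means the line should be corrected first.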

Restart sshd:

$ sudo service sshd restart

Now SSH access into the Unix system will require username / password, as well as LoginTC two-factor authentication.

Testing

Test by SSHing directly into the Unix system. The Unix username must match the username of the user created in your organization and added to the domain you configured to authenticate against. You can also test the installed PAM library with your own custom program. For more information please see LoginTC PAM.

User Management

There are several options for managing your users within LoginTC: