Two factor authentication for Unix SSH

Introduction

LoginTC Web makes it easy for Unix administrators to add multi-factor to SSH into their Unix systems. If you would like to leverage our LoginTC RADIUS Connector to protect SSH then you may be interested in the: Two factor authentication for SSH using PAM RADIUS module.

Prerequisites

Before proceeding, please ensure you have the following:

LoginTC Admin Panel account
Computer virtualization software such as VMware ESXi, VirtualBox, or Hyper-V
Virtual Machine requirements:
- 1024 MB RAM
- 8 GB disk size

API Domain Creation

If you have already created a LoginTC domain for your LoginTC API Connector, then you may skip this section and proceed to Installation.

Log in to LoginTC Admin
Click Domains:
Click Add Domain:
Enter a name and optionally pick an icon
Scroll down and click Create

Use Default Domain Settings

Domain settings can be modified at any time by navigating to Domains > Your Domain > Settings.

Installation

(Tested on CentOS 6.4)

C client dependencies:

sudo yum install git gcc gcc-c++ make curl-devel cmake

Get and install the client:

$ git clone https://github.com/logintc/logintc-c.git
  $ pushd logintc-c
  $ CFLAGS=-O3 cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr .
  $ make
  $ sudo make install
  $ popd

PAM dependencies:

sudo yum install pam-devel

Get and build LoginTC PAM:

$ git clone https://github.com/logintc/logintc-pam.git
  $ pushd logintc-pam
  $ CFLAGS=-O3 cmake -DCMAKE_INSTALL_PREFIX:PATH=/usr .
  $ make
  $ sudo make install
  $ popd

Now both the LoginTC C and PAM libraries are installed and ready to configure.

Configuration

Edit /etc/pam.d/sshd and add the following line:

auth required pam_logintc.so api_key=YOUR_API_KEY domain_id=YOUR_DOMAIN_ID

Property	Explanation
`YOUR_API_KEY`	The 64-character organization API key
`YOUR_DOMAIN_ID`	The 40-character domain ID

The API key is found on the LoginTC Admin Settings page. The Domain ID is found on your domain settings page.

Here is a sample /etc/pam.d/sshd PAM auth configuration:

auth required pam_logintc.so api_key=vZkDw7l6Z3tApwZJXERseKdR0s5RNNqjMxXIwvxpWwJOa9oJXi9b5tdvPyFsqzwJ domain_id=9120580e94f134cb7c9f27cd1e43dbc82980e152 timeout=300
  auth required pam_sepermit.so
  auth include  password-auth

Restart sshd:

$ sudo service sshd restart

Now SSH access into the Unix system will require username / password, as well as LoginTC two-factor authentication.

Testing

Test by SSHing directly into the Unix system. The username of Unix user must match the username of the user created in your organization and added to the domain you have configured to authenticate against. You can also test the PAM library installed with your own custom program. For more information please see LoginTC PAM.

User Management

There are several options for managing your users within LoginTC:

Individual users can be added manually in LoginTC Admin Panel
Bulk operations using CSV Import
Programmatically manage user lifecycle with the REST API
One-way user synchronization of users to LoginTC Admin is performed using User Sync Tool.