BaroPAM solution installation guide for multi-layer authentication to strengthen the security of information assets (FreeBSD)
1. Preparation before installing BaroPAM
In order to use the PAM module, the PAM package must be installed by default. To verify installation, execute the following command.
[root] /root > ls /usr/lib/pam*
/usr/lib/pam_chroot.so          /usr/lib/pam_ksu.so             /usr/lib/pam_radius.so
/usr/lib/pam_chroot.so.6        /usr/lib/pam_ksu.so.6           /usr/lib/pam_radius.so.6
/usr/lib/pam_deny.so            /usr/lib/pam_lastlog.so         /usr/lib/pam_rhosts.so
/usr/lib/pam_deny.so.6          /usr/lib/pam_lastlog.so.6       /usr/lib/pam_rhosts.so.6
/usr/lib/pam_echo.so            /usr/lib/pam_login_access.so    /usr/lib/pam_rootok.so
/usr/lib/pam_echo.so.6          /usr/lib/pam_login_access.so.6  /usr/lib/pam_rootok.so.6
/usr/lib/pam_exec.so            /usr/lib/pam_nologin.so         /usr/lib/pam_securetty.so
/usr/lib/pam_exec.so.6          /usr/lib/pam_nologin.so.6       /usr/lib/pam_securetty.so.6
/usr/lib/pam_ftpusers.so        /usr/lib/pam_opie.so            /usr/lib/pam_self.so
/usr/lib/pam_ftpusers.so.6      /usr/lib/pam_opie.so.6          /usr/lib/pam_self.so.6
/usr/lib/pam_group.so           /usr/lib/pam_opieaccess.so      /usr/lib/pam_ssh.so
/usr/lib/pam_group.so.6         /usr/lib/pam_opieaccess.so.6    /usr/lib/pam_ssh.so.6
/usr/lib/pam_guest.so           /usr/lib/pam_passwdqc.so        /usr/lib/pam_tacplus.so
/usr/lib/pam_guest.so.6         /usr/lib/pam_passwdqc.so.6      /usr/lib/pam_tacplus.so.6
/usr/lib/pam_krb5.so            /usr/lib/pam_permit.so          /usr/lib/pam_unix.so
/usr/lib/pam_krb5.so.6          /usr/lib/pam_permit.so.6        /usr/lib/pam_unix.so.6
In order to access information assets and use the PAM module, the OpenSSH (Open Secure Shell) package must be installed to provide reliable and safe ssh and sftp services. To verify the installation, execute the following command. If it is not installed, you can install it with the "pkg install ssh" command.
[root] /root > ssh -V
OpenSSH_7.2p2, OpenSSL 1.0.2k-freebsd 26 Jan 2017
To download and install the BaroPAM authentication module, log in as root and create the directory (/usr/baropam) into which the module will be downloaded and installed, as follows.
[root]# mkdir /usr/baropam
Grant read, write and execute permissions on the directory used to download and install the BaroPAM module, as follows.
[root]# chmod -R 777 /usr/baropam
2. BaroPAM installation module download
Log in as root, move to the directory used for downloading and installing the module (/usr/baropam), and download the BaroPAM authentication module as follows.
[root] /usr/baropam > wget http://nuriapp.com/download/libpam_baro_auth-x.x.tar
When the download of the BaroPAM authentication module is complete, decompress the tar file as follows.
[root] /usr/baropam > tar -xvf libpam_baro_auth-x.x.tar
When the BaroPAM authentication module has been uncompressed, the following BaroPAM related files are present in the baropam directory.
[root] /usr/baropam > ls -al
합계 180
drwxrwxrwx  7 root root   4096  8월 23 09:59 .
drwxr-xr-x 17 root root   4096  2월 10  2017 ..
-r--r--r--  1 root root      8  6월 22 14:51 .baro_acl
-r--r--r--  1 root root    279  8월 23 09:59 .baro_auth
-rwxr-xr-x  1 root root  43996  8월 21 07:06 baro_auth
-rwxr-xr-x  1 root root 115780  8월 21 10:02 pam_baro_auth.so
-rw-r--r--  1 root root    192  8월 21 07:08 setenv.sh
3. BaroPAM configuration file creation
The BaroPAM configuration file must be created by executing the baro_auth program. It should be located under /usr/baropam, the directory of the BaroPAM authentication module.
Format)
baro_auth -r rate_limit -R rate_time -t cycle_time -c corr_time -k key_method -e encrypt_flag -H hostname -A acl_type -a acl_filename -S secure_key -s filename
The contents of the setting options of the BaroPAM configuration file are as follows.
Option | Description | Setting value | Etc |
---|---|---|---|
-r | Limit number of one-time authentication keys (1~10) | 3 | |
-R | Time limit for one-time authentication key (sec, 15~600 sec) | 30 | |
-t | Authentication cycle of disposable authentication key (seconds, 3~60 seconds) | 30 | |
-c | Set when using a card with the guarantee error time (seconds) of the one-time authentication key | 0 | |
-k | Authentication method of one-time authentication key (app1, app256, app384, app512: app) | app512 | |
-e | Whether the configuration file is encrypted (yes or no) | no | |
-H | Server's host name (uname -n) | nurit.co.kr | |
-A | Select whether to allow or exclude from 2nd authentication | deny | |
-a | ACL file name for accounts to be allowed or denied in 2nd authentication (file access rights are 444) | /usr/baropam/.baro_acl | |
-S | Secure key (license key) provided by the vendor | Ri5+xgVdtEBJGlrSD2hvituZxAq0vttx | |
-s | File name including directory to create BaroPAM configuration file | /usr/baropam/.baro_auth | |
Note) The filename given to the -s option is the file name, including the directory, where the BaroPAM configuration file is created (the file access permission is 444). If the hostname set for the server is not correct, BaroPAM may not operate normally, so if the hostname is changed it must be reflected in the corresponding item of the environment setting.
Example of use)
[root] /usr/baropam > ./baro_auth -r 3 -R 30 -t 30 -c 0 -k app512 -e no -H nurit.co.kr -A deny -a /usr/baropam/.baro_acl -S Ri5+xgVdtEBJGlrSD2hvituZxAq0vttx -s /usr/baropam/.baro_auth
If you want a separate BaroPAM configuration file for each account, log in as that account (not root) and run the command as follows.
[root] /usr/baropam > ./baro_auth -r 3 -R 30 -t 30 -c 0 -k app512 -e no -H nurit.co.kr -A deny -a ~/.baro_acl -S Ri5+xgVdtEBJGlrSD2hvituZxAq0vttx -s ~/.baro_auth
1) Your emergency scratch codes are :
Emergency scratch codes are backup (master) authentication keys that let you log in to the SSH server again if the BaroPAM app, the one-time authentication key generator, is lost or cannot be used, so write them down and keep them somewhere safe.
2) Enter "y" for all of the following questions.
even prevent man-in-the-middle attacks (y/n) y
Do you want to disallow multiple uses of the same authentication key? y
Will the one-time authentication key timeout be set to 30 seconds? y
The contents set in .baro_auth, the BaroPAM configuration file, are as follows.
[root] /usr/baropam > cat .baro_auth
" AUTH_KEY
" RATE_LIMIT 3 30
" KEY_METHOD app512
" CORR_TIME 0
" CYCLE_TIME 30
" SECURE_KEY Ri5+xgVdtEBJGlrSD2hvituZxAq0vttx
" ACL_NAME /usr/baropam/.baro_acl
" ACL_TYPE deny
" HOSTNAME nurit.co.kr
" WINDOW_SIZE 17
" DISALLOW_REUSE
33458936
19035576
15364353
54649370
84342192
The contents of the setting items of .baro_auth, the BaroPAM configuration file, are as follows.
Item | Description | Setting value | Etc |
---|---|---|---|
AUTH_KEY | Authentication separator (fixed) | | |
RATE_LIMIT | Limit number of one-time authentication keys (1~10), time limit (seconds, 15~600 seconds) | 3 30 | |
KEY_METHOD | Authentication method of one-time authentication key (app1, app256, app384, app512: app) | app512 | |
CORR_TIME | Guarantee error time for one-time authentication key (seconds) | 0 | |
CYCLE_TIME | Authentication cycle of disposable authentication key (seconds, 3~60 seconds) | 30 | |
SECURE_KEY | Secure key (license key) provided by the vendor | WSa1MUyG+aaiJ1JS/uqtXuBSoRBIIZOL | |
HOSTNAME | Server's host name (uname -n) | nurit.co.kr | |
ACL_TYPE | Distinguish allow or denial in 2nd authentication | deny | |
ACL_NAME | ACL file name for accounts to be allowed or excluded from 2nd authentication (file access rights are 444) | /usr/baropam/.baro_acl | |
WINDOW_SIZE | Calibration time of one-time authentication key based on the current time (-7~7 seconds) | 17 | |
DISALLOW_REUSE or ALLOW_REUSE | To prevent man-in-the-middle attacks, if "DISALLOW_REUSE" is set, other users cannot log in during the authentication cycle of the one-time authentication key. If reuse is allowed, set "ALLOW_REUSE". | DISALLOW_REUSE | |
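Because a mistake in .baro_auth (a cycle outside 3~60 seconds, a hostname that no longer matches uname -n, or a file that is not mode 444) only shows up as a failed login, it is worth checking the file before sshd is pointed at it. The following POSIX shell script is an added example and not BaroPAM's own code: it validates a .baro_auth file against the ranges in the table above. It assumes the line layout seen in the cat output (a leading `"` marker, the item name, then its values), takes the expected hostname as an argument instead of calling uname -n, and writes constructed sample files with a placeholder license key into a temporary directory.

```shell
#!/bin/sh
# Added example (not BaroPAM's own code): sanity-check a .baro_auth file against
# the ranges given in the configuration-item table. The sample files below are
# constructed for the demo; SECURE_KEY is a placeholder, not a real license key.

ISSUES=0
issue() { echo "  [!] $1" >&2; ISSUES=$((ISSUES + 1)); }

# cfg_get FILE ITEM : print the values that follow ITEM (empty if the item is absent).
# Lines look like:  " RATE_LIMIT 3 30   so $1 is the marker and $2 the item name.
cfg_get() {
    awk -v key="$2" '$1 == "\"" && $2 == key { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# cfg_has FILE ITEM : succeed if the item line exists (for value-less items such as AUTH_KEY)
cfg_has() {
    awk -v key="$2" '$1 == "\"" && $2 == key { found = 1 } END { exit !found }' "$1"
}

# in_range VALUE LO HI : succeed if VALUE is a non-negative integer within LO..HI
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# mode_is_444 FILE : the guide requires -r--r--r-- on .baro_auth and .baro_acl
mode_is_444() { [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r--r--" ]; }

# count_issues FILE EXPECTED_HOSTNAME : report each problem on stderr, echo the count
count_issues() {
    f=$1; host=$2; ISSUES=0
    mode_is_444 "$f"          || issue "$f is not mode 444"
    cfg_has "$f" AUTH_KEY     || issue "AUTH_KEY separator line missing"
    set -- $(cfg_get "$f" RATE_LIMIT)
    in_range "${1:-}" 1 10    || issue "RATE_LIMIT count '${1:-}' outside 1~10"
    in_range "${2:-}" 15 600  || issue "RATE_LIMIT time '${2:-}' outside 15~600 seconds"
    in_range "$(cfg_get "$f" CYCLE_TIME)" 3 60 || issue "CYCLE_TIME outside 3~60 seconds"
    case "$(cfg_get "$f" KEY_METHOD)" in
        app1|app256|app384|app512) ;;
        *) issue "KEY_METHOD must be one of app1 app256 app384 app512" ;;
    esac
    case "$(cfg_get "$f" CORR_TIME)" in ''|*[!0-9]*) issue "CORR_TIME must be a whole number of seconds" ;; esac
    [ -n "$(cfg_get "$f" SECURE_KEY)" ]         || issue "SECURE_KEY (license key) is empty"
    [ "$(cfg_get "$f" HOSTNAME)" = "$host" ]     || issue "HOSTNAME does not match '$host' (uname -n)"
    case "$(cfg_get "$f" ACL_TYPE)" in allow|deny) ;; *) issue "ACL_TYPE must be allow or deny" ;; esac
    acl=$(cfg_get "$f" ACL_NAME)
    if [ -f "$acl" ]; then mode_is_444 "$acl" || issue "ACL file $acl is not mode 444"
    else issue "ACL file '$acl' does not exist"; fi
    cfg_has "$f" DISALLOW_REUSE || cfg_has "$f" ALLOW_REUSE || issue "neither DISALLOW_REUSE nor ALLOW_REUSE is set"
    echo "$ISSUES"
}

# write_sample DIR HOSTNAME : constructed .baro_auth/.baro_acl pair using the guide's values
write_sample() {
    printf 'barokey\nbaropam\n' > "$1/.baro_acl" && chmod 444 "$1/.baro_acl"
    cat > "$1/.baro_auth" <<EOF
" AUTH_KEY
" RATE_LIMIT 3 30
" KEY_METHOD app512
" CORR_TIME 0
" CYCLE_TIME 30
" SECURE_KEY LICENSE-KEY-PLACEHOLDER
" ACL_NAME $1/.baro_acl
" ACL_TYPE deny
" HOSTNAME $2
" WINDOW_SIZE 17
" DISALLOW_REUSE
EOF
    chmod 444 "$1/.baro_auth"
}

# demo_good : a file written as the guide describes reports 0 issues
demo_good() {
    d=$(mktemp -d) && write_sample "$d" nurit.co.kr
    count_issues "$d/.baro_auth" nurit.co.kr
    rm -rf "$d"
}

# demo_bad : RATE_LIMIT time 5, CYCLE_TIME 90, mode 644 and a hostname mismatch -> 4 issues
demo_bad() {
    d=$(mktemp -d) && write_sample "$d" nurit.co.kr
    sed -e 's/CYCLE_TIME 30/CYCLE_TIME 90/' -e 's/RATE_LIMIT 3 30/RATE_LIMIT 3 5/' "$d/.baro_auth" > "$d/broken"
    chmod 644 "$d/broken"
    count_issues "$d/broken" other-host.example
    rm -rf "$d"
}
```

On a real host run `count_issues /usr/baropam/.baro_auth "$(uname -n)"` (or the per-account `~/.baro_auth`); a count of 0 means every item is inside the documented range and both files have the 444 permission the guide asks for.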
4. BaroPAM configuration
To configure the BaroPAM module, add the following line at the top of the sshd file.
[root] /usr/baropam > vi /etc/pam.d/sshd
#%PAM-1.0
auth required /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no
For reference, the secret parameter is the name of the BaroPAM configuration file, and encrypt is the encryption/decryption flag (yes or no) for the BaroPAM configuration file.
If a separate BaroPAM configuration file is used for each account, add the following line at the top of the sshd file instead.
[root] /usr/baropam > vi /etc/pam.d/sshd
#%PAM-1.0
auth required /usr/baropam/pam_baro_auth.so nullok secret=${HOME}/.baro_auth encrypt=no
* "nullok" means that 2nd authentication (one-time authentication) is omitted for accounts where BaroPAM is not set.
For programs that cannot handle an interactive prompt, such as FileZilla, you have to use the forward_pass option of the PAM module so that the password and the one-time authentication key are entered together in the password field. In this case the OpenSSH client, Windows Remote Desktop Protocol (RDP), VMware Horizon and FileZilla all have to be used with this combined input.
[root] /usr/baropam > vi /etc/pam.d/sshd
#%PAM-1.0
auth required /usr/baropam/pam_baro_auth.so forward_pass secret=/usr/baropam/.baro_auth encrypt=no
When entering a one-time authentication key such as a password in the password input window (Password & verification code:) using forward_pass, enter the password first and then enter the one-time authentication key without spaces. For example, if the password is "baropam" and the one-time authentication key is "123456", you can enter "baropam123456".
If you use forward_pass, you can enable 2-factor authentication for most services that require authentication.
[root] /usr/baropam > vi /etc/pam.d/su
#%PAM-1.0
auth required /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no
If you add the BaroPAM module to the top of the /etc/pam.d/su file, the 2nd authentication key (one-time authentication key) is also requested when a general account tries to elevate privileges to "root" with the "su" command, so security is further improved.
$ su - root
Verification code:
Among the contents of the "/etc/ssh/sshd_config" file configured for the sshd daemon, the following parameters must be changed.
Factor | Before | After | Etc |
---|---|---|---|
PasswordAuthentication | yes | no | |
ChallengeResponseAuthentication | no | yes | |
UsePAM | no | yes | |
After sshd configuration is finished, it is necessary to restart SSH Server after checking whether the PAM module is properly added.
[root] /usr/baropam > /etc/rc.d/sshd restart
Performing sanity check on sshd configuration.
Stopping sshd.
Performing sanity check on sshd configuration.
Starting sshd.
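A wrong PAM line or a missing sshd_config change is the usual reason the verification-code prompt never appears, and the restart above only checks sshd_config syntax. The script below is an added example (not part of BaroPAM) that checks the two files the guide edits: that the first active line of the PAM file is `auth required .../pam_baro_auth.so` with a `secret=` parameter, and that the three sshd_config keywords from the table have their "After" values. It uses constructed sample files in a temporary directory; on a real host pass /etc/pam.d/sshd and /etc/ssh/sshd_config. It assumes the keywords are set in the global section of sshd_config (Match blocks are not interpreted).

```shell
#!/bin/sh
# Added example (not BaroPAM's own code): verify the PAM stack and sshd_config
# settings described in the guide before restarting sshd. Sample files are
# constructed below; Match blocks in sshd_config are ignored (assumption).

# sshd_opt CONFIG KEYWORD : effective value of a keyword, i.e. the last
# non-comment occurrence; sshd keywords are case-insensitive
sshd_opt() {
    awk -v key="$(echo "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { v = $2 } END { print v }' "$1"
}

# first_auth_line PAMFILE : first line that is neither blank nor a comment
first_auth_line() {
    awk '$0 !~ /^[ \t]*(#|$)/ { print; exit }' "$1"
}

# check_setup PAMFILE SSHDCONFIG : report problems on stderr, echo the count
check_setup() {
    pam=$1; cfg=$2; n=0
    line=$(first_auth_line "$pam")
    set -- $line
    if [ "${1:-}" != "auth" ] || [ "${2:-}" != "required" ] || \
       [ "$(basename "${3:-none}")" != "pam_baro_auth.so" ]; then
        echo "  [!] first active line of $pam is not 'auth required .../pam_baro_auth.so'" >&2
        n=$((n + 1))
    fi
    case " $line " in
        *" secret="*) ;;
        *) echo "  [!] secret= parameter (configuration file) missing in $pam" >&2; n=$((n + 1)) ;;
    esac
    # the "After" column of the sshd_config table
    for want in PasswordAuthentication=no ChallengeResponseAuthentication=yes UsePAM=yes; do
        key=${want%=*}; val=${want#*=}
        got=$(sshd_opt "$cfg" "$key" | tr 'A-Z' 'a-z')
        [ "$got" = "$val" ] || { echo "  [!] $key is '${got:-unset}', expected $val" >&2; n=$((n + 1)); }
    done
    echo "$n"
}

# demo_after : constructed files matching the guide's "After" state -> 0 issues
demo_after() {
    d=$(mktemp -d)
    cat > "$d/sshd.pam" <<'EOF'
#%PAM-1.0
auth required /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no
EOF
    cat > "$d/sshd_config" <<'EOF'
# constructed sshd_config fragment
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    check_setup "$d/sshd.pam" "$d/sshd_config"
    rm -rf "$d"
}

# demo_before : module commented out and the "Before" sshd values -> 5 issues
demo_before() {
    d=$(mktemp -d)
    cat > "$d/sshd.pam" <<'EOF'
#%PAM-1.0
#auth required /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth
EOF
    cat > "$d/sshd_config" <<'EOF'
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
EOF
    check_setup "$d/sshd.pam" "$d/sshd_config"
    rm -rf "$d"
}
```

Run `check_setup /etc/pam.d/sshd /etc/ssh/sshd_config` before the restart; keep an existing session open while testing, since a non-zero count here means the next login will either skip the second factor or fail outright.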
When using the BaroPAM module, if you need to exclude certain accounts from 2nd authentication through the ACL, create the ACL file in the directory chosen when setting up the BaroPAM environment and enter the accounts to be excluded, one per line, as follows. (The file access permission of .baro_acl must be set to 444.)
[root] /usr/baropam > vi .baro_acl
barokey
baropam
If the clock of the information asset differs from the current time, the one-time authentication key generated by the app will not match the key expected by the server. To keep the clock synchronized, set the time in crontab as follows and restart crontab.
#Time setting
11 4 * * * /usr/bin/rdate -s time.simplexi.com; /sbin/hwclock --systohc
or
11 4 * * * /usr/bin/rdate -s time.bora.net;
For the same reason, the time zone also matters. If the time zone (Timezone) was not set when the server was installed, the system clock is displayed in PST, US Pacific time (PDT during summer time), that is, California time. Change it to KST, Korean standard time, as follows.
> ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime
> date 1804191024.00
Alternatively, the system time can be kept at the current time from the root account using NTP (Network Time Protocol), the standard method of synchronizing an information asset with a time server.
In order to use NTP, the NTP package must be installed. To verify the installation, execute the following command. If it is not installed, you can install it with the "pkg install ntp" command.
[root]# pkg install ntp
To activate the ntpd service at boot, it must be registered in "/etc/rc.conf". The following command adds the ntpd_enable line to that file.
[root]# sysrc ntpd_enable="YES"
NTP servers operating in Korea are as follows.
server kr.pool.ntp.org
server time.bora.net
server time.kornet.net
Configure the NTP server operating in Korea in "/etc/ntp.conf", a configuration file for configuring the ntpd daemon, as follows.
[root]# vi /etc/ntp.conf
#
# NTP
#
server kr.pool.ntp.org iburst
server time.bora.net iburst
server time.kornet.net iburst
The iburst option shortens the time it takes for ntpd to reach initial synchronization by sending a burst of packets when the server is first contacted.
After the ntpd configuration is complete, check that the NTP configuration has been entered correctly and then restart the NTP daemon.
[root]# /etc/rc.d/ntpd restart
ntpd not running? (check /var/run/ntpd.pid).
Starting ntpd.
You can check the ntpd peers and the current offset with the following command.
[root]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.freebsd.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.000
 106.247.248.106 141.223.182.106  2 u    7   64    1    4.412    0.544   0.000
 time.bora.net   204.123.2.5      2 u    7   64    1    5.206    7.741   0.000
*send.mx.cdnetwo 204.123.2.5      2 u    1   64    1    3.968    3.807   0.446
 211.52.209.148  216.239.35.12    2 u    1   64    1   11.862    2.838   0.259
 dadns.cdnetwork 204.123.2.5      2 u    2   64    1    4.833    0.005   0.408
 92.223.73.5 (st 106.247.248.106  3 u    -   64    1    5.015    1.397   0.482
* The entry marked with "*" is the NTP server that ntpd has selected as its current time source.
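Since a one-time key is only valid within its 30 second cycle (plus the small WINDOW_SIZE correction), the figure that matters in the ntpq output is the offset of the selected peer. The following shell functions are an added example, not part of BaroPAM or FreeBSD: they read `ntpq -p` output on standard input, pick out the line marked `*`, and report whether its offset is within a tolerance. The offset is taken from the second-to-last column so that a line whose remote name was truncated with an extra token (like the last line above) is still parsed correctly; the sample output is the listing shown above, and the 1000 ms tolerance in the demo is an assumption chosen to be well below the key cycle.

```shell
#!/bin/sh
# Added example (not BaroPAM's or FreeBSD's code): parse `ntpq -p` output and
# check that the selected peer's offset is small enough for time-based OTPs.

# sys_peer_offset : read `ntpq -p` output on stdin and print the offset (ms) of
# the peer ntpd has selected (the line whose first column starts with '*'),
# or "none" if no peer is selected yet. Columns are counted from the end
# because a truncated remote name can add an extra token at the front.
sys_peer_offset() {
    awk 'substr($1, 1, 1) == "*" { print $(NF - 1); found = 1; exit }
         END { if (!found) print "none" }'
}

# clock_ok MAX_MS : succeed if a peer is selected and |offset| <= MAX_MS
clock_ok() {
    off=$(sys_peer_offset)
    [ "$off" != "none" ] &&
        awk -v o="$off" -v m="$1" 'BEGIN { if (o < 0) o = -o; exit (o <= m) ? 0 : 1 }'
}

# sample_ntpq : the ntpq -p listing from the guide (constructed input for the demo)
sample_ntpq() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.freebsd.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.000
 106.247.248.106 141.223.182.106  2 u    7   64    1    4.412    0.544   0.000
 time.bora.net   204.123.2.5      2 u    7   64    1    5.206    7.741   0.000
*send.mx.cdnetwo 204.123.2.5      2 u    1   64    1    3.968    3.807   0.446
 211.52.209.148  216.239.35.12    2 u    1   64    1   11.862    2.838   0.259
 dadns.cdnetwork 204.123.2.5      2 u    2   64    1    4.833    0.005   0.408
 92.223.73.5 (st 106.247.248.106  3 u    -   64    1    5.015    1.397   0.482
EOF
}

# sample_ntpq_unsynced : constructed output right after start, before any peer is selected
sample_ntpq_unsynced() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.freebsd.pool. .POOL.          16 p    -   64    0    0.000    0.000   0.000
 time.bora.net   204.123.2.5      2 u    -   64    0    0.000    0.000   0.000
EOF
}

# demo : print the selected peer's offset and a verdict for a 1000 ms tolerance (assumed)
demo() {
    echo "selected peer offset: $(sample_ntpq | sys_peer_offset) ms"
    if sample_ntpq | clock_ok 1000; then echo "clock OK for OTP use"; else echo "clock NOT in sync"; fi
}
```

On the server itself, `ntpq -p | clock_ok 1000` can be run from the same cron job that handles time synchronization, so that a drifting clock is noticed before users start reporting rejected verification codes.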
If the PAM configuration file is incorrectly configured or the file is damaged, users may not be able to log in. The sulogin command does not use PAM, so you may need the root password to boot the system in single-user mode and fix problems.
There are several reasons for booting in single-user mode:
1) When fsck checks or cleans filesystems other than / and /usr
2) When you forget the administrator (root) password
3) When the /etc/fstab file is incorrectly modified and the booting fails
4) When other critical files are incorrectly configured and the system cannot come up normally.
5. How to connect to FreeBSD
When connecting with PuTTY, follow the normal connection process, but with one extra setting: in the configuration window go to "Connection -> SSH -> Auth", enable "Attempt keyboard-interactive auth (SSH-2)", and then connect to SSH.
PuTTY downloads and documentation can be found at the following URL.
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
For putty)
When prompted to enter the "Verification code", enter the one-time authentication key generated by the BaroPAM app.
If authentication is successful, you can enter the SSH login password as follows.
For Mobile SSH)
When prompted to enter the "Verification code", enter the one-time authentication key generated by the BaroPAM app.
If authentication is successful, you can enter the Mobile SSH login password as follows.
For FileZilla)
When connecting with FileZilla, the process differs from a normal connection. Select "File(F) -> Site Manager(S)" from the top left menu, select "SFTP - SSH File Transfer Protocol" in the "Protocol(t):" item on the General tab, select "Interactive" in the "Logon type (L):" item, and click the "Connect (C)" button as follows.
Then, the password input screen appears as follows. On the password input screen, check the content of "Try:", enter the one-time authentication key generated by the smartphone into the "Password (P):" input field, and click the "OK (O)" button.
Then, the password input screen appears as follows. In the password input screen, check the contents of "Try:", enter the password for the login account in the "Password (P):" input field, and click the "OK (O)" button to access the server.
For SFTP)
When prompted to enter the "Verification code", enter the one-time authentication key generated by the BaroPAM app.
If authentication is successful, you can enter the SFTP login password as follows.
SecureFX downloads and documentation can be found at the following URL.
https://www.vandyke.com/
In conclusion, 2nd authentication is an effective way to protect password authentication by adding an additional layer of protection. Whether to use it remains the user's choice, but adopting 2nd authentication is the industry trend.
If an error such as the following occurs: Apr 18 12:01:10 localhost sshd[2280]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root", open "/etc/pam.d/system-auth". It is configured so that authentication is performed only for accounts whose uid is 1000 or greater; change the value so that authentication is performed for uid 500 or greater, as below, and restart sshd.
[root] /root > vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
6. BaroPAM environment removal
If BaroPAM is installed but the BaroPAM module is no longer to be used, comment out or delete the line added to the sshd file, as follows.
[root] /usr/baropam > vi /etc/pam.d/sshd
#%PAM-1.0
#auth required /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth
Among the contents of the "/etc/ssh/sshd_config" file configured in the sshd daemon, the following parameters must be changed.
Factor | Before | After | Etc |
---|---|---|---|
PasswordAuthentication | no | yes | |
ChallengeResponseAuthentication | yes | no | |
UsePAM | yes | no | |
After sshd configuration is finished, it is necessary to restart SSH Server after confirming that the PAM module has been properly removed.
[root] /usr/baropam > /etc/rc.d/sshd restart