This article is the first of a 3 part series. Part I will cover the following:
- Explain background for the problem we are solving.
- Describe what the working integration will look like.
- Review the MFA options that are available for integration with Centrify Server Suite.
- Provide a configuration overview for the integration approach we will use.
- Provide an overview of the pre-requisites required to set this integration up.
- Configure Centrify Server Suite for CentOS system
- Configure Symantec VIP Service
To view the other parts of this series, go here:
- This posting is provided "AS IS" with no warranties, and confers no rights.
- This is a lab entry. It is only meant to show the reader that this integration is possible and to provide a how-to guide on setting it up. It's not meant for production design and does not address things like high availability and separation of duties. Production designs require planning for people, process and technology.
- Symantec VIP and CentOS are registered trademarks of their respective owners.
- The versions of software used in this guide work together. There is no guarantee that future versions of the software released by the vendors will be compatible for this integration. It's always best practice to test new versions of software.
This is Part I of an article that aims to provide a guideline for leveraging multifactor authentication provided by Symantec VIP to secure Centrify Server Suite enabled Unix systems. Multifactor authentication (MFA) is an important step to securing systems to enable stronger authentication to servers and applications in your environment. Benefits and goals of using MFA are outlined in various places, but an introductory article can be found here.
Many organizations understand the importance of MFA, and are already using an MFA solution today. In our example, we will be focusing on Symantec VIP, which is a widely used multifactor authentication platform. The concepts here can be applied to other MFA providers as well, specifically for the purposes of layering MFA onto Centrify enabled Unix/Linux systems. Centrify also provides seamless MFA Everywhere through the Centrify Identity Service, if your organization is exploring MFA options today.
2. Working Integration
Let me first show you what the finished result of this integration will look like so you can see the benefit of the integration. In the shell screenshot below, you will see a user (dwirth) logging onto a CentOS system (engcen6) via SSH from another CentOS system (newcentos). When dwirth logs on to engcen6 with her Active Directory username using SSH, she is prompted for a Password+SecurityCode. The password she enters is her AD password and the SecurityCode is the code provided by her Symantec VIP Access soft token. The SecurityCode is validated by the Symantec VIP Service in the cloud and her AD password is validated by the Centrify agent. This allows a customer to leverage the benefits of Centrify enabling a non-Windows system (AD consolidation, centralizing privilege elevation, enabling Group Policies, etc.) and leverage an existing deployment of Symantec VIP to layer on multifactor authentication. As you can see, dwirth successfully authenticates with MFA and is logged into the engcen6 system.
The goal of this series is to take you through the setup of this integration.
3. MFA integration options available for Centrify Server Suite
Centrify Server Suite provides Active Directory based identity consolidation, role based access control, and authorization for your Unix/Linux/Windows systems. When you want to layer on MFA from a 3rd party, there are 3 main options that are available to you.
- The first option is to leverage the Centrify Identity Service. Using Centrify Identity Service for MFA allows you to seamlessly add MFA at server login as well as MFA when privilege elevation is invoked by a user (i.e. elevating privileges to root to run a privileged command). This works across SaaS applications, on premise web applications, at Windows Login, and for non-Windows systems. We refer to this as MFA Everywhere. If you are using the built-in MFA capability in Centrify Identity Service, you simply need to setup an MFA authentication profile in Centrify Identity Service and associate the groups of users you want to MFA to that authentication profile. When you want to leverage a 3rd party MFA service, Centrify Identity Service gives you the capability to use RADIUS to leverage MFA from a 3rd party provider. The advantage of this approach is that you can enable MFA integration using a single integration point (Centrify Identity Service) versus setting up an integration point for each of your servers individually. An example of how you can set this up is provided in this blog.
- The second option for integrating 3rd party MFA onto Centrify Server Suite is to use the concept of PAM chaining to group multiple Pluggable Authentication Modules (PAM) together to accomplish your authentication needs. A PAM module is a self-contained piece of program code that implements an authentication facility; examples include the UNIX® password database, NIS, LDAP, and RADIUS. In this article, we will configure several PAM modules to work together (PAM chaining) to allow our users to authenticate to Active Directory while also using their Symantec VIP Access token for MFA. The benefit of this approach is that you can leverage a common authentication process using the operating system's PAM structure to layer on MFA without going through the Centrify Identity Service. The downside of this approach is that PAM chaining needs to be configured for each server, which can be additional work for administrators. Changes in software versions may cause instability and should be tested thoroughly to ensure they work during upgrade cycles.
- The third option for integrating MFA is to use symbolic links between PAM modules. A symbolic link, also termed a soft link, is a special kind of file that points to another file, much like a shortcut in Windows or a Macintosh alias. Unlike a hard link, a symbolic link does not contain the data in the target file. It simply points to another entry somewhere in the file system. To use this option, the general approach is to configure Centrify Server Suite to link the Centrify Identity Service PAM module (pam_centrifydc_cloud.so) to the Symantec VIP PAM module (pam_vrsn_otp.so). Once this is done, when a user's role (as defined by Centrify role based access control policy) requires MFA, the Centrify PAM module that gets called will link to the Symantec VIP PAM module, and MFA will be handed off to that PAM module. The benefit of using symlinks is that you can enable MFA at a granular level per the Centrify role based access control policy. The downside of this approach is that every vendor's PAM module works differently and has varying levels of support on various operating systems. While symlinks between vendor PAM modules may work well on one OS (Red Hat Enterprise Linux 6), they may not work as well on another OS. This can be risky for most enterprises. Therefore, I have chosen to use PAM chaining to complete the integration in this guide.
4. Configuration Overview for PAM chaining with Symantec VIP.
The overview of the integration is described in the following diagram from the document “Integration Guide for Pluggable Authentication Modules (PAM)”, which can be downloaded from the Symantec VIP documents center. The version of the file at the time of this writing is an attachment to this blog. It should be noted that the authentication method being used in the example we will show is the “User ID-Security Code” based authentication.
In the diagram above, the user (when logging on via ssh) is prompted for his username and Password+SecurityCode. The security code comes from the Verisign OTP soft token on the user's mobile phone. The user id and the last 6 characters of the Password+SecurityCode are validated by the Symantec VIP PAM module by proxying the authentication through the Symantec VIP Enterprise Gateway to the Symantec VIP service. Once the authentication succeeds, the user id and password (stripped of the one time passcode) are passed to the next PAM module in the authentication stack (Unix/Linux PAM in the diagram). Once the user id and password are validated by the next PAM module in the stack, a successful authentication response is sent back to the SSH client and access is granted to the user. In our integration, the Centrify PAM module will be the second module called in the authentication stack (instead of the Unix/Linux PAM module) in order to authenticate the user against Active Directory, rather than the local password store on the system.
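To make the hand-off in the diagram concrete, here is an added simulation of the "User ID-Security Code" stack; it is not code from this article, Symantec or Centrify. A stand-in for pam_vrsn_otp.so checks the trailing 6 characters and strips them, then a stand-in for the Centrify module checks the remaining password. The valid codes, the AD password, the user name and the PAM result strings are constructed assumptions.

```python
"""Simulated PAM chain for the 'User ID-Security Code' flow described above.
Constructed example: a stand-in for pam_vrsn_otp.so checks and strips the
trailing six-character security code, then a stand-in for the Centrify module
validates the remaining password against Active Directory."""
from typing import Callable, List, Tuple

OTP_LEN = 6  # the security code is the last 6 characters of the auth token
PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Constructed stand-ins for the VIP service and Active Directory (assumptions).
VIP_VALID_CODES = {"dwirth": {"123456"}}
AD_PASSWORDS = {"dwirth": "S3cretAD!"}

# A module takes (user, authtok) and returns (result, authtok to pass on).
PamModule = Callable[[str, str], Tuple[str, str]]

def vip_otp_module(user: str, authtok: str) -> Tuple[str, str]:
    """Stand-in for pam_vrsn_otp.so: check the trailing code, then strip it."""
    if len(authtok) <= OTP_LEN:
        return PAM_AUTH_ERR, authtok  # no room for both a password and a code
    password, code = authtok[:-OTP_LEN], authtok[-OTP_LEN:]
    if not code.isdigit() or code not in VIP_VALID_CODES.get(user, set()):
        return PAM_AUTH_ERR, authtok  # VIP service rejects the security code
    return PAM_SUCCESS, password  # hand only the AD password to the next module

def centrify_module(user: str, authtok: str) -> Tuple[str, str]:
    """Stand-in for pam_centrifydc.so: validate the password against AD."""
    if AD_PASSWORDS.get(user) == authtok:
        return PAM_SUCCESS, authtok
    return PAM_AUTH_ERR, authtok

def run_auth_stack(user: str, authtok: str, stack: List[PamModule]) -> str:
    """Run each module as PAM 'required': all must succeed, and the stack keeps
    running after a failure so the client cannot tell which factor was wrong."""
    ok = True
    for module in stack:
        result, authtok = module(user, authtok)
        ok = ok and result == PAM_SUCCESS
    return PAM_SUCCESS if ok else PAM_AUTH_ERR

# sshd auth stack in the order the diagram shows: VIP module first, then Centrify.
SSHD_AUTH_STACK: List[PamModule] = [vip_otp_module, centrify_module]

def authenticate(user: str, password_plus_code: str) -> str:
    """Result sshd would receive for one Password+SecurityCode login attempt."""
    return run_auth_stack(user, password_plus_code, SSHD_AUTH_STACK)
```

Because the VIP module leaves the token untouched on failure, a wrong or missing security code also causes the downstream password check to fail, which is the behaviour a chained 'required' stack should have.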
5. Pre-requisites to Symantec VIP Integration
There are several pre-requisites required to set this up in your environment. It will help to refer to the diagram above as you configure the pre-requisites and troubleshoot the solution. I will list the high level pre-requisites here and then go through the steps to set them up.
- You need to have a target Unix/Linux system that is Centrify Server Suite enabled. You should have a working environment where a user can log in to a server using his Active Directory username/password by leveraging the Centrify Agent (version CentrifyDC 5.3.1-398). In our example, we will be using a Centrify enabled CentOS (centos-release-6-7 x86_64) system as our target.
- You need to have access to a working instance of the Symantec VIP service (VIP Authentication Services 2016-2).
- You need to have a Symantec VIP Enterprise Gateway setup to communicate from your network to the Symantec VIP service. In this guide, I set this up on a Windows 2012 server using Symantec VIP Enterprise Gateway 9.8.
- Next, you need to obtain the PAM modules and RADIUS client from the Symantec VIP service manager. These will be executed on the target system that you are securing.
- You will need to ensure you have the appropriate ports/firewalls configured for network communication to occur between the different components of this integration.
6. Configure Centrify Server Suite for a CentOS system.
The intent of this guide is not to walk through the installation and configuration of Centrify Server Suite. More information on this setup can be found in the Centrify Server Suite documentation and various other blogs in the Centrify Community. The first step is to install the Centrify agent on your CentOS system, join it to an Active Directory Domain, and ensure that Centrify Server Suite is configured so that the users that are given access to that system are authenticating with their AD username/password.
7. Configure Symantec VIP service.
You may already have access to a working instance of the Symantec VIP service. If that is the case, you may want to review the steps here to ensure you have a test user to work with. If you do not have access to a working instance of Symantec VIP, you can register for a trial license of the service online at Symantec’s website.
Once you register for the trial, you will receive an email with the steps below. Follow these instructions:
- Access VIP Manager (https://manager.vip.symantec.com/vipmgr)
- On the Sign in page, enter the email address and temporary password you were provided in your email.
- Change your password upon initial logon.
- Register your credential. In order to do this step, you need to download the “VIP Access” mobile application to your smartphone and register it with the user that you use to initially access the service.
- Once you have your username/password and VIP Access credential, you will access the VIP Manager by logging in:
- Then you will be prompted for your security code. The security code will be displayed on the VIP Access mobile application (depicted on the right part of the screenshot below). Enter your security code and press the continue button.
You will then be logged in to the VIP Manager as shown below.
- Go to the Users Section and Add New User. Note, you may not have any existing users if this is the first time you are setting this up.
- In the “Add New User” screen, enter the user id for the test user that you want to configure for MFA. Ensure that you are using the AD user id for the user you want to test with. For the credential, select VIP credential and enter the credential id and name (optional) from your VIP Access soft token. Note that I am using the same VIP Access credential for my test user “dwirth” that I am using to access the VIP Manager as “firstname.lastname@example.org”. When you are setting this up in production, you will likely be using a different VIP Access token for the users that you are setting up. I have used the same VIP Access token to reduce the complexity of this sample illustration.
- When your user is set up properly, you should see the user details like the screenshot below.
At this point, you have a sample user set up to test the VIP Service integration with. Now you are ready to download the Symantec VIP Enterprise Gateway to a system on your premises that can communicate with the target system that you want to secure (a CentOS system in my example).
This concludes Part I of this series, and you are now ready to focus on the on-premise components that you will need to configure. In Part II of this series, we will cover the on-premise pre-requisites for this integration, specifically for the Symantec VIP Enterprise Gateway.
Part II will cover the following:
- Continue setting up the pre-requisites required to set this integration up.
- Configure the Symantec VIP Enterprise Gateway
- Configure the RADIUS validation service on the Symantec VIP Enterprise Gateway.
To continue to part II of this post click here.