This article is the last part of a three-part series. Part III covers the following:
- Configure the Symantec VIP and Centrify PAM modules.
- Configure SSH to leverage the Symantec VIP PAM module and Centrify PAM module for authentication and MFA.
- Testing the Configuration
To view the other parts of this series, go here:
- This posting is provided "AS IS" with no warranties, and confers no rights.
- This is a lab entry. It is only meant to show the reader that this integration is possible and to provide a how-to guide on setting it up. It's not meant for production design and does not address things like high availability and separation of duties. Production designs require planning for people, process and technology.
- Symantec VIP and CentOS are registered trademarks of their respective owners.
- The versions of software used in this guide work together. There is no guarantee that future versions of the software released by the vendors will be compatible for this integration. It's always best practice to test new versions of software.
Let's get started. We are going to pick up right where we left off in Part II of this series.
- Steps to Configure the Symantec VIP and Centrify PAM modules.
- I am referencing the “Integration_Unix-Linux_PAM.pdf” document from Symantec. This file is part of the package that you will download when you obtain the Symantec PAM modules. It's also attached for your convenience. Page 8 of the PDF begins describing this integration and the steps required.
- The first thing you want to do is download a couple of files from VIP Manager. These files will get you the utilities and PAM modules you need to load onto your target Linux system (CENTOS in my environment). Screenshots and steps to locate and download the PAM bits are shown below.
- Go to VIP Manager and under “Account” go to the Download Files link.
- Next Select the “Third Party Integrations” folder.
- Next, select the Enterprise Gateway 9.8 folder.
- Next download the “Pluggable Authentication Modules.zip” file as well as the “Tools.zip” file.
- Next, ensure that you can get these files onto the Linux system that you are securing with Centrify and Symantec VIP. You can use the file transfer program of your choice. We will need to configure these modules once they are on your target system.
- I am only showing the “ssh” integration, but as the document shows, you can use this for many different configurations depending on your needs.
- The first step is to set up the RADIUS configuration. To do this, find the “camouflage” utility you downloaded (part of the Tools.zip downloaded from VIP Manager). We will use this to obfuscate the RADIUS shared secret (note that this is the same shared secret that you used when you set up the RADIUS Validation server in the Enterprise Gateway). Make this utility available on the CENTOS server with the appropriate permissions and run it with the shared secret as input. Copy the obfuscated shared secret that it outputs.
- Next, we need to either create or modify the RADIUS configuration file on the target system to use the shared secret we copied in the last step.
- Go to /etc/raddb/ and create or modify the file named “vrsn_otp”
- Create one entry in the file that uses the syntax specified on page 9 of Integration_Unix-Linux_PAM.pdf. It will look something like the below:
: 5 3
- Save the file. NOTE: If you are using more than one RADIUS server for failover, then you would add multiple lines to the “vrsn_otp” file that we just created.
- On page 10 of Integration_Unix-Linux_PAM.pdf, it tells you how to disable MFA for specific groups on the OS. You may want to configure this in your environment depending on how critical the system is. You do not want to make the mistake of accidentally locking everyone out if there are other people relying on this system.
- Next, we are going to copy the Symantec VIP PAM modules over to the Linux system.
- Log in as root to the server on the PAM client host machine.
- Copy the VIP integration module for PAM to /lib/security (on 64-bit Linux, copy to /lib64/security):
> cp PAM/linux/pam_vrsn_otp.so /lib64/security/
- You must ensure that the module has executable permission.
- Screenshot of copied file on my CENTOS system:
- Next, copy the files libvsradiusclientimpl.so and libvsauthotpclient.so (which are included in the PAM package) to a directory in the system path, such as /lib or /usr/lib (on 64-bit Linux, copy to a directory in the system path such as /lib64 or /usr/lib64).
> cp PAM/linux/libvsradiusclientimpl.so /usr/lib/
> cp PAM/linux/libvsauthotpclient.so /usr/lib/
- Verify that the files you copied in the previous step have the same file permissions. You must ensure that the module has executable permission.
- Screenshot of the PAM files on my CENTOS system:
- Now we will configure SSH to leverage the Symantec VIP PAM module and Centrify PAM module for authentication and MFA.
We now have the Symantec VIP PAM modules downloaded onto our target system as well as the tools required to configure the modules. Next, we are going to configure ssh so that it uses the Symantec VIP PAM module and the CentrifyDC (DirectControl) PAM module to authenticate the user with the VIP Service (for MFA) and Active Directory (for central authentication and authorization).
- Find the section for securing OpenSSH in the Integration_Unix-Linux_PAM.pdf . We are going to be following the instructions in this document with a slight tweak.
- The PAM configurations in CENTOS are located in the /etc/pam.d folder. The SSH daemon’s configuration is called “sshd”. Before we modify this configuration, create a backup of the appropriate configuration file. For OpenSSH, back up the configuration file for the service (/etc/pam.d/sshd) as shown below.
- Here is a screenshot of my /etc/pam.d directory confirming that I have my sshd_backup file in place.
- Now that we have a backup of the working sshd file, edit the configuration file to include the VIP integration module for PAM at the top of the PAM stack. For example, modify the entries as follows to specify split password for OpenSSH (on 64-bit Linux, specify the path as /lib64/security/pam_vrsn_otp.so). There are multiple flags that the Symantec VIP PAM module can take and “split_password” is documented in Integration_Unix-Linux_PAM.pdf.
- Next, open the sshd file in a text editor. In the file, you will notice that the Centrify agent (when it is installed) automatically adds its relevant PAM settings to the beginning of this file. In this case, since we want Symantec VIP to check the username and password+SecurityCode before letting the Centrify agent do its job, we are going to add the line “auth requisite /lib64/security/pam_vrsn_otp.so split_password” as the first auth module call in the sshd PAM configuration.
- You will also notice above that the 2nd PAM module being called is “system-auth”. This is essentially where the PAM chaining happens. The pam_vrsn_otp.so PAM module is designed to verify the username, strip the last 6 characters of the user's password entry (password+SecurityCode) and validate them as the OTP. It then passes the remaining password (stripped of the security code) down the PAM stack for the next module to handle. We can open the system-auth PAM configuration to see where the Centrify PAM module is being called.
- When we look at the system-auth configuration (above), we see that in the very first line, pam_centrifydc.so (essentially the Centrify DirectControl PAM module) is being called. However, by default it will not have the additional flag “try_first_pass” added to it. Not having this flag creates an undesirable user experience. If this flag is not set, the user, when logging onto the system via ssh (with both Symantec VIP and Centrify PAM modules working), will be prompted for username and password+SecurityCode. But once Symantec VIP validates the OTP, the user will AGAIN be challenged for the AD password by the Centrify PAM module. So, the user will have to enter the password twice and will encounter 3 separate prompts to complete the authentication to ssh (1. username, 2. password+SecurityCode, 3. AD password). With the flag “try_first_pass” added to the first line where the pam_centrifydc.so module is being called, the Centrify PAM module will take the password that is passed down the stack from the Symantec VIP PAM module and use it as the AD authentication password without prompting the user again. This is exactly the behavior we want in order to provide a better user experience.
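The two PAM edits described above (the pam_vrsn_otp.so line at the top of the sshd stack and try_first_pass on the pam_centrifydc.so entry in system-auth) as an added shell script; this is example code written for this article, not Symantec's or Centrify's, and it takes the file paths as arguments so you can try it on scratch copies before touching /etc/pam.d. It assumes the 64-bit module path and the sshd_backup naming used in the post.

```shell
#!/bin/sh
# Added example: idempotently applies the PAM chaining edits from the post.
# Each file is backed up once as FILE_backup before it is changed.
set -eu

# The exact line the post adds as the first auth entry of /etc/pam.d/sshd.
PAM_VIP_LINE='auth requisite /lib64/security/pam_vrsn_otp.so split_password'

# backup FILE: copy FILE to FILE_backup unless a backup already exists.
backup() {
    [ -f "${1}_backup" ] || cp -p "$1" "${1}_backup"
}

# add_vip_auth FILE: insert the pam_vrsn_otp line before the first "auth"
# entry of FILE (a copy of /etc/pam.d/sshd). Does nothing if already present.
add_vip_auth() {
    f=$1
    if grep -q 'pam_vrsn_otp.so' "$f"; then
        return 0
    fi
    backup "$f"
    awk -v line="$PAM_VIP_LINE" '
        !done && $1 == "auth" { print line; done = 1 }
        { print }
        END { if (!done) print line }   # no auth entry at all: append
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# add_try_first_pass FILE: append try_first_pass to every pam_centrifydc.so
# auth entry in FILE (a copy of /etc/pam.d/system-auth) that lacks it.
add_try_first_pass() {
    f=$1
    backup "$f"
    awk '
        $1 == "auth" && /pam_centrifydc\.so/ && !/try_first_pass/ { $0 = $0 " try_first_pass" }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# first_auth_module FILE: print the module path of the first auth entry,
# a quick check that the VIP module really sits at the top of the stack.
first_auth_module() {
    awk '$1 == "auth" { print $3; exit }' "$1"
}

# Usage: sh pam_chain.sh /etc/pam.d/sshd /etc/pam.d/system-auth
if [ "$#" -eq 2 ]; then
    add_vip_auth "$1"
    add_try_first_pass "$2"
    echo "first sshd auth module: $(first_auth_module "$1")"
fi
```

Running the script a second time changes nothing, so it is safe to re-run after checking the result with first_auth_module.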
- The Symantec guide (Integration_Unix-Linux_PAM.pdf) also instructs you to modify your sshd_config file to add/modify the following entries. Make sure you make a backup of sshd_config, as we did for the PAM configuration files above.
- Create a backup of the OpenSSH configuration file /etc/ssh/sshd_config. Edit the configuration file to make the following changes:
- Restart the SSH daemon after you make the changes. It should look like the below when you restart.
- Testing the Configuration
- Now we are ready to test! Get an AD user that you know will be able to authenticate to AD with her username and password. It is important that this user's username is also set up in Symantec VIP Manager (using the exact same username). So, in my example, my user (dwirth) is set up in Active Directory with the username “dwirth” and she is set up in Symantec VIP Manager with the exact same username. Remember, this is a test configuration, so in production you are going to need to make sure you have a periodic sync of all your AD users or a mapping of AD usernames to Symantec VIP usernames so that the validation of user credentials happens properly for each user. I made it easier for this test environment by manually ensuring my user ID for Active Directory and Symantec VIP was identical. Now, when I log in with dwirth to my CENTOS system, I will find out if my Symantec VIP and Centrify PAM modules are working as expected.
- To test, I used another CentOS system (named “newcentos”) to ssh to the CENTOS target system that I configured for PAM chaining (engcen6). You can see below that when I initiated an ssh connection to engcen6 (with dwirth), I was given the Warning Banner (pushed out via Microsoft Group Policy), which shows the system is Centrify enabled. I am also prompted for a Password+SecurityCode. If dwirth's password is “twinkletoes” and the security code on her VIP Access token is “386878”, then she would enter “twinkletoes386878” for her Password+SecurityCode.
- If the Symantec VIP PAM module is integrated correctly (and you entered the user’s VIP access token and AD password correctly), you should see the following in your shell, which indicates you were successfully authenticated to Symantec VIP as well as Active Directory (via the Centrify PAM module).
- If you run an “adinfo” you can also verify that the CENTOS system is Centrify enabled and connected.
- As a recap, if you look at the diagram below, you should be able to verify that all the steps are being executed with the exception that step 5 is actually being passed from the “system-auth” PAM module in Unix/Linux to the Centrify PAM module to authenticate the user to Active Directory.
- Now you can test the authentication with different variations of AD password (correct and incorrect) and VIP access token (correct and incorrect) to validate that the user is only authenticated if they enter the right credentials. If you like you can play around with the ordering of PAM modules to generate a different user experience.
Congratulations, this completes the integration steps for this article. At Centrify we recommend that customers leverage our Centrify Identity Service to connect to 3rd party MFA systems via RADIUS, however, when a customer does not own Centrify Identity Service, using PAM chaining provides an alternative approach to ensuring you are securing your server level access with MFA and still leveraging the AD authentication and authorization that is provided by Centrify Server Suite.