Nuri IT Co., Ltd.

A company specializing in fingerprint recognition cards and secondary authentication security software for information assets

BaroPAM solution installation guide for secondary authentication of access control to enhance security of information assets(Linux)



2021. 2. 2.

1. Preparation before installing BaroPAM

 

A PAM module can only be loaded if the PAM package is installed. Check with the following command. If it is missing, install it with "yum install pam" on Redhat and CentOS, or with "sudo apt-get install libpam0g libpam-modules" on Debian and Ubuntu.

 

[root]# rpm -qa | grep pam

pam_smb-1.1.7-7.2.1

pam_passwdqc-1.0.2-1.2.2

pam-0.99.6.2-14.el5_11

pam_krb5-2.2.14-22.el5

pam-devel-0.99.6.2-14.el5_11

pam_ccreds-3-5

pam_smb-1.1.7-7.2.1

pam_pkcs11-0.5.3-26.el5

pam-devel-0.99.6.2-14.el5_11

pam_passwdqc-1.0.2-1.2.2

pam-0.99.6.2-14.el5_11

pam_ccreds-3-5

pam_krb5-2.2.14-22.el5

pam_pkcs11-0.5.3-26.el5

 

Access to the information asset goes through OpenSSH (Open Secure Shell), so the openssh-server package, and the OpenSSL library it links against, must be installed to provide the ssh and sftp services. Check with the following commands. If they are missing, install them with "yum install openssh-server openssl" on Redhat and CentOS, or with "sudo apt-get install openssh-server openssl" on Debian and Ubuntu.

 

[root]# rpm -qa | grep openssh

openssh-clients-4.3p2-82.el5

openssh-server-4.3p2-82.el5

openssh-4.3p2-82.el5

 

[root]# rpm -qa | grep openssl

openssl-0.9.8e-40.el5_11

openssl101e-1.0.1e-11.el5

openssl097a-0.9.7a-12.el5_10.1

openssl-devel-0.9.8e-40.el5_11

openssl-perl-0.9.8e-40.el5_11

openssl-devel-0.9.8e-40.el5_11

openssl101e-devel-1.0.1e-11.el5

openssl101e-static-1.0.1e-11.el5

openssl-0.9.8e-40.el5_11

openssl101e-devel-1.0.1e-11.el5

openssl101e-static-1.0.1e-11.el5

openssl101e-perl-1.0.1e-11.el5

openssl097a-0.9.7a-12.el5_10.1

openssl101e-1.0.1e-11.el5

 

[root]# ssh -V

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

 

On Redhat and CentOS, SELinux (Security Enhanced Linux) enforces a mandatory access control policy on top of the ordinary Linux permissions. With the policy in enforcing mode it blocks BaroPAM's write to its temporary secret file, so authentication fails with: Failed to open tmp secret file "/usr/baropam/.baro_auth~" [Permission denied]. The guide therefore disables SELinux (SELINUX=disabled in /etc/sysconfig/selinux). Permissive mode (SELINUX=permissive) is the less drastic option: the denial is only logged to the audit log and not enforced, so BaroPAM works and the policy stays visible for later tuning.

 

[root] /etc > vi /etc/sysconfig/selinux

# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

#       enforcing - SELinux security policy is enforced.

#       permissive - SELinux prints warnings instead of enforcing.

#       disabled - SELinux is fully disabled.

SELINUX=disabled

# SELINUXTYPE= type of policy in use. Possible values are:

#       targeted - Only targeted network daemons are protected.

#       strict - Full SELinux protection.

SELINUXTYPE=targeted

 

# SETLOCALDEFS= Check local definition changes

SETLOCALDEFS=0

 

A change to this file takes effect only after a reboot.

To switch the running kernel to permissive mode immediately (until the next reboot), run the following command.

 

[root] /etc > /usr/sbin/setenforce 0

 

To download and install the BaroPAM authentication module, log in as root and create the directory (/usr/baropam) that will hold the module, as follows.

 

[root]# mkdir /usr/baropam

 

The guide then makes the directory world-writable (read, write, execute for everyone) so that any account can download and install into it:

[root]# chmod -R 777 /usr/baropam

On a production host this is not advisable: sshd loads pam_baro_auth.so from this directory as root, so any local account with write access could replace the module with its own. Keep /usr/baropam owned by root with mode 755 and grant write access only where the per-account configuration described later requires it.

 

 

2. BaroPAM installation module download

 

Log in as root, change to the module directory (/usr/baropam), and download the BaroPAM authentication module as follows (x.x is the version number). The download is served over plain HTTP, so confirm the file's integrity with the vendor before loading it into the sshd PAM stack.

 

[root] /usr/baropam > wget http://nuriapp.com/download/libpam_baro_auth-x.x.tar

 

When the download of the BaroPAM authentication module is completed, the method to decompress the tar file is as follows.

 

[root] /usr/baropam > tar -xvf libpam_baro_auth-x.x.tar

 

When the tar file has been extracted, the following BaroPAM files are present in the baropam directory.

 

[root] /usr/baropam > ls -al

total 180

drwxrwxrwx  7 root root   4096  8 23 09:59 .

drwxr-xr-x 17 root root   4096  2 10  2017 ..

-rw-r--r--  1 root root      8  6 22 14:51 .baro_acl

-r--r--r--  1 root root    279  8 23 09:59 .baro_auth

-rwxr-xr-x  1 root root  43996  8 21 07:06 baro_auth

drwxr-xr-x  2 root root   4096 12  1 07:44 jilee

-rwxr-xr-x  1 root root 115780  8 21 10:02 pam_baro_auth.so

-rw-r--r--  1 root root    192  8 21 07:08 setenv.sh

 

 

3. BaroPAM configuration file creation

 

The BaroPAM configuration file is created by running the baro_auth program, which is located under /usr/baropam, the directory of the BaroPAM authentication module.

 

Format)

baro_auth -r rate_limit -R rate_time -t cycle_time -c corr_time -k key_method -e encrypt_flag -H hostname -A acl_type -a acl_filename -S secure_key -s filename

 

The setting options of the BaroPAM configuration file are as follows.

Option | Description | Setting value

-r | Limit on the number of one-time authentication key attempts (1~10) | 3

-R | Time window for the attempt limit (seconds, 15~600) | 30

-t | Authentication cycle of the one-time authentication key (seconds, 3~60) | 30

-c | Allowed clock error (seconds) for the one-time authentication key; set when an authentication card is used | 0

-k | Authentication method of the one-time authentication key (app1, app256, app384, app512: app; card1, card256, card384, card512: authentication card) | app512

-e | Whether the configuration file is encrypted (yes or no) | no

-H | Server host name (uname -n) | nurit.co.kr

-A | Whether the accounts listed in the ACL file are allowed (allow) or excluded (deny) for 2nd authentication | deny

-a | ACL file name listing the accounts to be allowed or excluded from 2nd authentication (file mode 444) | /usr/baropam/.baro_acl

-S | Secure key (license key) provided by the vendor | Ri5+xgVdtEBJGlrSD2hvituZxAq0vttx

-s | File name, including directory, of the BaroPAM configuration file to create | /usr/baropam/.baro_auth

 

Note) The -s option gives the file name, including directory, of the BaroPAM configuration file to be created (the file mode is 444). If the host name given with -H does not match the server's actual host name, BaroPAM may not work; whenever the host name changes, update this item in the configuration.

 

Example of use)

[root] /usr/baropam > ./baro_auth -r 3 -R 30 -t 30 -c 0 -k app512 -e no -H nurit.co.kr -A deny -a /usr/baropam/.baro_acl -S Ri5+xgVdtEBJGlrSD2hvituZxAq0vttx -s /usr/baropam/.baro_auth

To keep a separate BaroPAM configuration file for each account, log in as that account (not root) and run the same command with the ACL file and the configuration file under the account's home directory.

[root] /usr/baropam > ./baro_auth -r 3 -R 30 -t 30 -c 0 -k app512 -e no -H nurit.co.kr -A deny -a ~/.baro_acl -S Ri5+xgVdtEBJGlrSD2hvituZxAq0vttx -s ~/.baro_auth

 

1) Your emergency scratch codes are:

The emergency scratch codes are backup authentication keys that let you log in to the SSH server when the BaroPAM app that generates the one-time authentication key is lost or unavailable, so record them somewhere safe, off the server.

2) Answer "y" to each of the following questions.

 even prevent man-in-the-middle attacks (y/n) y

 Do you want to disallow multiple uses of the same authentication key? y

 Will the one-time authentication key timeout be set to 30 seconds? y

 

The contents set in .baro_auth, the BaroPAM configuration file, are as follows.

 

[root] /usr/baropam > cat .baro_auth

" AUTH_KEY

" RATE_LIMIT 3 30

" KEY_METHOD app512

" CORR_TIME 0

" CYCLE_TIME 30

" SECURE_KEY Ri5+xgVdtEBJGlrSD2hvituZxAq0vttx

" ACL_NAME /usr/baropam/.baro_acl

" ACL_TYPE deny

" HOSTNAME nurit.co.kr

" WINDOW_SIZE 17

" DISALLOW_REUSE

33458936

19035576

15364353

54649370

84342192

 

The setting items of .baro_auth, the BaroPAM configuration file, are as follows.

Item | Description | Setting value

AUTH_KEY | Authentication separator (fixed) |

RATE_LIMIT | Limit on the number of one-time authentication key attempts (1~10) and the time window for that limit (seconds, 15~600) | 3 30

KEY_METHOD | Authentication method of the one-time authentication key (app1, app256, app384, app512: app; card1, card256, card384, card512: authentication card) | app512

CORR_TIME | Allowed clock error (seconds) for the one-time authentication key | 0

CYCLE_TIME | Authentication cycle of the one-time authentication key (seconds, 3~60) | 30

SECURE_KEY | Secure key (license key) provided by the vendor | WSa1MUyG+aaiJ1JS/uqtXuBSoRBIIZOL

HOSTNAME | Server host name (uname -n) | nurit.co.kr

ACL_TYPE | Whether the accounts listed in the ACL file are allowed (allow) or excluded (deny) for 2nd authentication | deny

ACL_NAME | ACL file name listing the accounts to be allowed or excluded from 2nd authentication (file mode 444) | /usr/baropam/.baro_acl

WINDOW_SIZE | Calibration window of the one-time authentication key around the current time (-7~7 seconds) | 17

DISALLOW_REUSE or ALLOW_REUSE | With DISALLOW_REUSE, a one-time authentication key that has already been used for a login is rejected for the rest of its authentication cycle, so a key captured in transit cannot be replayed for a second login (this is the "man-in-the-middle" question answered during setup). ALLOW_REUSE permits reuse within the cycle. | DISALLOW_REUSE
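The following script is an added example, not part of the BaroPAM guide or the vendor's software: a POSIX shell audit of a .baro_auth file against the constraints stated in the tables above (file mode 444, RATE_LIMIT 1~10 attempts within 15~600 seconds, CYCLE_TIME 3~60 seconds, HOSTNAME equal to uname -n on the server), plus a count of the remaining emergency scratch codes. It assumes the `" ITEM value` line layout shown in the cat output above; the function names are the example's own, and the sample file used to exercise it is constructed for the example.

```shell
#!/bin/sh
# Audit a BaroPAM configuration file (.baro_auth) against the constraints in
# the option table: mode 444, RATE_LIMIT 1~10 attempts within 15~600 seconds,
# CYCLE_TIME 3~60 seconds, HOSTNAME equal to this host.
# Added example; the `" ITEM value` line layout follows the cat output above.

# baro_get FILE ITEM -> prints the value(s) on the `" ITEM ...` line
baro_get() {
    awk -v key="$2" '$1 == "\"" && $2 == key { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# baro_scratch_count FILE -> number of emergency scratch codes (digit-only lines)
baro_scratch_count() {
    grep -c '^[0-9][0-9]*$' "$1"
}

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# baro_audit FILE [EXPECTED_HOSTNAME] -> 0 if every check passes, 1 otherwise
baro_audit() {
    file="$1"
    host="${2:-$(uname -n)}"
    rc=0

    mode=$(file_mode "$file")
    [ "$mode" = "444" ] || { echo "FAIL: $file mode is $mode, expected 444"; rc=1; }

    # RATE_LIMIT carries two values: attempts and the window in seconds
    set -- $(baro_get "$file" RATE_LIMIT)
    limit="$1"; window="$2"
    { [ "${limit:-0}" -ge 1 ] && [ "$limit" -le 10 ]; } 2>/dev/null \
        || { echo "FAIL: RATE_LIMIT attempts '$limit' outside 1~10"; rc=1; }
    { [ "${window:-0}" -ge 15 ] && [ "$window" -le 600 ]; } 2>/dev/null \
        || { echo "FAIL: RATE_LIMIT seconds '$window' outside 15~600"; rc=1; }

    cycle=$(baro_get "$file" CYCLE_TIME)
    { [ "${cycle:-0}" -ge 3 ] && [ "$cycle" -le 60 ]; } 2>/dev/null \
        || { echo "FAIL: CYCLE_TIME '$cycle' outside 3~60"; rc=1; }

    # A wrong HOSTNAME is called out in the guide as a cause of BaroPAM not working
    cfg_host=$(baro_get "$file" HOSTNAME)
    [ "$cfg_host" = "$host" ] \
        || { echo "FAIL: HOSTNAME '$cfg_host' does not match host '$host'"; rc=1; }

    [ "$(baro_scratch_count "$file")" -gt 0 ] \
        || echo "WARN: no emergency scratch codes left in $file"

    [ $rc -eq 0 ] && echo "OK: $file passes all checks"
    return $rc
}

# Usage: baro_audit /usr/baropam/.baro_auth [hostname]
if [ $# -gt 0 ]; then
    baro_audit "$@"
fi
```

Run it as root after baro_auth has written the file, and again whenever the host name changes; a non-zero exit means at least one constraint from the table is violated.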

 

 

 

4. BaroPAM configuration

 

To enable the BaroPAM module for SSH logins, add the following line at the top of the sshd PAM file.

 

[root] /usr/baropam > vi /etc/pam.d/sshd

#%PAM-1.0

auth       required     /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no

 

For reference, the secret parameter is the name of the BaroPAM configuration file, and encrypt is the encryption/decryption flag (yes or no) for the BaroPAM configuration file.

 

If each account has its own BaroPAM configuration file, add the line with the per-account path instead, again at the top of the sshd PAM file.

 

[root] /usr/baropam > vi /etc/pam.d/sshd

#%PAM-1.0

auth       required     /usr/baropam/pam_baro_auth.so nullok secret=${HOME}/.baro_auth encrypt=no

 

* "nullok" means that 2nd authentication (the one-time authentication key) is skipped for accounts that have no BaroPAM configuration file. This is a fail-open default: until every account is enrolled, an account without a .baro_auth file logs in with its password alone, so remove nullok once enrolment is complete.

 

Clients that cannot drive an interactive prompt, such as FileZilla, need the forward_pass option, which makes PAM accept the password and the one-time authentication key together in the password field. Once forward_pass is set, every client of that service, including the OpenSSH client, Windows Remote Desktop Protocol (RDP), VMware Horizon and FileZilla, must use this combined input.

 

[root] /usr/baropam > vi /etc/pam.d/sshd

#%PAM-1.0

auth       required     /usr/baropam/pam_baro_auth.so forward_pass secret=/usr/baropam/.baro_auth encrypt=no

 

When entering a one-time authentication key such as a password in the password input window (Password & verification code:) using forward_pass, enter the password first and then enter the one-time authentication key without spaces. For example, if the password is "baropam" and the one-time authentication key is "123456", you can enter "baropam123456".

 

 

If you use forward_pass, you can enable 2-factor authentication for most services that require authentication.

 

[root] /usr/baropam > vi /etc/pam.d/su

#%PAM-1.0

auth       required     /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no

 

If you add the BaroPAM module at the top of /etc/pam.d/su, the 2nd authentication key (one-time authentication key) is also required when an ordinary account elevates privileges to "root" with the "su" command, which further improves security.

 

$ su - root

Verification code:

 

On desktop Linux, to use BaroPAM at the graphical login screen, add the same line at the top of the display manager's PAM file as follows.

 

Example) For Debian, Ubuntu, SUSE, and fedora Linux

 

[root] /usr/baropam > vi /etc/pam.d/gdm-password or gdm-autologin

#%PAM-1.0

auth       required     /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no

 

After editing gdm-password (or gdm-autologin), check that the module line was added correctly and then restart the display manager. gdm-password and gdm-autologin are PAM service files, not systemd units; the unit to restart is gdm (gdm3 on Debian and Ubuntu), and restarting it ends the current graphical session.

[root] /usr/baropam > systemctl restart gdm

 

 

Then, a screen for entering "Verification code", a one-time authentication key of BaroPAM, appears on the login screen as follows.

 

 

Example) HamoniKR OS, Cloud OS, Mint Linux

 

[root] /usr/baropam > vi /etc/pam.d/lightdm or lightdm-autologin

#%PAM-1.0

auth       required     /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no

 

After editing lightdm (or lightdm-autologin), check that the module line was added correctly and then restart the display manager. The unit to restart is lightdm; restarting it ends the current graphical session.

[root] /usr/baropam > systemctl restart lightdm

 

 

Then, a screen for entering "Verification code", the one-time authentication key of BaroPAM, appears on the login screen as follows.

 

 

Example) In case of TmaxOS

 

[root] /usr/baropam > vi /etc/pam.d/glogin

#

# $FreeBSD: releng/10.1/etc/pam.d/login 170510 2007-06-10 18:57:20Z yar $

#

# PAM configuration for the "login" service

#

auth       required     /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no

 

After glogin configuration is finished, it is necessary to restart glogin after checking whether the PAM module is properly added.

 

[root] /usr/baropam > systemctl restart glogin

 

 

Then, a screen for entering "Verification code", the one-time authentication key of BaroPAM, appears on the login screen as follows.

 

In "/etc/ssh/sshd_config", the configuration file of the sshd daemon, change the following parameters.

Parameter | Before | After

PasswordAuthentication | yes | no

ChallengeResponseAuthentication | no | yes

UsePAM | no | yes

PasswordAuthentication is turned off so that sshd authenticates through the keyboard-interactive method, which lets the PAM stack prompt for the verification code; ChallengeResponseAuthentication enables that method (on OpenSSH 8.7 and later the keyword is KbdInteractiveAuthentication, with ChallengeResponseAuthentication kept as an alias); UsePAM must be yes or the PAM stack is never consulted. sshd honours the first occurrence of each keyword, so check for an earlier conflicting line, including inside a Match block, before restarting.

 
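Added example, not from the vendor guide: a POSIX shell function that sets an sshd_config keyword idempotently, rewriting a commented-out default line (for example `#PasswordAuthentication yes`) instead of appending a duplicate, and commenting out later duplicates so the first match, which sshd honours, is the one just set. `sshd_get` reads back the effective value of a keyword. The sample configuration it edits is constructed for the example; on a real host point it at /etc/ssh/sshd_config and validate with `sshd -t` before restarting.

```shell
#!/bin/sh
# Idempotently set the three sshd_config keywords the table above requires.
# Added example; it edits the file given as an argument, not the live
# system, unless you point it at /etc/ssh/sshd_config yourself.

# sshd_set FILE KEYWORD VALUE
# Rewrites the first line for KEYWORD, whether active or commented out
# ("#KEYWORD value"), comments out any later occurrence, and appends the
# setting when the keyword is absent. Keyword comparison is case-insensitive,
# as in sshd itself.
sshd_set() {
    file="$1"; key="$2"; val="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$val" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)       # drop leading blanks and a comment marker
            split(line, f, /[ \t=]+/)              # sshd accepts "Key value" or "Key=value"
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " val; done = 1 }
                else       { print "#" $0 }        # neutralise later duplicates
                next
            }
            print
        }
        END { if (!done) print key " " val }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sshd_get FILE KEYWORD -> effective value: the first active (uncommented) line wins
sshd_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                        # skip comment lines
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == tolower(key) { print f[2]; exit }
    ' "$1"
}

# sshd_apply_baropam FILE: apply the "After" column of the table above
sshd_apply_baropam() {
    sshd_set "$1" PasswordAuthentication no
    sshd_set "$1" ChallengeResponseAuthentication yes
    sshd_set "$1" UsePAM yes
}

# sshd_check FILE -> 0 when all three keywords hold the required values
sshd_check() {
    [ "$(sshd_get "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_get "$1" ChallengeResponseAuthentication)" = "yes" ] &&
    [ "$(sshd_get "$1" UsePAM)" = "yes" ]
}

# Usage: sh this_script.sh /etc/ssh/sshd_config   (then: sshd -t && systemctl restart sshd)
if [ $# -gt 0 ]; then
    sshd_apply_baropam "$1" && sshd_check "$1" && echo "sshd_config ready for BaroPAM"
fi
```

The script does not restart sshd for you; keep an existing session open while you restart, so a mistake in the PAM stack does not lock you out of the host.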

 

After sshd configuration is finished, it is necessary to restart SSH Server after checking whether the PAM module is properly added.

 

[root] /usr/baropam > service sshd restart or systemctl restart sshd

Stopping sshd: [  OK  ]

Starting sshd: [  OK  ]

 

Ubuntu, Debian or Linux Mint:

$ systemctl restart ssh

On Ubuntu and Mint, if you cannot connect after restarting ssh, the cause is usually the ufw firewall blocking the SSH port. The guide's remedy is to disable the firewall and restart it with the following commands.

$ sudo ufw disable

$ sudo service ufw restart

A narrower fix that keeps the firewall active is to add a ufw allow rule for the SSH port (22/tcp by default) instead of disabling ufw altogether.

Fedora, CentOS or RHEL:

$ service sshd restart or systemctl restart sshd

 

To exclude accounts from 2nd authentication with the ACL, create the ACL file at the path given in the BaroPAM configuration (ACL_NAME) and list the accounts to exclude, one per line, as follows. The .baro_acl file must have mode 444.

 

[root] /usr/baropam > vi .baro_acl

barokey

baropam

 

If the clock of the information asset differs from the true current time, the one-time authentication key generated by the app does not match the key the server computes. One way to keep the clock aligned is an rdate job in crontab (restart crond after editing):

#Time setting

11 4 * * * /usr/bin/rdate -s time.simplexi.com; /sbin/hwclock --systohc

or

11 4 * * * /usr/bin/rdate -s time.bora.net;

A once-a-day step like this only corrects drift at that moment; NTP, described below, keeps the clock continuously disciplined and is the better choice where it is available.

 

If the server's time zone was not set at installation, the clock may be displayed in a zone other than Korean Standard Time; the guide's installations showed US Pacific time (PST, or PDT during daylight saving time), that is, California time. Set the zone to KST and, if necessary, set the date and time by hand (date MMDDhhmmYYYY.ss; the example sets 2017-11-22 12:29:00) as follows.

> ln -sf /usr/share/zoneinfo/Asia/Seoul /etc/localtime

> date 112212292017.00

 

Recently, it is possible to set the system time as the current time in the root account using NTP (Network Time Protocol) as a method of time synchronization (time server time synchronization) for information assets.

 

NTP requires the ntp package. Check with the following command. If it is missing, install it with "yum install ntp" on Redhat and CentOS 7 and earlier, or with "sudo apt-get install ntp" on Debian and Ubuntu. (CentOS 8 and RHEL 8 ship chrony instead; see below.)

 

[root]# rpm -qa | grep ntp

ntp-4.2.2p1-18.el5.centos

chkfontpath-1.10.1-1.1

 

Registering the ntpd service in the startup program when booting the server and checking whether ntp is activated can be checked with the following command.

 

[root]# chkconfig ntpd on

[root]# chkconfig --list | grep ntp

ntpd            0:off  1:off  2:on  3:on  4:on  5:on  6:off

 

If run level 3 or 5 shows off in the chkconfig listing, ntpd will not start automatically at boot. Enable it for those levels with the following commands.

 

[root]# chkconfig --level 3 ntpd on

[root]# chkconfig --level 5 ntpd on

 

NTP servers operating in Korea are as follows.

 

server kr.pool.ntp.org

server time.bora.net

server time.kornet.net

 

Configure the NTP server operating in Korea in "/etc/ntp.conf", a configuration file for configuring the ntpd daemon, as follows.

 

[root]# vi /etc/ntp.conf

# Use public servers from the pool.ntp.org project.

# Please consider joining the pool (http://www.pool.ntp.org/join.html).

#server 0.centos.pool.ntp.org

#server 1.centos.pool.ntp.org

#server 2.centos.pool.ntp.org

#server 3.centos.pool.ntp.org

server kr.pool.ntp.org iburst

server time.bora.net   iburst

server time.kornet.net iburst

 

The iburst option sends a burst of packets when a server is first contacted, which shortens the time to initial synchronization.

 

After editing ntp.conf, check that the server lines were added correctly and restart the NTP daemon.

 

[root]# /etc/init.d/ntpd restart

Stopping ntpd: [  OK  ]

Starting ntpd: [  OK  ]

 

Check the peers ntpd is using with the following command.

 

[root]# ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter

==============================================================================

 static.betaidc. 106.247.248.106  3 u    7   64    1    2.884  287.718   0.001

 time.bora.net   .INIT.          16 u    -   64    0    0.000    0.000   0.000

 183.110.225.61  .INIT.          16 u    -   64    0    0.000    0.000   0.000

 LOCAL(0)        .LOCL.          10 l    4   64    1    0.000    0.000   0.001

* A peer marked with * in the first column is the one currently used as the synchronization source. In this capture ntpd had only just started: one peer has been reached (reach 1), the others still show .INIT. as refid, and the 287 ms offset had not yet been corrected.

 

On CentOS 8 and RHEL 8 and later, time synchronization is provided by chrony instead of ntp. Check with the following command; if it is missing, install it with "yum install chrony".

 

[root@baropam ~]# rpm -qa | grep chrony

chrony-3.5-1.el8.x86_64

 

NTP servers operating in Korea are as follows.

 

server kr.pool.ntp.org

server time.bora.net

server time.kornet.net

 

Configure the Korean NTP servers in "/etc/chrony.conf", the configuration file of the chronyd daemon, as follows.

 

[root@baropam ~]# vi /etc/chrony.conf

 

# Use public servers from the pool.ntp.org project.

# Please consider joining the pool (http://www.pool.ntp.org/join.html).

#pool 2.centos.pool.ntp.org iburst

server kr.pool.ntp.org iburst

server time.bora.net   iburst

server time.kornet.net iburst

 

# Record the rate at which the system clock gains/losses time.

driftfile /var/lib/chrony/drift

 

# Allow the system clock to be stepped in the first three updates

# if its offset is larger than 1 second.

makestep 1.0 3

 

# Enable kernel synchronization of the real-time clock (RTC).

rtcsync

 

# Enable hardware timestamping on all interfaces that support it.

#hwtimestamp *

 

# Increase the minimum number of selectable sources required to adjust

# the system clock.

#minsources 2

 

# Allow NTP client access from local network.

allow 192.168.0.0/16

 

# Serve time even if not synchronized to a time source.

#local stratum 10

 

# Specify file containing keys for NTP authentication.

keyfile /etc/chrony.keys

 

# Get TAI-UTC offset and leap seconds from the system tz database.

leapsectz right/UTC

 

# Specify directory for log files.

logdir /var/log/chrony

 

# Select which information is logged.

#log measurements statistics tracking

 

After editing chrony.conf, check that the server lines were added correctly, then enable the chronyd service (so it starts at boot) and restart it. The allow line in the listing opens chronyd as a time server to 192.168.0.0/16; it is only needed if other machines synchronize from this host, otherwise leave it commented out.

 

[root@baropam ~]# sudo systemctl enable chronyd

[root@baropam ~]# sudo systemctl restart chronyd

 

Check the chronyd synchronization status with the following commands.

Sources in use (the servers registered in chrony.conf):

 

[root@baropam ~]# chronyc sources

210 Number of sources = 2

MS Name/IP address         Stratum Poll Reach LastRx Last sample              

===============================================================================

^* ec2-54-180-134-81.ap-nor>     2   6   377    43   -349us[-1059us] +/-   24ms

^- time.bora.net                 2   6   377    42  +1398us[+1398us] +/-   90ms

 

Details of the selected source and the current clock offset:

 

[root@baropam ~]# chronyc tracking

Reference ID    : 36B48651 (ec2-54-180-134-81.ap-northeast-2.compute.amazonaw)

Stratum         : 3

Ref time (UTC)  : Sun Mar 22 07:07:43 2020

System time     : 0.000130027 seconds slow of NTP time

Last offset     : -0.000710122 seconds

RMS offset      : 0.000583203 seconds

Frequency       : 19.980 ppm fast

Residual freq   : +0.142 ppm

Skew            : 3.235 ppm

Root delay      : 0.013462566 seconds

Root dispersion : 0.017946836 seconds

Update interval : 65.0 seconds

Leap status     : Normal

 

Time status and synchronization summary:

 

[root@baropam ~]# timedatectl status

               Local time: Sun 2020-03-22 16:08:45 KST

           Universal time: Sun 2020-03-22 07:08:45 UTC

                 RTC time: Sun 2020-03-22 07:08:44

                Time zone: Asia/Seoul (KST, +0900)

System clock synchronized: yes

              NTP service: active

          RTC in local TZ: no
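Added example, not from the guide: a POSIX shell check that reads `chronyc tracking` output and fails when the clock offset is larger than a bound, so it can run from cron or a deployment pipeline before users hit a "verification code does not match" failure of the kind the time-setting paragraphs above describe. The bound is an assumption (5 seconds by default), chosen to stay well inside the 30-second CYCLE_TIME the guide configures; the embedded sample is copied from the tracking output shown above so the check runs offline, and the function name is the example's own.

```shell
#!/bin/sh
# Check whether the system clock is close enough to NTP time for a time-based
# one-time authentication key to be accepted. Parses `chronyc tracking`
# output read from stdin. Added example, not part of the BaroPAM guide; the
# 5-second default bound is an assumption that stays well inside CYCLE_TIME 30.

# clock_offset_check [MAX_SECONDS]   (chronyc tracking output on stdin)
#   exit 0: clock synchronised and |offset| <= MAX_SECONDS
#   exit 1: clock synchronised but the offset is too large
#   exit 2: not synchronised, or the output could not be parsed
clock_offset_check() {
    max="${1:-5}"
    awk -v max="$max" '
        # "System time     : 0.000130027 seconds slow of NTP time"
        /^System time/ {
            sign = ($6 == "fast") ? 1 : -1      # fast = ahead of NTP, slow = behind
            offset = sign * $4
            seen = 1
        }
        # "Leap status     : Normal"   or   "Leap status     : Not synchronised"
        /^Leap status/ {
            leap = $0
            sub(/^[^:]*: */, "", leap)
        }
        END {
            if (!seen) { print "cannot parse chronyc tracking output"; exit 2 }
            if (leap != "Normal") { print "clock not synchronised (leap status: " leap ")"; exit 2 }
            abs = (offset < 0) ? -offset : offset
            if (abs > max) {
                printf "offset %.3f s exceeds %s s: one-time keys will not match\n", offset, max
                exit 1
            }
            printf "offset %.6f s is within %s s\n", offset, max
            exit 0
        }
    '
}

# Constructed sample, copied from the chronyc tracking output shown above,
# so the check can be exercised on a machine without chronyd.
SAMPLE_TRACKING='Reference ID    : 36B48651 (ec2-54-180-134-81.ap-northeast-2.compute.amazonaw)
Stratum         : 3
System time     : 0.000130027 seconds slow of NTP time
Last offset     : -0.000710122 seconds
Leap status     : Normal'

# Live usage:   chronyc tracking | clock_offset_check 5
# Offline demo: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TRACKING" | clock_offset_check 5
fi
```

Exit code 2 is deliberately distinct from 1: a "Not synchronised" clock may still read correctly, but nothing guarantees it, so a pipeline should treat both as a reason to fix time synchronization before enabling BaroPAM.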

 

If the PAM configuration file is misconfigured or damaged, users may no longer be able to log in. The sulogin command does not use PAM, so with the root password you can boot the system into single-user mode and fix the problem.

 

There are several reasons for booting in single-user mode:

 

1) When fsck checks or cleans filesystems other than / and /usr

2) When you forget the administrator (root) password

3) When the /etc/fstab file is incorrectly modified and the booting fails

4) When other critical files have been set incorrectly and must be restored.

 

To boot into single-user (administrator) mode, enter the following at the boot prompt. This is the boot-loader prompt of the CentOS 5 era systems shown above; on GRUB2 with systemd, edit the kernel line in the GRUB menu and append single or systemd.unit=rescue.target instead.

boot: linux single

 

If the system is in operation, it is as follows.

 

 # telinit 1

 

After recovery, you need to switch to multi-user mode.

 

# telinit 3 or

# telinit 5 or

# shutdown -r now

 

 

5. How to connect to Linux

 

When connecting with PuTTY, the procedure is the same as a normal connection apart from one setting: under "Connection -> SSH -> Auth", enable "Attempt keyboard-interactive auth (SSH-2)", then connect to SSH.

 

 

Putty Download and Documentation related materials can be found at the following URL.

 

https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

 

 

 

For putty)

 

When prompted to enter the "Verification code", enter the one-time authentication key generated by the BaroPAM app.

 

If authentication is successful, you can enter the SSH login password as follows.

 

 

For Mobile SSH)

 

When prompted to enter the "Verification code", enter the one-time authentication key generated by the BaroPAM app.

 

If authentication is successful, you can enter the Mobile SSH login password as follows.

 

 

For FileZilla)

 

Connecting with FileZilla differs from the usual procedure. Open "File -> Site Manager", set "Protocol" to "SFTP - SSH File Transfer Protocol" on the General tab, set "Logon Type" to "Interactive", and click "Connect" as follows.

 

 

Then, the password input screen appears as follows. On the password input screen, check the content of "Try:", enter the one-time authentication key generated by the smartphone into the "Password (P):" input field, and click the "OK (O)" button.

 

 

Then, the password input screen appears as follows. In the password input screen, check the contents of "Try:", enter the password for the login account in the "Password (P):" input field, and click the "OK (O)" button to access the server.

 

 

For SFTP (SecureFX))

 

When prompted to enter the "Verification code", enter the one-time authentication key generated by the BaroPAM app.

 

If authentication is successful, you can enter the SFTP login password as follows.

 

 

SecureFX Download and Documentation related materials can be found at the following URL.

 

https://www.vandyke.com/

 

In conclusion, 2nd authentication is an effective way to protect password authentication by adding a further layer of defence. Whether to use it is the user's choice, but adopting 2nd authentication is now the industry norm.

 

If an error such as "Apr 18 12:01:10 localhost sshd[2280]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"" appears, look at /etc/pam.d/system-auth. The pam_succeed_if line there applies the rule only to accounts whose uid is at or above the threshold; set the threshold to the first regular-user uid of your distribution (500 on RHEL/CentOS 6 and earlier, 1000 on RHEL/CentOS 7 and later) and restart sshd. The listing below shows the 500 form.

 

[root] /root > vi /etc/pam.d/system-auth

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        required      pam_deny.so

 

account     required      pam_unix.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     required      pam_permit.so

 

password    requisite     pam_cracklib.so try_first_pass retry=3

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

password    required      pam_deny.so

 

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

 

 

6. BaroPAM environment removal

 

If BaroPAM is installed but the module is no longer to be used, comment out or delete the line added to the sshd PAM file as follows.

 

[root] /usr/baropam > vi /etc/pam.d/sshd

#%PAM-1.0

#auth       required     /usr/baropam/pam_baro_auth.so nullok secret=/usr/baropam/.baro_auth encrypt=no

 

In "/etc/ssh/sshd_config", the configuration file of the sshd daemon, change the following parameters back.

Parameter | Before | After

PasswordAuthentication | no | yes

ChallengeResponseAuthentication | yes | no

UsePAM | yes | no

UsePAM yes is the default on most distributions and is also relied on by the other PAM modules in the sshd stack (account and session checks), so set it back to no only if it was no before BaroPAM was installed.

 

 

After sshd configuration is finished, it is necessary to restart SSH Server after confirming that the PAM module has been properly removed.

 

[root] /usr/baropam > service sshd restart

Stopping sshd: [  OK  ]

Starting sshd: [  OK  ]

 

Ubuntu, Debian or Linux Mint:

$ service ssh restart

 

Fedora:

$ systemctl restart sshd

 

CentOS or RHEL:

$ service sshd restart

 
