This technique is being used by a lot of large corporations including banks. This tutorial shows you how to configure OpenVPN to add additional security.
This assumes you already have OpenVPN configured and working properly.
Getting the Google Authenticator
First we need to download the Google Authenticator code. This can be done using "hg". You might need to install Mercurial; if so, it's just as easy as doing:

apt-get install mercurial

We also need some compile tools, so let's install a package of compilers (you can remove this when we're done):

apt-get install build-essential

Let's check out the source code for the Google Authenticator system (the PAM module lives in the libpam directory of the checkout):

cd /tmp && hg clone https://google-authenticator.googlecode.com/hg/ google-authenticator && cd google-authenticator/libpam
Ok, nice, so we now have it checked out. In order to make it work properly with OpenVPN we need to change the Makefile:

vim Makefile

Add the following line after the license part and before the .SUFFIXES line:

LDFLAGS="-lpam"

Save the file and let's proceed, shall we? We need to compile this, so that's easy:

make

No errors? Good. It might be that you get an error about "displayQRCode". If so, you will need to make some changes to the Makefile. If everything went as it should, you can just proceed. Otherwise, find where libdl.so lives on your system:

find /usr/lib -name libdl.so

In the Makefile, replace all 3 references to "/usr/lib/libdl.so" with the path you got (e.g. "/usr/lib/i386-linux-gnu/libdl.so"). Save it, and re-run make. You should now be able to proceed just fine. If it compiled successfully, proceed with installing it:

make install
We're done, let's proceed, shall we?

Configuring OpenVPN to use PAM

Open up /etc/openvpn/server.conf and add the following line:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

This will use PAM to provide an additional means of authentication. The last part (openvpn) is the name of the file in /etc/pam.d we'd like to use. Since we do not want it to interfere with other services (e.g. SSH or sudo) we use a new file rather than an existing one.

Restart OpenVPN to have it re-read the config file.
Configure PAM to authenticate using Google Authenticator
Create the file /etc/pam.d/openvpn by starting from the common account settings, then open it for editing:

cp /etc/pam.d/common-account /etc/pam.d/openvpn
vim /etc/pam.d/openvpn

Add the following line:

auth required pam_google_authenticator.so

If you are using encrypted home directories, you will need to change that to:

auth required pam_google_authenticator.so secret=/var/unencrypted-home/${USER}/.google_authenticator

We're finished with the PAM config. Obviously you can make it a lot more complex, for example by adding IP restrictions (no OTP from trusted IPs) or adding more security.
Configure Google Authenticator
Ok, so we have almost everything in place except the proper config. This should be done per user. Either log in as the user (su - username or directly) and issue the command:

google-authenticator
This will present you with a few questions:

https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/me@myserver%3Fsecret%XXXXXXXXXXXXX
Your new secret key is: XXXXXXXXXXXXXXXXX
Your verification code is 1234567
Your emergency scratch codes are:
11111111
22222222
33333333
44444444
55555555
Do you want me to update your "~/.google_authenticator" file (y/n)

Save the URL & info as we will need that later. Answer "y" and you will get the next question:

Do you want to disallow multiple uses of the same authentication
token? This restricts you to one login about every 30s, but it increases
your chances to notice or even prevent man-in-the-middle attacks (y/n)

You should also answer Y(es) here, as it's far more secure to disallow reusable keys. Answer accordingly and the next question pops up:

By default, tokens are good for 30 seconds and in order to compensate for
possible time-skew between the client and the server, we allow an extra
token before and after the current time. If you experience problems with poor
time synchronization, you can increase the window from its default
size of 1:30min to about 4min. Do you want to do so (y/n)

30 seconds might not be too long, so we could increase the time limit. For me, 30 seconds is enough so I just answer N(o) here.

The final question:

If the computer that you are logging into isn't hardened against brute-force
login attempts, you can enable rate-limiting for the authentication module.
By default, this limits attackers to no more than 3 login attempts every 30s.
Do you want to enable rate-limiting (y/n)

For additional security you should answer (Y)es here.
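To make the three choices above concrete, here is an added example (not Google's libpam code) of a minimal RFC 6238 TOTP verifier: 30-second tokens, a skew window of one step either side that can be widened to the "about 4min" setting, and the "disallow reuse" check. The secret is the RFC 6238 test secret in base32, the form it takes in ~/.google_authenticator and the otpauth:// URL; the reuse tracking is a simplified stand-in for what the module stores in that file.

```python
# Added example: a minimal RFC 6238 TOTP verifier mirroring the
# google-authenticator prompts (30 s tokens, skew window, disallow reuse).
# Not Google's libpam code; the reuse bookkeeping is simplified.
import base64
import hashlib
import hmac
import struct

STEP = 30            # a token is valid for one 30-second step
WINDOW_DEFAULT = 3   # current step plus one before and one after (1:30 min)
WINDOW_WIDE = 17     # +/-8 steps, about 4 minutes on each side

# RFC 6238 test secret "12345678901234567890", base32-encoded as it would
# appear in ~/.google_authenticator or in the otpauth:// URL.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, counter):
    """6-digit HMAC-SHA1 code for one time-step counter (RFC 4226/6238)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%06d" % (code % 1_000_000)


class Verifier:
    """Checks a submitted code the way the module's three options describe."""

    def __init__(self, secret_b32, window=WINDOW_DEFAULT, disallow_reuse=True):
        self.secret = secret_b32
        self.half = window // 2        # steps accepted on each side of "now"
        self.disallow_reuse = disallow_reuse
        self.used = set()              # counters already consumed (simplified)

    def verify(self, code, now):
        cur = int(now) // STEP
        for counter in range(cur - self.half, cur + self.half + 1):
            if hmac.compare_digest(totp(self.secret, counter), code):
                if self.disallow_reuse and counter in self.used:
                    return False       # same token presented a second time
                self.used.add(counter)
                return True
        return False                   # nothing in the window matched


if __name__ == "__main__":
    v = Verifier(SECRET)
    # second call is rejected because the token was already used
    print(totp(SECRET, 1), v.verify("287082", 59), v.verify("287082", 59))
```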
Ok, done! In case you do have encrypted home directories you will need to do one additional step. Until support for encrypted home directories is implemented in the module, you will have to put the secret file outside of the encrypted home folder.

Execute:

mkdir -p /var/unencrypted-home/${USER}/
cp ~/.google_authenticator /var/unencrypted-home/${USER}/
chmod og-rwx /var/unencrypted-home/${USER}/ -R
Configuring the client

The client should have password logins as an additional means of security. If you are using the NetworkManager plugin for OpenVPN you can just switch it to certificate + password; otherwise you will have to enable "auth-user-pass" in your VPN client config.

Wrapping up

Ok, so now we have:
- Installed the Google Authenticator PAM module
- Enabled PAM support for OpenVPN

Once you have installed the Google Authenticator app, have it scan the barcode. The URL we received earlier (the google.com/chart... one) provides a QR code we can scan. Once we scan it, it will automatically configure the client.

So, the next time you log in to your OpenVPN server you will be prompted for an additional password. Provide the 6-digit passcode and you will gain access.