Not all technical blog posts are created equal.

The internet is the second-largest source of opinions (the first being politicians).

But what does that have to do with Technical Blogs?

Recently I embarked on a security-focused project of adding 2-factor authentication to some of the network authentication systems at work.  A few Google searches later and you’ll find a bunch of results for ‘How to configure Radius with Google Authenticator.’ That sounds great! However, almost every implementation of this SECURITY-focused solution involves breaking all of the security systems in place on the Linux server that is doing the authentication.

Now I appreciate the efforts made and the post was very helpful for a POC… however there are a few issues with this guide.

  1. Changing the program to run as root
  2. Disabling SELinux (disabled by default on Ubuntu, the OS of choice)
  3. Does not scale (each user is instructed to log in and generate a QR code)

A few things can be done to fix this.

  1. Give radiusd access to the Google Authenticator tokens
  2. Use the SELinux tools to create an SELinux policy
  3. Check the documentation for better security options (have PAM access files as radiusd)

So for the first fix: put all keys in a single directory, say /var/lib/google-auth/, and then update the PAM config with secret=/var/lib/google-auth/${USER}

For the next fix: use audit2allow to create a policy file. I keep them in this format and then compile them with an Ansible role.

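 # Let radiusd (radiusd_t) reach the token files labelled var_auth_t.
 module googleauth_radius 1.0;
 require {
     type var_auth_t;
     type radiusd_t;
     class dir search;
     class file { read open getattr write };
 }
 # radiusd may traverse the token directory...
 allow radiusd_t var_auth_t:dir search;
 # ...and read and write the per-user token files inside it.
 allow radiusd_t var_auth_t:file { read open getattr write };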

The above assumes you already installed google-authenticator, either with the RPM from COPR or built from source, as var_auth_t is created by google auth.

Lastly: tell PAM to access files as user=radiusd and chmod all files to 0400, as only radiusd needs to access the files (ensure the SELinux context is assigned as var_auth_t for the folder and the files under it as well).
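To check that the three fixes above actually hold on a host, here is an added audit script (not part of the original post or of any project it mentions). The function name `audit_secrets` is hypothetical, it assumes GNU `stat`, and it only checks the SELinux label when `selinuxenabled` reports that SELinux is on.

```shell
#!/bin/sh
# Added example: audit the per-user token files that radiusd reads via PAM.
# Assumes GNU stat (Linux). audit_secrets is a hypothetical helper name.

# audit_secrets DIR OWNER [SELINUX_TYPE]
# Prints one line per finding; returns 0 if clean, 1 if anything is off.
audit_secrets() {
    dir=$1 owner=$2 setype=${3:-var_auth_t}
    bad=0
    # Only compare labels on hosts where SELinux is actually enabled.
    check_label=0
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        check_label=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # empty directory: glob unmatched
        # A symlink or subdirectory where a token file should be is a finding.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "NOT-REGULAR-FILE $f"; bad=1; continue
        fi
        mode=$(stat -c '%a' "$f")
        who=$(stat -c '%U' "$f")
        [ "$mode" = "400" ] || { echo "MODE $mode (want 400) $f"; bad=1; }
        [ "$who" = "$owner" ] || { echo "OWNER $who (want $owner) $f"; bad=1; }
        if [ "$check_label" -eq 1 ]; then
            ctx=$(stat -c '%C' "$f")
            case $ctx in
                *:"$setype":*) ;;                # user:role:TYPE:level
                *) echo "LABEL $ctx (want $setype) $f"; bad=1 ;;
            esac
        fi
    done
    return "$bad"
}

# Typical run on the RADIUS host, with the path and user named in the post:
#   audit_secrets /var/lib/google-auth radiusd
```

A non-zero exit status makes it easy to wire into the same Ansible run that deploys the policy.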

Recap:

This is just one example of the difference between someone who can search/copy/paste and someone who has true google-fu: finding something close, but always making it a bit more secure than what’s already out there.

Comment below if you have questions or would like some more information on a topic!  Happy Googling!
