Freeradius and OTP

People often wonder how they can harden their OS X environment. There are many methods and tools that can be used to harden a system. Most admins live and die by SSH; however, for those who are not seasoned with SSH it can be a daunting task.

To help protect weak passwords you can set up your OS X infrastructure to use One Time Password (OTP). Here is a the internet standard surrounding OTP. Depending on your environment the prerequisites for setting up OTP on a machine may vary, but you will need these at minimum:

  • OTP Server
  • Auth Module
  • OS X System
  • Static Address
  • Shared Secret

I actually utilize FreeRADIUS pam auth module, version 1.3.17, in this write up. Version 1.3.17 has some bugs, thus the reason I had to write up how I was able to utilize the buggy version. FreeRADIUS has released version 1.4, which is suppose to address the problems in 1.3.17. For those who have not updated or seen 1.4 you can use this write up to get the 1.3.17 module working. 

The first thing to do is download version 1.3.17 from https://github.com/FreeRADIUS/pam_radius. Then, unzip the file and move the folder onto your Desktop. Before you run the Make command, there are some edits that need to be made to Makefile and the pam_radius_auth.c file. If you try to compile without making the edits then this error will occur:

" pam_radius_auth.c:358:23: error: variable has incomplete type 'struct timezone’:

      struct timezone tz;

To counter this error you must change line 358:23 you must add in the follow lines above the struct timeval tv;

struct timeval {
 time_t tv_sec;
 suseconds_t tv_usec;
struct timezone {
 int tz_minuteswest;
 int tz_dsttime;

It should look like the following screenshot:

After this edit your code should be able to compile however what I found if you system is considered newer you will need run a different GCC command in order to compile correctly. The error you receive when running the make command without making a change to the Makefile is:

ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

In order to combat this you must edit the Makefile. Within the Makefile there is a section called Build Shared Library. Inside of Build Shared Library it states “On systems with a newer GCC, you will need to do:" gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so". You will want to uncomment out the code for gcc.

Next copy gcc line and run it in your terminal but with a -v flag at the end:

gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so

The output of the command should look like the following:

Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld" -demangle -dynamic -dylib -arch x86_64 -macosx_version_min 10.10.0 -syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk -o pam_radius_auth.so pam_radius_auth.o md5.o -lpam -lc -lSystem /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib/darwin/libclang_rt.osx.a

ou will need to copy this section of code and enter it into your terminal. Once it completes, run the make command, which should result in a correct compile.

After these steps you will now have a complete and function pam_radius_auth.so. Half of OTP setup is now is complete.

Next, you will need to edit the proper configuration files, move the pam_radius_auth.so into the proper location, and test.

Configuration Files Editing

Navigate to /etc/sshd_config. Only lines that need to be edited inside of the file are the following:

Some lines maybe yes or no, you want to ensure they look like the previous image. 

After that you will need to move pam_radius_auth.so file into its correct place "/usr/lib/pam". Next navigate to “/etc” and create pam_radius.conf file or utilize one with the pam_radius.conf that was located in the zipped pam_radius folder on your desktop. Inside of the .conf file you will be specifiy the information about your OTP server. The information you will need to procure from your identity management or cyber team are:

  • server
  • shared_secret
  • timeout

Here is an example of the file. I would leave your localhost there, as the conf file indicates and add your infrastructure below the localhost.

Next you will need to edit the "/etc/pam.d/sshd". This file will tell your system where to find your pam_radius.conf. It also dictates which .so files to use for pam authorization. A non edited conf file will have nothing commented out. You will need to add in the line 5 into your file.

Using free radius, my file looks like the following:

Once you have all these items in place I would reboot the system and test OTP to ensure authentication is working properly. During testing, remember to have the console open on the device you are setting up OTP on in order to provide possible insight into any errors

If you have any questions please do not hesitate to comment to drop me a line info @ jasonkmiller.com or jason @ jasonkmiller.co