Monday, January 23, 2017

Installing and Using Google Authenticator for Two Factor Auth on a Checkpoint 750



Hi all, in Installing Kali Linux on a Checkpoint 750 SMB Gaia Emebedded Firewall I dropped a hint about a reason to do this. Well here is an interesting use case. We can create a free stand alone 2 factor authentication system for VPN users using Google Authenticator. BTW I updated the Kali install. I forgot about mounting proc and sys. Head over there and check the update if you've not already.

For example say you didn't have a external radius sever and/or user directory (ldap, MS DC etc). Using this method you can have a working two factor authentication system that doesn't require connectivity to an external radius server. Granted you can always just pull the radius config out of this write up as well. By the end of this the goal is to show how to put all this together.

Here is a list of the moving part we'll be using.
The way this will be tied together is the following.

Request comes into the firewall in the following form

username
unix passwd password + OTP


  1. Firewall forwards request to Free Radius (which is installed on the 750 in this case).
  2. Free Radius passes the username and password to via the Radius PAM module.
  3. PAM passes the username and password to the Google LibPAM module. 
  4. Google's libpam module strips the OTP off the password string and verifies the OTP with google. If the authentication is good Google's libpam sends the password (without the OTP) string back to pam.
  5. Pam then checks the password using the normal unix checks.

If everything is good the FreeRadius sends an accept message back to the firewall and then you're golden!

Now before we get too much further into this let me give you a little warning. This will require some hacking. Why is that you ask? Well.. Kali (guessing most if not all Debian based OSes) assumes the Linux kernel has audit support enabled but the kernel on the 750 does not as seen by

[Expert@FW750]# gzip -dc /proc/config.gz | egrep -i audit
# CONFIG_AUDIT is not set
[Expert@FW750]# 

This causes Google's pam module to fail when creating a network connection. Found this with strace. Basically you'll see socket(bla NETLINK_ADUIT) error =PROTOUNSUPPORTED or something like that.

There might be a better way of dealing with this, but the current work around is to recompile the pam package. What is kind of a pain is if there is an update to pam and you update the chroot with say apt-get upgrade or something then you'll need to recompile the package with the new pam module. You can always make more then one chroot also so you could make one just for Free Radius and a different one for all the things Kali can do.

Right so anyway... Let configure some stuff. I'm going to assume you already have the chroot setup so i'll be going right into that, but first add a loop interface. This will be a private interface we'll be telling freeraidus to use. You should also create 2 firewall rules for this under the "Incoming, Internal and VPN traffic" section. One to allow radius from loop00 to loop00 and a second rule to deny all other radius. BTW radius object has a timeout of 3600 seconds (seems high for udp) so if you've already passed traffic the deny rule won't take effect until radius falls out of the connections table. I lowered radius timeout to 30 seconds. ok ok ok.. configure stuff.

From clish run the following to create a loop interface for radius.

FW750> add interface-loopback ipv4-address 172.16.31.1

Next we'll login to the chroot and update the apt-get system then install some packages (FreeRadius, Google libpam). BTW make sure proc and sys are mounted inside the chroot. I updated the kali write up about that.

[Expert@FW750]# chroot /mnt/sd/kali-chroot bash -l
root@FW750:/# apt-get update
!stuff happens
root@FW750:/# apt-get install libpam-google-authenticator freeradius
! lots of output
!don't worry about java errors. freeradius must have javasupport enable by default.
Do you want to continue? [Y/n] y
root@FW750:/#

A lot of things will start download. Lets queue up some Music while we wait.

After a few minutes you'll have almost everything you need. 

############
# Start hacking
############

# This part is only needed for installing on the 750. If you're by chance running through this for an external radius server you can skip this.

So now we have all our apps installed. Lets rebuild pam! 

First you'll need to tell apt you'll be downloading source. If your not sure how to change /etc/apt/source.list basically just copy whats there and change the starting 'deb' to 'deb-src'. This will do that for you if you super lazy. We'll also be installing everything needed to build pam.

root@FW750:/# egrep -q '^deb-src' /etc/apt/sources.list || sed 's/^deb /deb-src /' /etc/apt/sources.list >> /etc/apt/sources.list
root@FW750:/# mkdir pam ; cd pam
root@FW750:/pam# apt-get update    
more stuff
Reading package lists... Done
root@FW750:/pam# apt-get build-dep pam
!more output stuff
root@FW750:/# export CONFIGURE_OPTS="--disable-audit" ; apt-get source --compile pam
root@FW750:/pam# dpkg -i libpam-modules_1.1.8-3.5_armhf.deb libpam-modules-bin_1.1.8-3.5_armhf.deb libpam-runtime_1.1.8-3.5_all.deb libpam0g_1.1.8-3.5_armhf.deb
root@FW750:/pam#

ok all done /pam you can delete this entire dir if you want.

###########
# End hacking
###########

Ok right.. so lets configure everything!

###########
# Start Radius config!
###########

Edit /etc/pam.d/radiusd. This is what we want it to look like. This is so the user FreeRadius runs as can read the users Google authenticator configuration file.

auth       required    pam_google_authenticator.so forward_pass
auth   required pam_unix.so use_first_pass
#@include common-auth
@include common-account
@include common-password
@include common-session

Now edit

/etc/freeradius/3.0/users

Add this to the top of it.This basically says if the unix user is a member of /etc/group "disabled" then reject the radius request. Next part says pass the user login to the pam backend.

DEFAULT Group == "disabled", Auth-Type := Reject
Reply-Message = "Your account has been disabled."
DEFAULT Auth-Type := PAM

run the following to enable the pam module

ln -s /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-available/pam

setup the client IP and Password for radius packets from the firewall.

edit 

/etc/freeradius/3.0/clients

# Add the Use the loop address we created earlier.
client  firewall {
ipaddr = 172.16.31.1
secret = somepw
}


Now lets edit the main site radius server config.

/etc/freeradius/3.0/sites-enabled/default

replace all
ipaddr = *

with
ipaddr = 172.16.31.1


Comment out ALL the IPv6 sections (the entire section)

uncomment the pam section (around line 489)
        #  Pluggable Authentication Modules.
        pam


edit

/etc/freeradius/3.0/proxy.conf

uncomment src_ip and set it to the loop00 interface IP as well.

src_ipaddr = 172.16.31.1


Geez.. are we done yet? As it turns out.. almost! We're now going to make the FreeRadius server run as root. This is needed because the google pam module will switch to the user's uid before reading the config file. I did try the pam option to allow perms 0660 but because of the uid switch I couldn't get it to work.

edit

/etc/freeradius/3.0/radiusd.conf

and change user and group to root.

        user = root
        group = root


###########
# End Radius config!
###########


###########
# Start of google authenticator config.
###########

First add a unix user. This will be the user account you configure for the VPN. I'll make a testuser account. Afterwards log as test user and setup google-authenticator. BTW you might want to full size your ssh session so you can see the full QRcode on the console (yes that work.. amamzing).

root@FW750:/pam# adduser testuser
Adding user `testuser' ...
Adding new group `testuser' (1000) ...
Adding new user `testuser' (1000) with group `testuser' ...
Creating home directory `/home/testuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for testuser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] y
root@FW750:/pam# su - testuser
testuser@FW750:~$ google-authenticator

Answer yes to all questions, open the app and take a pic of the QRcode with the app (i used iOS version). This will fully configure the OTP app. Side note.. that is so cool..

###########
# End of google config
###########

OK, lets fire it up!

logout of the chroot jail and start the radius server.

root@FW750:/# exit
logout
[Expert@FW750]# chroot /mnt/sd/test/kali-chroot freeradius
[Expert@FW750]# ps axuw | egrep '[U]SER|[f]reeradius'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root     24025  0.5  0.8  55624  8332 ?        Ssl  06:27   0:00 freeradius
[Expert@FW750]# 

##########
# Firewall config (ok well I created the loop00 interface way above but firewall config!)
##########

Now to wrap everything up, make your firewall rules look like this.



Then go to VPN -> Authinication Servers -> Primary Raidius -> Configure ( here the 172.16.31.1:1812 is. My doesn't say configure because I already configured it). Also make sure you're using the same secret key from the radius config.


Lastly hit the "permissions for RADIUS users" and fill everything out. Make sure the check mark is enabled. Send all users. I'm not sure that the role matters. I think its just adding an extra A/V pair that the radius server is ignoring, but i went with network admin.


And then to wrap up the config. Setup freeradius to start on startup.

Here is my startup script.

[Expert@FW750]# cat /pfrm2.0/etc/userScript
mount /dev/sda1 /mnt/sd
mount -t proc proc /mnt/sd/kali-chroot/proc
mount -t sysfs sysfs /mnt/sd/kali-chroot/sys
ln -s /bin/busybox /bin/crond
mkdir -p /mnt/sd/backups
mkdir -p /var/spool/cron/crontabs/
cp /storage/*.zip /mnt/sd/backups
echo '1 1 * * *  cp /storage/*.zip /mnt/sd/backups' >> /var/spool/cron/crontabs/root
chmod 600 /var/spool/cron/crontabs/root
/bin/crond
chroot /mnt/sd/kali-chroot freeradius
[Expert@FW750]#


########
# If something goes wrong!
########

Most the the problems I were with the radius configs. If you want to debug radius run it with the -XXX arguments and you'll get a decent amount of debug output. It can also be useful to start rsyslog inside the chroot for more log. Also the google pam module has a debug option. Follow the link at the top for more info. In addition you can add the word "debug" to the pam_google_authenticator.so line in /etc/pam.d/radiusd file. This will spit out helpful into on what Google Authenticator is doing. Make sure NTP is enabled and that the clock is synced. If not you'll have to sync the clock and possibly recreate the token.

#########
# I want more users!
#########
So login to the chroot and add them! Just run through the google authenticator config section for every user.

That's all for now!

No comments:

Post a Comment

Danger Will Robinson!