WHITE PAPER
Configuring Duo Authentication Quick Guide for PBPS, PBW and PBUL
Configuring Duo: Quick Guide for PBPS, PBW and PBUL © 2018. BeyondTrust Software, Inc.
Contents
Configuring Duo Authentication for PowerBroker Password Safe Using RADIUS ... 2
Configuring Duo Authentication for PowerBroker for Windows Using RADIUS ... 9
Configuring Duo Authentication for PowerBroker for Unix and Linux Using RADIUS ... 12
    Configuring PBUL ... 12
    Testing the Configuration ... 14
Configuring Duo Authentication for PowerBroker Password Safe and Direct Connect Using RADIUS ... 17
Configuring Duo Authentication for PowerBroker Password Safe Using RADIUS
1. Select Start trial on the duo.com web site.
2. Install the Duo mobile app on your phone.
3. As a Duo administrator, create a few users in Duo.
4. When you create a user, give it an email address that lets you enroll the user after you click Send Enrollment Email. The same email address can be used for all users.
5. Create the same users in Active Directory and add them to the Duo Users group.
6. Download the Duo Authentication Proxy (authproxy) from https://duo.com/docs/authproxy_reference. The configuration file used in this guide sets the RADIUS shared secret to btlab16*.
7. Copy the configuration file to C:\Program Files (x86)\Duo Security Authentication Proxy\conf.
8. Start the Duo Authentication Proxy service.
9. In BeyondInsight, create a RADIUS Authentication configuration.
10. Add the Active Directory group Duo Users and grant it the Requestor role for the All Managed Accounts smart rule.
11. Configure RADIUS for the users.
12. Log on to Password Safe with your user name and password.
13. When prompted for the RADIUS response, type push.
14. Approve the push request on your mobile device.
After the request is approved on the phone, you are logged on to Password Safe.
Configuring Duo Authentication for PowerBroker for Windows Using RADIUS
1. Using the Group Policy Editor, create a new configuration for Duo. Increase the timeout to 30 seconds, use btlab16* as the shared secret if you use the configuration file above, and leave the default for Initial Request (User name and Token).
2. Create a user message for Duo.
3. Create a Privileged Identity rule for an application.
4. Create a shortcut to C:\Windows\regedit.exe on your desktop.
When you start regedit.exe using the shortcut (or another method), the user message is displayed. Type push for Method.
After you approve the request on your mobile device, regedit.exe opens.
Configuring Duo Authentication for PowerBroker for Unix and Linux Using RADIUS
To configure your Unix or Linux host for PAM/RADIUS authentication, see the Duo documentation:
https://duo.com/docs/duounix
After you deploy the Duo Authentication Proxy on a supported Windows host in your environment, you can follow these high level steps:
1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so
2. Create a config file for your PAM server: /etc/raddb/server
The format is: ip_address:port sharedsecret timeout
For example (in this guide the Duo Authentication Proxy runs on the BI01 Windows server):
172.16.0.111:1812 btlab16* 30
3. Edit /etc/pam.d/sshd as follows:
auth required pam_radius_auth.so
account required pam_radius_auth.so
password required pam_radius_auth.so
auth substack password-auth
auth include postlogin
----------------------
4. You may need to change /etc/ssh/sshd_config to allow PAM (UsePAM yes).
If PAM is not yet available on the Unix or Linux host, follow the steps in the Duo document above to install it using yum.
5. Restart sshd for the ssh configuration to take effect: service sshd restart
Note: If you plan to use Password Safe with Duo multifactor authentication, configuring the host for PAM/RADIUS is redundant.
Configuring PBUL
We will configure and test one use case around pbrun and a privileged command. These steps are based on 64-bit CentOS.
1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so
2. Create a config file for your PAM server: /etc/raddb/server
3. Create the file pbul_pam_radius under /etc/pam.d:
#task control module
auth required pam_radius_auth.so
account required pam_radius_auth.so
password required pam_radius_auth.so
-----------
4. Configure a role, e.g. DemoRole, to allow elevated commands and use PAM.
5. In /etc/pb/pbul_functions.conf, add this section:
# Procedure DemoRole:
# If 'EnableDemoRole' is enabled, it allows any user in DemoUsers (default all users) to run
# commands in DemoCommands (default 'id' and 'whoami') as 'root'.
#
procedure DemoRole()
{
    if ( EnableDemoRole && user in DemoUsers && (runhost in DemoHosts ||
         TargetRunHostShortName in DemoHosts) && basename(command) in DemoCommands )
    {
        SetRunEnv("root", true);
        accept;
    }
}
6. In /etc/pb/pbul_policy.conf, add this section:
# This enables "Demo role", which allows any user in DemoUsers (default all users) to run
# commands in DemoCommands (default 'id' and 'whoami') as 'root'
# on any host in DemoHosts (default all hosts).
# By default, this role is disabled. To enable it, set EnableDemoRole to true below.
#
# IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
#
EnableDemoRole = true;
DemoUsers = {"amiller", "jsmith1"};
DemoCommands = {"id", "whoami", "useradd", "userdel"};
DemoHosts = {runhost, TargetRunHostShortName};
# Password confirmation before the command runs goes through the pbul_pam_radius PAM service created in step 3.
runconfirmuser = "btuapi";
runconfirmpasswdservice = "pbul_pam_radius";
DemoRole();
7. Create a user on your Unix or Linux host to match the user in Duo, e.g. jsmith1 in the example above.
Testing the Configuration
You are ready to test the configuration.
1. Use PuTTY to log in to the Linux server as jsmith1.
2. Run the privileged command useradd directly: Permission denied.
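Step 2 of both procedures above stores the RADIUS shared secret in clear text in /etc/raddb/server, and step 3 adds the three pam_radius_auth.so lines to a PAM service. The following is an added example, not BeyondTrust or Duo code: it parses the server file format the guide describes (ip_address:port sharedsecret timeout), parses a PAM stack, and checks the points a reviewer would look at: that the three required lines are present, that the secret is not short (the 16-character threshold is this example's own policy), that the timeout is at least the 30 seconds the guide uses for push approval, and that the file holding the secret is not readable by group or others. The sample file contents are constructed from the guide's examples.

```python
"""Added example: check the pam_radius_auth server file and PAM stack from the guide."""
import os
import stat
import tempfile
from dataclasses import dataclass

# Constructed sample content mirroring the guide's examples (not a real deployment).
SAMPLE_SERVER_FILE = "# RADIUS servers for pam_radius_auth\n172.16.0.111:1812 btlab16* 30\n"
SAMPLE_PAM_STACK = """#task control module
auth required pam_radius_auth.so
account required pam_radius_auth.so
password required pam_radius_auth.so
"""
MIN_SECRET_LEN = 16   # this example's policy, not a pam_radius_auth requirement
MIN_TIMEOUT = 30      # the timeout the guide uses so a push can be approved in time


@dataclass(frozen=True)
class RadiusServer:
    host: str
    port: int
    secret: str
    timeout: int


def parse_server_line(line: str) -> RadiusServer:
    """Parse 'host:port secret timeout'; a missing port defaults to 1812 (assumed here)."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"expected 3 fields (server secret timeout): {line!r}")
    server, secret, timeout = parts
    host, sep, port = server.rpartition(":")
    if not sep:
        host, port = server, "1812"
    port_num, timeout_num = int(port), int(timeout)
    if not 1 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port_num}")
    if timeout_num <= 0:
        raise ValueError(f"timeout must be positive: {timeout_num}")
    return RadiusServer(host, port_num, secret, timeout_num)


def parse_server_file(text: str) -> list:
    """Parse every entry, skipping blank lines and '#' comments."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [parse_server_line(ln) for ln in lines if ln and not ln.startswith("#")]


def check_server_entries(entries: list) -> list:
    """Warnings about weak settings; an empty list means nothing was flagged."""
    warnings = []
    if not entries:
        warnings.append("no RADIUS servers configured")
    for e in entries:
        if len(e.secret) < MIN_SECRET_LEN:
            warnings.append(f"{e.host}:{e.port}: shared secret shorter than {MIN_SECRET_LEN} characters")
        if e.timeout < MIN_TIMEOUT:
            warnings.append(f"{e.host}:{e.port}: timeout {e.timeout}s may expire before a push is approved")
    return warnings


def check_secret_file_mode(path: str, expected_uid: int = 0) -> list:
    """The file holds the shared secret in clear text: expect root ownership and no group/other access."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    warnings = []
    if st.st_uid != expected_uid:
        warnings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & 0o077:
        warnings.append(f"{path}: mode {mode:04o} lets group/others read the shared secret")
    return warnings


def parse_pam_stack(text: str) -> list:
    """Return (type, control, module) triples from a PAM configuration file."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def check_pam_stack(entries: list, module: str = "pam_radius_auth.so") -> list:
    """Confirm the guide's three 'required' lines for the RADIUS module are present."""
    return [f"missing line: {t} required {module}"
            for t in ("auth", "account", "password") if (t, "required", module) not in entries]


def demo_mode_check() -> tuple:
    """Write the sample file with a loose mode, check it, tighten to 0600, check again."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE_SERVER_FILE)
        os.chmod(path, 0o644)
        loose = check_secret_file_mode(path, expected_uid=os.getuid())
        os.chmod(path, 0o600)
        tight = check_secret_file_mode(path, expected_uid=os.getuid())
    finally:
        os.unlink(path)
    return loose, tight
```

Run against the guide's own values, the checker accepts the file format and the PAM stack but flags btlab16* as a short shared secret; on a real host, point check_secret_file_mode at /etc/raddb/server and /etc/pam.d/pbul_pam_radius after copying them into place.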
3. Using pbrun, PAM/RADIUS authentication is triggered. Once authenticated, the command executes and the user (backdoor in this example) is created. For the password, type push to get a push request on your mobile device.
4. If push is typed for the password, the approval task is sent to the mobile device.
Since userdel command is also included in policy, you can follow the same steps for userdel.
Configuring Duo Authentication for PowerBroker Password Safe and Direct Connect Using RADIUS
For SSH Direct Connect, you can use the connection string below, over port 4422:
username@managed_account@asset@proxy
Example: btlab\jsmith1@mdavis_uadmin@lserver01@bi01
For RDP, you can use the connection string below, with your proxy (example BI01) as the target server, over port 4489:
username:s:domain\samaccountname+ManagedAccount+asset
Example: username:s:btlab.btu.cloud\jping+Administrator+app01
For RDP, starting with BeyondInsight 6.4.4, you can add the response to the RADIUS interaction in the password field; the default delimiter is a comma (,). For example, password=myPassword,push.
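In every flow in this guide (typing push in Password Safe, in the PowerBroker for Windows Method prompt, at the pbrun password prompt, or as myPassword,push in the RDP password field), the response travels to the Duo Authentication Proxy inside the User-Password attribute of a RADIUS Access-Request, and the only protection that attribute has on the wire is the RFC 2865 section 5.2 hiding keyed by the shared secret (btlab16* in this guide). The following added example, which is not BeyondTrust or Duo code, implements that hiding and its inverse, builds and parses a minimal Access-Request, and splits a BeyondInsight 6.4.4-style password field. It shows why the shared secret and the network path between the BeyondTrust host and the proxy carry the whole burden: anyone holding the secret can recover the password from a captured packet, and the MD5-based construction is not a modern cipher. The NAS-Identifier value, the sample authenticator and whether BeyondInsight splits on the first or last delimiter are assumptions of this example (it splits on the last).

```python
"""Added example: RADIUS Access-Request with an RFC 2865 PAP User-Password (not vendor code)."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_(i-1)); NUL-pad to 16 octets."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: anyone holding the shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         nas_id: bytes = b"bi01", authenticator: bytes = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Request-Authenticator(16) Attributes. nas_id is assumed."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_user_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_access_request(packet: bytes, secret: bytes) -> tuple:
    """Walk the attributes and recover the password with the shared secret."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    if ATTR_USER_PASSWORD in attrs:
        attrs[ATTR_USER_PASSWORD] = reveal_user_password(attrs[ATTR_USER_PASSWORD], secret, authenticator)
    return identifier, attrs


def split_second_factor(password_field: str, delimiter: str = ",") -> tuple:
    """'myPassword,push' -> ('myPassword', 'push'); no delimiter -> (field, None). Splits on the last delimiter (assumed)."""
    if delimiter not in password_field:
        return password_field, None
    password, response = password_field.rsplit(delimiter, 1)
    return password, response
```

The round trip with the guide's values (user jsmith1, secret btlab16*) shows that the hidden attribute is exactly one 16-octet block for myPassword, that it changes with every Request Authenticator, and that parse_access_request recovers the clear password only when given the right secret. In the BeyondInsight 6.4.4 RDP case, split_second_factor separates the Duo response before the password part is placed in the User-Password attribute.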