WHITE PAPER Configuring Duo Authentication Quick Guide for PBPS, PBW and PBUL



Configuring Duo: Quick Guide for PBPS, PBW and PBUL © 2018. BeyondTrust Software, Inc.


Contents

Configuring Duo Authentication for PowerBroker Password Safe Using RADIUS ... 2
Configuring Duo Authentication for PowerBroker for Windows Using RADIUS ... 9
Configuring Duo Authentication for PowerBroker for Unix and Linux Using RADIUS ... 12
    Configuring PBUL ... 12
    Testing the Configuration ... 14
Configuring Duo Authentication for PowerBroker Password Safe and Direct Connect Using RADIUS ... 17


Configuring Duo Authentication for PowerBroker Password Safe Using RADIUS

1. Select Start trial on the duo.com web site.

2. Install the Duo mobile app.


3. Create a few users in Duo as Admin.

4. When you create a user, select an email address that will allow you to enroll the user after you click Send Enrollment Email. You can set all users with the same email address.


5. Create users in Active Directory. Add to Duo Users Group.

6. Download the Duo Authentication Proxy (authproxy) from https://duo.com/docs/authproxy_reference and prepare its config file. The config file used in this guide sets:

shared secret = btlab16*

7. Copy the config file to C:\Program Files (x86)\Duo Security Authentication Proxy\conf

8. Start Duo authproxy service.


9. In BeyondInsight, create the RADIUS Authentication configuration.

10. Add the Active Directory group Duo Users. Grant it the Requestor role for the All Managed Accounts smart rule.

11. Configure RADIUS for the users.


12. Log on to Password Safe with user name and password.

13. Type push.


14. Approve the push request on your mobile device.


After the request is approved on the phone, you are logged on to Password Safe.


Configuring Duo Authentication for PowerBroker for Windows Using RADIUS

1. Using Group Policy Editor, create a new config for Duo. Increase the timeout to 30 seconds, use btlab16* for the shared secret if you use the config file above, and leave the default for Initial Request (User name and Token).

2. Create a user message for Duo.


3. Create a Privileged Identity rule for an application.

4. Create a shortcut for C:\Windows\regedit.exe on your desktop.

When you start regedit.exe using the shortcut (or another method), the user message is displayed. Type push for Method.


After you approve the request on your mobile device, regedit.exe opens.


Configuring Duo Authentication for PowerBroker for Unix and Linux Using RADIUS

To configure your Unix or Linux host for PAM/RADIUS authentication, see the Duo web site:

https://duo.com/docs/duounix

After you deploy the Duo Authentication Proxy on a supported Windows host in your environment, follow these high-level steps:

1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so

2. Create a config file for your PAM server: /etc/raddb/server

Format is: ip_address:port sharedsecret timeout

For example (I am running the Duo Authentication Proxy on my BI01 Windows server):

172.16.0.111:1812 btlab16* 30

3. Edit /etc/pam.d/sshd as follows:

auth     required pam_radius_auth.so
account  required pam_radius_auth.so
password required pam_radius_auth.so
auth     substack password-auth
auth     include  postlogin

4. You may need to change /etc/ssh/sshd_config to allow PAM (UsePAM yes). If PAM is not yet available on the Unix or Linux host, follow the steps in the Duo document above to install it using yum.

5. Restart sshd for the SSH configuration to take effect: service sshd restart

Note: If you plan to use Password Safe with Duo multifactor authentication, configuring the host for PAM/RADIUS will be redundant.

Configuring PBUL

We will configure and test one use case around pbrun and a privileged command. These steps are based on 64-bit CentOS.

1. Copy the pam_radius_auth module from /usr/lib/beyondtrust/pb to /lib64/security/pam_radius_auth.so

2. Create a config file for your PAM server: /etc/raddb/server

3. Create the file pbul_pam_radius under /etc/pam.d:


#task control module
auth     required pam_radius_auth.so
account  required pam_radius_auth.so
password required pam_radius_auth.so

4. Configure a role, e.g. DemoRole, to allow elevated commands and use PAM.

5. In /etc/pb/pbul_functions.conf, add this section:

# Procedure DemoRole:
# If 'EnableDemoRole' is enabled, it allows any user in DemoUsers (default all users) to run
# commands in DemoCommands (default 'id' and 'whoami') as 'root'
#
procedure DemoRole()
{
    if ( EnableDemoRole && user in DemoUsers &&
         (runhost in DemoHosts || TargetRunHostShortName in DemoHosts) &&
         basename(command) in DemoCommands )
    {
        SetRunEnv("root", true);
        accept;
    }
}

6. In /etc/pb/pbul_policy.conf, add this section:

# This enables "Demo role", which allows any user in DemoUsers (default all users) to run
# commands in DemoCommands (default 'id' and 'whoami') as 'root'
# on any host in DemoHosts (default all hosts)
# By default, this role is disabled. To enable it, set EnableDemoRole to true below.
#
# IMPORTANT: note that ANY command in the list of DemoCommands will run as 'root'.
#
EnableDemoRole = true;
DemoUsers = {"amiller", "jsmith1"};
DemoCommands = {"id", "whoami", "useradd", "userdel"};
DemoHosts = {runhost, TargetRunHostShortName};
runconfirmuser = "btuapi";
runconfirmpasswdservice = "pbul_pam_radius";
DemoRole();


7. Create a user on your Unix or Linux host to match the user in Duo, e.g. jsmith1 in the example above.
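The file edits from the PAM/RADIUS steps above (the sshd stack in the previous section and the pbul_pam_radius service used by PBUL here), as an added shell script that is not part of the BeyondTrust guide. ROOT is an assumed hook so the functions can be dry-run against a scratch directory; the host, port, secret and timeout are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the BeyondTrust guide: scripts the PAM/RADIUS file edits.
# ROOT is an assumed test hook: empty edits the live host, a scratch dir is a dry run.
ROOT="${ROOT:-}"

# Step 1: install the pam_radius_auth module shipped with PBUL.
install_pam_radius() {
  mkdir -p "$ROOT/lib64/security"
  cp "$ROOT/usr/lib/beyondtrust/pb/pam_radius_auth.so" "$ROOT/lib64/security/"
}

# Step 2: /etc/raddb/server holds the RADIUS shared secret in clear text, so it
# is created root-only (umask 077 -> mode 600). Args: host:port secret timeout.
write_radius_server() {
  mkdir -p "$ROOT/etc/raddb"
  ( umask 077; printf '%s %s %s\n' "$1" "$2" "$3" > "$ROOT/etc/raddb/server" )
}

# Reject a server file that is not exactly "ip:port secret timeout".
check_radius_server() {
  awk 'NF != 3 || $1 !~ /^[0-9.]+:[0-9]+$/ || $3 !~ /^[0-9]+$/ { bad = 1 }
       END { exit bad }' "$ROOT/etc/raddb/server"
}

# Step 3: write a PAM service stacked on pam_radius_auth. "sshd" gets the distro
# stacks appended as in the guide; "pbul_pam_radius" needs only the RADIUS lines.
write_pam_service() {
  mkdir -p "$ROOT/etc/pam.d"
  {
    printf '#task control module\n'
    printf 'auth     required pam_radius_auth.so\n'
    printf 'account  required pam_radius_auth.so\n'
    printf 'password required pam_radius_auth.so\n'
    if [ "$1" = "sshd" ]; then
      printf 'auth     substack password-auth\n'
      printf 'auth     include  postlogin\n'
    fi
  } > "$ROOT/etc/pam.d/$1"
}

# Step 4: sshd must hand authentication to PAM (directive is spelled UsePAM).
# Existing UsePAM lines are dropped so a later "UsePAM no" cannot override ours.
enable_usepam() {
  cfg="$ROOT/etc/ssh/sshd_config"
  mkdir -p "$ROOT/etc/ssh"
  grep -iv '^[[:space:]]*UsePAM' "$cfg" 2>/dev/null > "$cfg.tmp" || true
  echo 'UsePAM yes' >> "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
}
```

Step 5 (service sshd restart) is left to the operator after the checks pass; run check_radius_server before restarting so a malformed server file does not lock SSH logins out.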

Testing the Configuration

You are ready to test the configuration.

1. Use PuTTY to log in to the Linux server as jsmith1.

2. Run the privileged command useradd directly: Permission denied.


3. Using pbrun, PAM/RADIUS authentication is triggered. Once authenticated, the command executes and the user backdoor is created. For the password, type push to get a push request on your mobile device.

4. If push is typed for the password, the approval task is sent to the mobile device.


Since userdel command is also included in policy, you can follow the same steps for userdel.


Configuring Duo Authentication for PowerBroker Password Safe and Direct Connect Using RADIUS

For SSH Direct Connect, you can use the connection string below, over port 4422:

username@managed_account@asset@proxy

Example: btlab\jsmith1@mdavis_uadmin@lserver01@bi01

For RDP, you can use the connection string below, with your proxy (example BI01) as the target server, over port 4489:

username:s:domain\samaccountname+ManagedAccount+asset

Example: username:s:btlab.btu.cloud\jping+Administrator+app01

For RDP, starting with BeyondInsight 6.4.4, you can add the response to the RADIUS interaction in the password field; the default delimiter is a comma (,). For example, password=myPassword,push.