Network Management Strategies for the CIO
First in the three-part series, "Using TACACS+ to manage Cisco networking devices ."
 |
|
Requires Free Membership to View
| Read about Michael | |
| |
- The ability to limit NAS access to the daemon using libwrap, from Wietse Venema's TCP Wrappers. The source is available at ftp://ftp.porcupine.org/p ub/security/index.html/.
- The ability to permit or deny (by user or group) access to NAS's using REGEX-based access control lists.
- The daemon also expands the TACACS+ ability to provide password authentication by adding the ability to define and enable a password for a user or group.
Adding thor:
Reminder -- Only use this method if you are directly connected. If you are using telnet or rlogin exit with no password and use keyinit -s.
Enter secret password:
Again secret password:
ID thor s/key is 99 le49885
AWE JOAN JAG LOON PAD PEP
thor@hammer bin$
At initialization, user derived secret password is hashed 99 times using the MD4 or MD5 hash algorithm. The last key of the run (in this case number 99) is then stored in the S/KEY password file /etc/skeykeys. When the user logs in, S/KEY asks for the next recursive password to the one has stored in /etc/skeykeys. Look at this login example: login: thor
s/key 98 le49885
Password:
In this example, since it is the first login, it uses the hash that generated when the user initialized S/KEY. Here is what the /etc/skeykeys file looked like before the user authenticated: thor 0099 le49885 04b43c7d59231866 Jan 08,2002 23:18:16
The user password response can be calculated using an S/KEY calculator or the user could print out a list of OTPs. (See the end of this article for a list of S/KEY calculator sources.) The password is calculated using the hash number, salt, derived form the user login or hostname (depending on implementation) and the user's secret password. The result is 6 strings of text characters or words: LIFE BRAN OATH ROOD BOGY TUM
Once the password is calculated and entered, it is hashed and compared to the stored key. If they match, your login is successful. S/KEY then updates /etc/skeykeys with the hash you just authenticated with, to use as a comparison for the next login. You can see that from looking at the /etc/skeykeys file: thor 0098 le49885 6c84eb77dbb3b69a Jan 09,2002 00:15:26
When the key count reaches zero, you will be unable to login. So prior to reaching zero, you will want to generate a new key sequence. By default, 99 keys are generated. It is possible to generate more at initialization using the [-n count] flag where count is 1 to 10,000, indicating the number of keys you want generated. To generate new keys run the skeyinit with the [-s] flag. Building your SSA system The assumption here is that you have loaded Linux onto the server, it is up and running, and it has access to the Internet. To start building the server, you will need to download each of the packages and build and install them in the following order: Step 1. Building TCP wrappers TCP wrappers (TCPD) is an application that allows us to permit or deny access or to log and respond to an unauthorized access to any "wrapped" inetd service. Inetd is the "super process" responsible for launching network services like telnet and ftp. Functionally, TCPD operates as a proxy and an access control filter. Tcpd "listens" for incoming connections to the wrapped service's port. Connections are filtered, and those with permitted origin addressing are handed off the service daemon. Many network service daemons also provide the ability to use the "wrapper: permit/deny" facility for access control when running as a standalone service. Access control for wrapped services are managed using two files: /etc/hosts.allow and /etc/hosts.deny. These files make up the permit/deny rule base, which can be defined for all services, or on a service-by-service basis. Filtering definitions can use either hostnames/ipaddresses to define access for a single hosts or domain names or IP prefixes to define access for groups. Building the TCPD daemon is easy and comes with good documentation. There are also numerous resources on TCP wrappers available on the web. Here are the steps of building TCPD and its supporting applications: Extract the source: tar xvfz tcp_wrappers_7.6.tar.gz
cd tcp_wrappers_7.6
Edit the Makefile, and uncomment the STYLE option to enable the TCP wrappers language extension option, which gives you the ability to have TCPD execute commands and print message banners when users log in to services (see the hosts_options.5 man page for all of the options). STYLE = -DPROCESS_OPTIONS # Enable language extensions.
The second change is a custom option, which is to direct TCPD syslog messages to a specific log file. This has a few steps. First, comment out the FACILITY definition and add a new one. In the example below, event messages are sent to syslog facility LOCAL7; the priority should be left unchanged at INFO. #FACILITY= LOG_MAIL # LOG_MAIL is what most sendmail daemons use
FACILITY= LOG_LOCAL7 # local7 reporting requires that you edit syslog.conf
Now save your edits and close the Makefile. To have syslogd direct the messages to the correct file, the log file needs to be created and the /etc/syslogd.conf file needs to be edited. To create the log file type the following: touch /var/log/tcpd
This creates the log file var/log/tcpd. Then edit the /etc/syslog.conf file and add the following line: local7.info /var/log/tcpd
Close the /etc/syslog.conf file and restart syslogd, Now, build the daemon: make REAL_DAEMON_DIR=/usr/sbin linux
Once the build is completed, install the daemon and supporting apps. cp -f safe_finger /usr/sbin
cp -f tcpd /usr/sbin
cp -f tcpdchk /usr/sbin
cp -f try-from /usr/sbin
cp -f libwrap.a /usr/lib
Now TCPD and libwrap.a are installed, so we are ready to move on to building S/KEY. Step 2. Building S/KEY The S/KEY build is very straightforward, just use the following commands: tar xvfz skey-1.1.5.tar.gz
cd skey-1.1.5.
./configure --prefix=/usr --sysconfdir=/etc
make
make install
Once installed, the S/KEY applications will be installed in /usr/bin, the libskey.a will be installed in /usr/lib, and the skeykeys file will be located in /etc. Step 3. Building SSH Once SSH is installed, there is no reason to install ftp or telnet on the server. If you are using a Red Hat "workstation" install, you will have the ftp and telnet clients but not the service daemons (by default, no network services are configured). The SSH daemon will support TCPD-style host filtering using the /etc/hosts.allow and /etc/hosts.deny files. By default, all hosts are permitted access. To restrict access to localhost and by IP subnet prefix, edit the hosts.allow and hosts.deny files as follows (change the addresses to match you network requirements): # hosts.allow
# service : access control (ALL, {ip prefix}, host or domain name, {host ip # address}
#
sshd : LOCAL, 192.168.100, 192.168.101, 192.168.2.1
#hosts.deny
#
ALL:ALL
The SSH build takes some time, but is also easy. To start, OpenSSL must be installed. The build process is as follows: tar xvfz openssl-0.9.6c.tar.gz cd openssl-0.9.6c
./config -prefix=/usr
make install
OpenSSH is dependent on OpenSSL, so to install the package or compile the source you will need to get OpenSSL at http://www.openssl.org/. Specifically, you need the OpenSSL header files that will be installed in /usr/include/openssl, and libssl.a for installation in /usr/lib. If you do not use the [-prefix] config option flag as used in the example above, the library and header files will be installed in /usr/local/include and /usr/local/lib. Once OpenSSL is installed, OpenSSH can be built. Like the OpenSSL build, we need to define some configuration parameters to include support for S/KEY OTP and TCP wrappers support. Here is the build process: tar xvfz openssh-3.0.2p1.tar.gz
cd openssh-3.0.2p1
./configure --prefix=/usr --sysconfdir=/etc --with-tcp-wrappers=/usr/lib / --with-skey=/usr/lib
make install
The build will install the SSH client programs in /usr/bin, configuration file and host keys in /etc, and the daemon in /usr/sbin. To have sshd launch at boot, edit /etc/rc.d/rc.local and add the following: Echo Starting sshd
/usr/sbin/sshd
Save your changes to /etc/rc.d/rc.local, and the SSH install is complete. Step 4. Building the TACACS+ daemon The last step is to build the TACACS+ daemon. Once you have downloaded the source from Shrubbery.net and expanded the tar file, you can proceed. tar xvfz tac_plus.F4.0.4.alpha+acl+libwrap.tar.gz
cd tac_plus.F4.0.4.alpha+heas/
The distribution Makefile needs to be edited somewhat. Specifically, the OS compiler options, library paths, and some operational parameters need to be defined. By default, the Makefile is configured to build a daemon for Solaris. To build the definition to Linux, the Solaris options need to be commented out: # For Solaris (SUNOS 5.3, 5.4, 5.5, 5.6) uncomment the following two lines
#OS=-DSOLARIS
#OSLIBS=-lsocket -lnsl
And the Linux definitions need to be uncommented. Since we are running Red Hat 6.x, use the second Linux definition. # For LINUX
# OS=-DLINUX
#
# On REDHAT 5.0 systems, or systems that use the new glibc,
# you might instead need the following:
OS=-DLINUX -DGLIBC
OSLIBS=-lcrypt
Next, you need enable S/Key functionality and define where your S/Key library and include files are. Make the following edits: # Definitions for SKEY functionality DEFINES = -DSKEY
LIBS = /usr/lib/libskey.a
INCLUDES =-I../usr//include
Once S/Key is defined, you need to define where your libwrap.a library is located. If you followed the install steps so far, use the following path values: # Use tcp_wrappers to authenticate connecting host(s)
TCPWRAP = -DLIBWRAP
LIBWRAP = -L/usr/lib -lwrap
After S/KEY, the process id (PID) file location needs to be defined. Select the /etc directory option. #PIDFILE = -DTAC_PLUS_PIDFILE="/var/run/tac_plus.pid"
PIDFILE = -DTAC_PLUS_PIDFILE="/etc/tac_plus.pid"
The last edit defines the installation paths for the tac_plus daemon and the man page, which are installed in /usr/local by default. Change the daemon install location to /usr/sbin (which is where all of the other network service daemons are located) and the man page to /usr/man/man1. install:
cp tac_plus /usr/sbin
cp tac_plus.1 /usr/man/man1/tac_plus.1
Save your changes to the Makefile then run:
make
make install
Now that the daemon is installed, we need to configure the system to run the service at boot. We will follow the same steps we used for configuring the sshd daemon to load at boot time. Edit /etc/rc.d/rc.local and add the following: echo Starting TACACS....
/usr/sbin/tac_plus -C /etc/tacacs.conf -d 16
Save your changes to /etc/rc.d/rc.local. The daemon can be launched from the command line, but before we can do so we need to create a configuration file. The TACACS+ distribution comes with extensive documentation that you should review. In Part Three of this series, we will look at advanced daemon configuration. To get the daemon started, we need to create a simple configuration file that will define the TACACS server/client key, accounting file location, and a single login user. #Base Configuration File For TACACS+ development version
#
# Server/Client Shared Key
key = testkey
#
# Accounting File
accounting file = /var/tmp/acctfile
#
# Users
user = testuser {
login = cleartext "password"
}
# Global enable password
user = $enab15$ {
login = cleartext "enablepswd"
}
Now save the file as /etc/tacacs.conf. We're ready to launch the daemon: /usr/sbin/tac_plus -C /etc/tacacs.conf -d 16
The [-C] defines where the configuration file is located, and the [-d 16] flag turns on debugging and sets the debugging level. Output is sent to /var/tmp/tac_plus.log. Here is the debug output indicating a successful launch of the daemon: Thu Jan 10 11:28:51 2002 [30374]: Reading config
Thu Jan 10 11:28:51 2002 [30374]: Version F4.0.4.alpha Initialized 1
Thu Jan 10 11:28:51 2002 [30374]: tac_plus server F4.0.4.alpha starting
Thu Jan 10 11:28:51 2002 [30375]: Backgrounded
Thu Jan 10 11:28:51 2002 [30376]: uid=0 euid=0 gid=0 egid=0 s=0
To verify the daemon is running, you can use the following command string: ps -aux | grep `cat /etc/tac_plus.pid`
Conclusion With the server up and running, the next step is to configure the routers and switches to use TACACS+ authentication and accounting, which we will look at in Part Two of this series. While this is sizable task, you will find the implementation of an SAA will become a valuable asset to your ability to securely manage your network infrastructure. So, stay tuned.
Links for S/KEY calculators
- Windows and DOS:
http://wuarchive.wustl.edu/packages/security/skey - Macintosh:
Carbon/OS X
http://www.orange-carb.org/SkeyCalc/
MacOS
ftp://ftp.msri.org/pub/skey/skey.hqx"> - XWINDOWS:
ftp://ftp-sop.inria.fr/pub/skey
ftp://ftp.porcupine.org/pub/security/index.html - PalmOS:
http://astro.uchicago.edu/home/web/valdes/pilot/pilOTP/
This was first published in January 2002
Join the conversationComment
Share
Comments
Results
Contribute to the conversation