Admins eHow SysAdmin Tips & Tricks

August 20, 2014

Force public key authentication on SSH daemon (disable password authentication)

Filed under: Debian,linux,Security — Tags: , , , , , , — admin @ 2:18 pm

It is a very good security practice to completely disable password authentication on your Linux server and use public key authentication method.
In order to do that you need to create your own public/private key pair and put the public key in ~/.ssh/authorized_keys

mkdir -p ~/.ssh
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHV80zPWjPAwKo8Be0k1ypBRMdYDC0H2eQchu3MFsEp8av2F/18GNuHsbyMWp0p1uovP5LGZ/oPZ1ISJxLxxOBiqv0fOyb8uTDYWUUITgGvq9Fppj3BNYTjnLCUAVMKdP3VJ7IPk69ygYR1nhAXiv3dSfeG74f2eo3ZYhrylsVS2G84DUh47FuEFOsfn5s2wXVjwAgqdKBhiVQZWrptf6TEK3fZTVg4rCiRJ+YiIwTZr/CfFHbdqOiwDlGR5fWo0PHHq31lrQXzkASfi3C+ahQFnHsy4+8LdCq+TjzC3J6PbuXP1wpLdm1iP35f61hU1wX2hwhyxdvE+SBXT/PpSVB' >> ~/.ssh/authorized_keys

DISCLAIMER : The above key is my public key, if you put it on your server, I will be able to login into your server 😀
Now add/change the following config to the BEGINNING of /etc/ssh/sshd_config

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PubkeyAuthentication yes

and restart ssh service :

service ssh restart

In order to check that only public key authentication is available run the following command on the server :

ssh -o PreferredAuthentications=none -o NoHostAuthenticationForLocalhost=yes localhost -p 22

and you should get this error :

Permission denied (publickey).

Note : Before closing your current SSH session, I highly recommend you to test that actually you can login into your server by new method. otherwise you may be locked out of your server.

July 16, 2012

How to auth Squid by Radius through PAM in Debian

Filed under: Debian — Tags: , , , , , — admin @ 9:20 am

install libpam-radius-auth

apt-get install libpam-radius-auth

open /etc/pam_radius_auth.conf

nano /etc/pam_radius_auth.conf

and add the following lines into it. Your_IP and PORT are the IP address and Port of Radius sever. SecretKey is the Secret of radius server. 3 is the timeout in seconds.

# server[:port] shared_secret      timeout (s)
YOUR_IP:PORT SecretKey 3

Change the permissions :

chown root /etc/pam_radius_auth.conf
chmod +r /etc/pam_radius_auth.conf

create /etc/pam.d/squid :

nano /etc/pam.d/squid

and add the following lines :

auth sufficient pam_radius_auth.so
account sufficient pam_radius_auth.so

Now install Squid if you have not installed it yet :

apt-get install squid

Lets try and see if Squid PAM works successfully through Radius auth, run the following command and enter username and password with a space between them :

/usr/lib/squid/pam_auth
username password
OK

OK means radius server has accepted the authentication details. ERR means there is a problem.
Now configure Squid to use pam_ath, open /etc/squid/squid.conf :

nano /etc/squid/squid.conf

Add the following lines to the begging of the file :

auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm REALM
auth_param basic credentialsttl 2 hours

Add following line in acl section :

acl password proxy_auth REQUIRED

Add following line before http_access deny all :

http_access allow password

Powered by WordPress