9.5.  Using One Time Passwords

9.5.1.  Introduction

In this section, we will describe how to configure ThinLinc for authentication against One Time Password (OTP) servers, such as the RSA SecurID. By using OTPs, you can increase the system security.

9.5.2.  General Requirements

  • An OTP server which accepts the OTP twice. This is due to the ThinLinc architecture: The client first contacts the master machine, and then the agent host. When using RSA SecurID, we recommend using the Steel-Belted Radius server as a "Token Caching Server".

  • An user database (directory server) that is supported both by the operating system on the ThinLinc servers, as well as the OTP server. We recommend using a LDAP directory server, such as Novell eDirectory.

  • The operating systems on the ThinLinc servers must support the OTP servers authentication protocol. We recommend using the RADIUS protocol, by using the pam_radius_auth PAM module from the FreeRADIUS project.

  • The SSH server on the ThinLinc servers must accept "keyboard-interactive" authentication. It's recommended to disable "password" authentication.

9.5.3.  Configuration for RSA SecurID

This section describes how to deploy a OTP solution based on RSA SecurID with ThinLinc. When using this solution, the SecurID PASSCODEs are used instead of normal passwords. The PASSCODE should be entered in the ThinLinc client password input field. Please observe the following limitations:

  • When SecurID requests additional information, in addition to the PASSCODE initially entered, a popup dialog will be used. This happens, for example, in Next Token or New PIN mode. After finishing the dialog, the ThinLinc client will display a "Login failed!" error message. This happens since the SBR server clears the token cache when additional information is requested. When this happens, wait until the token changes once more, and login again.

  • The ThinLinc Single Sign-On mechanism will store the string entered in the clients password input field. When using SecurID, this is the PASSCODE, which cannot be used for further logins. To use the Single Sign-On mechanism, the user must be prompted for their real password. This can be done with the program tl-sso-update-password. To configure ThinLinc so that this program is executed during login, execute this command:

    # ln -s /opt/thinlinc/bin/tl-sso-update-password /opt/thinlinc/etc/xstartup.d/05-tl-sso-update-password

  • If an external application server is used, and you want to able to establish connections with the Single Sign-On mechanism, this application server cannot be SecurID-protected. This includes Windows Remote Desktop Servers. When using SecurID-protected Windows domains, users and computers can be excluded from SecurID protection at the domain controller, by selecting Control Panel->RSA ACE Agent->Domain->Advanced Domain Options . Windows servers that are excluded in this fashion should not have the RSA Ace Agent installed.

The configuration example below assumes that you are using LDAP and RADIUS, and the Steel-Belted Radius (SBR) server. Step 8 through 11 should be repeated on all ThinLinc servers.

  1. Install and configure RSA Authentication Manager (ACE server). For basic configuration tasks such as creating users and assigning tokens, we refer to the RSA documentation.

  2. Create a new Agent Host for the SBR server, with type "Net OS Agent". Select which users should be able to login through ThinLinc. To allow all users, check the "Open to All Locally Known Users" checkbox.

  3. Generate a configuration file for the SBR server, by selecting Agent Host->Generate Configuration File. Copy this file to c:\windows\system32 on the machine running SBR.

  4. Open the SBR Administrator. Create clients for all ThinLinc servers, using default settings. Make sure you enter a shared secret.

  5. Use SBR Administrator to create a SecurID user. The user should typically be of type <ANY>.

  6. Modify the SBR Authentication Policy, so that the only active method is "SecurID User". Exit SBR Administrator.

  7. Enable ACE authentication caching by editing the configuration file c:\radius\service\radius.ini and set:

    [SecurID]
    CachePasscodes          = yes
    SecondsToCachePasscodes = 60
    

    Restart SBR after changing the configuration file. For more information about ACE authentication caching, refer to the Steel-Belted Radius Tech Note RD310.

  8. Install pam_radius_auth. Some distributions, such as SUSE, includes this module.

  9. Configure pam_radius_auth, by creating /etc/raddb/server . It should contain the SBR server name, port, and a shared secret. Example:

    myotpserver.example.com:1812 mysecret
    

  10. Configure the ThinLinc servers for RADIUS authentication by modifying its PAM configuration. The exact procedure depends on the system, but typically, this can be done by modifying /etc/pam.d/system-auth, by inserting the line

    auth        sufficient    /lib/security/pam_radius_auth.so use_first_pass
    

    after the line containing pam_unix.so.

  11. Restart the VSM and SSH server.

  12. Login to the system with a SSH client, and verify that an OTP is required and accepted.

  13. Login to the system with a ThinLinc client, and verify that an OTP is required and accepted.