Crypto su

To use Cryptocard for sudo/su:
  1. Download and install the authserver software (specific instructions). If you download the source, edit the Makefile to include the secret key assigned by SCD, then run "sudo make install"; this installs the necessary PAM modules on Fedora Linux. Check /usr/local/etc/netperm-table to make sure you have the right configuration.
  2. Configure su: PAM is very flexible. We have configured "su" to authenticate with Cryptocard under Fedora Linux 1.0 using the /etc/pam.d/su file shown below.
  3. Configure sudo: As with su, we have configured sudo to use Cryptocard through PAM modules, using the /etc/pam.d/sudo file shown below.
  4. Lock down other forms of root access: Be sure that root access is only allowed from the console (for emergencies). If a system cannot contact the Cryptocard server, for instance, you may need to log in at the console. (A password entered at the console is less likely to be sniffed than one sent over the network. There are still security risks in console logins, however.)

Using Cryptocard for su

  • Enter "su"
  • Your screen displays a response similar to:
    Cryptocard Challenge "06148934".
    
  • Generate a one-time password using the Cryptocard
    • Press the PASSWORD key. The card requests your PIN.
    • Enter your PIN and press the ENT key.
    • The one-time password appears on the card in a form like "218-2169".
    • Enter this one-time password, including the hyphen, at the prompt. For example:
      Cryptocard Challenge "06148934":  218-2169
      
    • You should now be authenticated as root.

/etc/pam.d/su

#%PAM-1.0

# This module has been modified to perform 'su' authentication by 
# cryptocard against the UCAR Cryptocard server.

auth       sufficient	/lib/security/pam_rootok.so
auth       sufficient	/lib/security/pam_ncarsnk.so.1
auth       required	/lib/security/pam_deny.so

account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_xauth.so

/etc/pam.d/sudo

#%PAM-1.0
# This module has been modified to perform 'sudo' authentication by
# cryptocard against the UCAR Cryptocard server.

auth       sufficient	/lib/security/pam_ncarsnk.so.1
auth       required	/lib/security/pam_deny.so

account    required	pam_stack.so service=system-auth
password   required	pam_stack.so service=system-auth
session    required	pam_stack.so service=system-auth
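
The two auth stacks above rely on PAM control flow: a "sufficient" module that succeeds ends the stack, and the final "required pam_deny" makes every other path fail. The following check is an added example, not part of the original page or the authserver software; it parses a PAM file and reports any auth module outside an allowed set that could let authentication succeed. The function names and the WEAK_PAM sample are assumptions constructed for illustration, and only the simple control keywords are modelled (no bracketed controls or include lines).

```python
import os

# Constructed sample: the auth lines of the /etc/pam.d/sudo listing above.
SUDO_PAM = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_ncarsnk.so.1
auth       required     /lib/security/pam_deny.so
account    required     pam_stack.so service=system-auth
"""

# Constructed counter-example: a reusable-password fallback in the auth stack.
WEAK_PAM = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_ncarsnk.so.1
auth       required     /lib/security/pam_stack.so service=system-auth
"""

def auth_stack(text):
    """Return [(control, module_name)] for the auth lines, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == "auth":
            # /lib/security/pam_ncarsnk.so.1 -> pam_ncarsnk
            name = os.path.basename(fields[2]).split(".so")[0]
            stack.append((fields[1], name))
    return stack

def audit(text, allowed):
    """List findings; an empty list means only modules in `allowed` can grant
    access and the auth stack fails closed with pam_deny."""
    findings, closed = [], False
    for control, name in auth_stack(text):
        if name == "pam_deny" and control in ("required", "requisite"):
            closed = True
            break        # nothing after an unconditional deny can grant access
        if control == "optional":
            continue     # optional results do not decide this stack
        if name not in allowed:
            findings.append(f"{name} ({control}) can satisfy auth")
    if not closed:
        findings.append("auth stack does not end in pam_deny")
    return findings

if __name__ == "__main__":
    print(audit(SUDO_PAM, {"pam_ncarsnk"}))
    print(audit(WEAK_PAM, {"pam_ncarsnk"}))
```

For the su file, pass {"pam_rootok", "pam_ncarsnk"} as the allowed set, since pam_rootok is what lets root run su without a challenge.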
