Two Factor Authentication for Free

RSA is a rip-off; they're following in the footsteps of Microsoft, and unfortunately many companies believe RSA is the only way to secure their network.

They’re wrong, and here’s why:

OpenVPN + Server Cert/Key + PAM Authentication Module = FREE two-factor authentication.

First, let's define two-factor authentication: it is nothing more than two separate requirements for logging on, tunnelling in or otherwise gaining access to a network. For example, you have a PIN or password that never changes. In addition you might have a key-chain token whose code is constantly changing. Access requires both, and because the token code is always changing it becomes very difficult for the wrong person to gain access.

A little background on the industry: the Citrix Access Gateway is probably the industry standard for providing a single-factor authentication gateway for a small company. I'm guessing most companies concerned with security have something very similar. The gateway, or "CAG", sits behind the company's firewall and accepts authentication requests. That's the first factor; the second is generally a token-like system requiring users to carry around a silly key chain. Why? If a user has a private certificate signed by the company's certificate authority (CA) AND a username/password, access is still two-factor.

What absolutely amazes me is that there are open source applications that can provide two-factor authentication for FREE.

Here’s what a working OpenVPN server config looks like using PAM:

proto udp
;proto tcp
port 1194
dev tap
tls-server
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
duplicate-cn
# Define the IP address range for the tap0 virtual device
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Routes to be established on the server
route-up "route delete -net 10.8.0.0/24"
route-up "route add -net 10.8.0.0/24 tap0"

# Allow clients to talk to one another
client-to-client

# Push the same ping settings to the clients
push "ping 10"
push "ping-restart 60"
push "route 172.16.4.0 255.255.255.0" # route to another subnet
push "route 172.16.5.0 255.255.255.0" # route to another
push "route 172.16.51.0 255.255.255.0" # route to one more
push "route 172.16.8.0 255.255.255.0" # route to yet another
push "route 172.16.81.0 255.255.255.0" # route to some place
push "route 172.16.70.0 255.255.255.0" # route to northern US
push "route 172.16.33.0 255.255.255.0" # route to more north
push "dhcp-option DOMAIN companyname.com" # push the DNS domain suffix

comp-lzo
status-version 2
status /var/log/openvpn-status.log
verb 5
# Keep the tunnel open with a ping every 10 seconds; restart after 120 seconds without a reply
keepalive 10 120

plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
client-cert-not-required

I'm going to skip a whole bunch of steps to get this working (see openvpn.org), but if the server is running with the above configuration (with no errors) you'll have two-factor authentication: 1) the signed certificate from the certificate authority, and 2) the username/password on the Linux box, checked by the openvpn-auth-pam.so module above.

Windows XP/Vista (32-bit/64-bit) client setup:

1). Install OpenVPN GUI v1.0.3
2). Load the ca.crt and client.ovpn files.

Here’s an example of the client.ovpn file:

client
dev tap

;proto tcp
proto udp
# 1.2.3.4 should be the public IP of the server
remote 1.2.3.4 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
comp-lzo
verb 3
mute 20
auth-user-pass
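
To see which of the two factors each side of this setup actually enforces, here is an added example (not code from the original post): a POSIX shell audit that reads an OpenVPN server config and a client config and reports whether a client certificate and a password are required. The check worth running is that `client-cert-not-required` (deprecated in OpenVPN 2.4 in favour of `verify-client-cert none`) tells the server to accept clients that present no certificate at all, and a client config that carries only `ca ca.crt` uses that file to verify the server, not to identify the client; with both in place, the PAM password is the only thing the server checks. Removing `client-cert-not-required`, issuing each client its own cert/key from the easy-rsa CA, and adding `cert`/`key` lines to the client config is what makes the certificate a real second factor. The sample config files below are constructed for the example, and the function names are mine, not OpenVPN's.

```shell
#!/bin/sh
# Added example, not code from the original post: audit which authentication
# factors an OpenVPN server config and a client config actually enforce.
# Assumes only POSIX sh plus the standard OpenVPN directive names checked below.

# Drop comment lines (# or ;), trailing comments and blank lines.
_clean() {
    sed -e 's/[[:space:]]*[#;].*$//' -e '/^[[:space:]]*$/d' "$1"
}

# True when directive $1 appears at the start of a line in config file $2.
_has() {
    _clean "$2" | grep -Eq "^[[:space:]]*$1([[:space:]]|\$)"
}

# Server side: the certificate factor is switched off by client-cert-not-required
# or by "verify-client-cert none|optional"; the password factor needs the PAM
# plugin (or an auth-user-pass-verify script).
openvpn_server_factors() {
    conf="$1"
    cert="yes"
    pw="no"
    if _has 'client-cert-not-required' "$conf"; then cert="no"; fi
    if _clean "$conf" | grep -Eq '^[[:space:]]*verify-client-cert[[:space:]]+(none|optional)'; then
        cert="no"
    fi
    if _clean "$conf" | grep -Eq '^[[:space:]]*plugin[[:space:]]+.*openvpn-auth-pam'; then pw="yes"; fi
    if _has 'auth-user-pass-verify' "$conf"; then pw="yes"; fi
    printf 'cert-factor=%s password-factor=%s\n' "$cert" "$pw"
}

# Client side: a certificate factor needs cert+key (or a pkcs12 bundle);
# "ca" alone only lets the client verify the server's certificate.
openvpn_client_factors() {
    conf="$1"
    cert="no"
    pw="no"
    if _has 'cert' "$conf" && _has 'key' "$conf"; then cert="yes"; fi
    if _has 'pkcs12' "$conf"; then cert="yes"; fi
    if _has 'auth-user-pass' "$conf"; then pw="yes"; fi
    printf 'cert-factor=%s password-factor=%s\n' "$cert" "$pw"
}

# Constructed sample configs for the demonstration (written to a temp dir).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/server-as-posted.conf" <<'EOF'
proto udp
;proto tcp
port 1194
dev tap
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
client-cert-not-required
EOF
cat > "$SAMPLES/server-hardened.conf" <<'EOF'
proto udp
port 1194
dev tap
tls-server
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login # password factor
EOF
cat > "$SAMPLES/client-as-posted.conf" <<'EOF'
client
dev tap
remote 1.2.3.4 1194
ca ca.crt
auth-user-pass
EOF
cat > "$SAMPLES/client-hardened.conf" <<'EOF'
client
dev tap
remote 1.2.3.4 1194
ca ca.crt
cert client.crt
key client.key
auth-user-pass
EOF

for f in server-as-posted server-hardened; do
    printf '%s: ' "$f"; openvpn_server_factors "$SAMPLES/$f.conf"
done
for f in client-as-posted client-hardened; do
    printf '%s: ' "$f"; openvpn_client_factors "$SAMPLES/$f.conf"
done
```

Run with `sh audit.sh`. The "as posted" pair reports `cert-factor=no password-factor=yes` on both sides, i.e. one factor; the hardened pair reports `cert-factor=yes password-factor=yes`. The audit is deliberately conservative: it reads directive names only, so a `cert`/`key` pair whose files are missing, or a PAM service that is misconfigured, still has to be confirmed by actually connecting.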

Save yourself $10k or $20k, learn OpenVPN.

-Andy

3 thoughts on "Two Factor Authentication for Free"

  1. Someone steals your laptop with the cert already on it and recovers the password as Windows keeps that oh so secret (or people write it on the sticky) and your two-fold authentication just went to crap. SecurID is most often set up as a PIN + an algorithmic number that expires every 60 seconds. Steal the laptop, hack the password, you still aren't in as you still need the SecurID and PIN. Even if the SecurID is chained to the laptop, the PIN can vary between 4 and 8 digits and you don't know if the PIN goes before the token digits or after. You are not cracking that. Your idea has merit on being cheap, but cheap only gets you so far.

  2. Apparently "Anonymous" doesn't want to be known. He also doesn't realize that the key chain is just as static as a post-it note. If a user has both factors they'll get in.

    He also neglects to mention Open Radius as another free alternative if someone wants to mimic the constantly changing keychain.

    Yawn,
    Andy
