Server security is one of those topics where a lot of different opinions are flying around. How secure do you want to be? It really comes down to how much you want to inconvenience your users (and yourself). While there are many different ways to secure a server, this article focuses on an implementation of something I think is a nice cross between convenience and security. For a more in-depth view on server security, I would recommend looking at Racker Hacker's Blog.

This post, however, is about configuring ppp-pam.

What is PPP, PPP-Pam and why should I care?

PPP, or Perfect Paper Passwords, is a security model for one-time passwords, similar to RSA SecurID. It was developed by the Gibson Research Corporation. You can read more about it here. PPP-Pam, as the name implies, is a Pluggable Authentication Module incorporating PPP into PAM. A lot of services use PAM, notably SSH.

This allows you to have an extra layer of security while only mildly inconveniencing your users. This, in combination with other good practices such as disabling root login, allows your server to happily do its thing without much worry of being compromised.

So how do I set it up? What do I need?

PPP-Pam seems to have had very little work done on it, and the version is actually labeled 0.2, so it's technically beta. However, I haven't had any problems with it once installed, and it's a cheaper solution than implementing RSA SecurID.

First things first, let's get the things we need to get started.

This assumes an Ubuntu server, as I like Ubuntu. These packages should be available in some form in the Red Hat/CentOS/Fedora/etc. repositories as well.

Install our packages:

# aptitude install make gcc g++ libc6-dev uuid-dev libpam0g-dev

And next we need to download PPP-Pam.

# wget http://ppp-pam.googlecode.com/files/ppp-pam-0.2.tar.gz

Extract the tarball and change to the directory.

# tar -xvf ppp-pam-0.2.tar.gz
# cd ppp-pam

Now you can try to run the configure script and make; however, mine could not build and I had to modify the Makefile. Try:

./configure
make
make test
make install

If this fails (more than likely with an error about -fPIC after the "make" command), you will need to modify the Makefile:

make clean
vim Makefile

In this file, search for CFLAGS and add -fPIC to the end of the MYCFLAGS line, like this:

MYCFLAGS = -I./$(srcdir)/rijndael -I./$(srcdir)/sha2 -I./$(srcdir)/mpi \
         -Wall -O3 -funsigned-char -fPIC

Now that we’ve done that, we can finish building and installing:

make
make test
make install

Now PPP-Pam is installed, but not quite configured. First we need to modify PAM to tell it to use the module:

vim /etc/pam.d/sshd

Find the @include common-auth line and add the pam_ppp.so line after it, so the file contains:

@include common-auth

auth required pam_ppp.so

Next, in your /etc/ssh/sshd_config, make sure the following options are set to yes:

ChallengeResponseAuthentication yes
UsePAM yes

You will need to restart SSHD with:

service ssh restart
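Because restarting sshd with a broken configuration is exactly how you lock yourself out, here is an added pre-flight check (example code written for this post, not part of ppp-pam) that verifies both files are in the state described above. It resolves sshd_config keywords the way sshd does (case-insensitive, first occurrence wins) and looks for an auth line that loads pam_ppp.so. The embedded sample file contents are constructed; when run as a script it reads the real /etc/ssh/sshd_config and /etc/pam.d/sshd.

```python
import re
import sys

# Constructed sample inputs modelled on the two files edited above.
SSHD_CONFIG_OK = """\
# sshd_config fragment (constructed sample)
Port 22
PermitRootLogin no
ChallengeResponseAuthentication yes
UsePAM yes
"""

SSHD_CONFIG_BAD = """\
# sshd uses the FIRST occurrence of a keyword, so the 'yes' at the
# bottom of this constructed sample is silently ignored.
ChallengeResponseAuthentication no
UsePAM yes
ChallengeResponseAuthentication yes
"""

PAM_SSHD_OK = """\
# PAM configuration for the Secure Shell service (constructed sample)
@include common-auth
auth required pam_ppp.so
@include common-account
"""

# auth <control> <module> where control may be the bracketed form
# "[success=1 default=ignore]" which contains spaces.
PAM_AUTH_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", re.IGNORECASE)


def sshd_option(config_text, keyword):
    """Effective value of `keyword` as sshd resolves it: comments and blank
    lines are skipped, keywords are case-insensitive, and the first
    occurrence wins. Lines after a 'Match' block are conditional, so this
    helper stops there (a simplification of sshd's rules)."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        if key.lower() == "match":
            break
        if key.lower() == keyword.lower():
            return value.strip()
    return None


def pam_uses_ppp(pam_text):
    """True if the PAM service file has an 'auth' line loading pam_ppp.so."""
    for line in pam_text.splitlines():
        m = PAM_AUTH_RE.match(line.strip())
        if m and m.group(2) == "pam_ppp.so":
            return True
    return False


def check_ppp_ready(sshd_text, pam_text):
    """Return a list of problems; an empty list means both files match the post."""
    problems = []
    for keyword in ("ChallengeResponseAuthentication", "UsePAM"):
        value = sshd_option(sshd_text, keyword)
        if value is None:
            problems.append(f"{keyword} not set (sshd default applies)")
        elif value.lower() != "yes":
            problems.append(f"{keyword} is '{value}', expected 'yes'")
    if not pam_uses_ppp(pam_text):
        problems.append("no 'auth ... pam_ppp.so' line in pam.d/sshd")
    return problems


if __name__ == "__main__":
    # Check the live files; run this before `service ssh restart`.
    with open("/etc/ssh/sshd_config") as f:
        sshd_text = f.read()
    with open("/etc/pam.d/sshd") as f:
        pam_text = f.read()
    found = check_ppp_ready(sshd_text, pam_text)
    for p in found:
        print("PROBLEM:", p)
    sys.exit(1 if found else 0)
```

The SSHD_CONFIG_BAD sample illustrates the mistake that the check is there to catch: appending `ChallengeResponseAuthentication yes` to the bottom of a file that already sets it to `no` earlier changes nothing, and the PPP prompt never appears.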

Now we're almost done. Each user will need to run the following as their own account:

$ pppauth --key
$ pppauth --text --next 1

The second command prints a table of passcodes, similar to this:

Nginx-test                         [1]
      A    B    C    D    E    F    G
 1: ZWxF cXDN Fm6: Dc+h X!ep rk7i sZmG
 2: %id= U7M% Lu?k 9KsJ f7b= vs+t Tj%P
 3: xnT6 LwD@ VRH8 RNJZ GV9V +m:6 t3jC
 4: U:ts EdBd Y2mn VPcr PnUD qDoR UzJX
 5: %r4v LGHS 2Mmp ng=x @6!r :32C 6DG:
 6: 9z=+ PC5h G=3p NNt7 rw38 BzW% PRmA
 7: @YvP yDew vDKb gaeP UsJf G?+% L2pa
 8: fkHY L72# YMmb G?SA PBB+ owvv oZ4d
 9: J=V! #6JF xr5N tX=+ :R!o ts5G ZSJ6
10: HN7z 965Y kx2J @4hj ?9jy h@qi RDqZ

Now we’ll test it. Open a SECOND ssh client/window. It is very important you don’t close the first one until you are 100% positive everything works. Otherwise you might be poking around a console trying to revert changes or at worst rebuilding the server.

dewey@dewey-desktop:~$ ssh testuser@nginx.failverse.com
Password: 
Passcode 1B [1]: 

In this case it wanted the code "cXDN" (card 1, row 1, column B) as the one-time password. With this in place, as well as other common security practices such as not allowing root login and software like fail2ban, your server will be much more resilient to attacks from people you'd much rather not have on your system.
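To make the prompt-to-card mapping concrete, here is an added example (not part of ppp-pam or the original post) that parses the text card format printed by pppauth and resolves a prompt such as `Passcode 1B [1]:` to the cell it asks for. The card embedded below is the sample table printed above, from the author's throwaway test key; the parser refuses to answer when the prompt names a different card number than the one in hand, which is the signal to print the next card.

```python
import re

# The sample card from the post, embedded as this example's input.
SAMPLE_CARD = """\
Nginx-test                         [1]
      A    B    C    D    E    F    G
 1: ZWxF cXDN Fm6: Dc+h X!ep rk7i sZmG
 2: %id= U7M% Lu?k 9KsJ f7b= vs+t Tj%P
 3: xnT6 LwD@ VRH8 RNJZ GV9V +m:6 t3jC
 4: U:ts EdBd Y2mn VPcr PnUD qDoR UzJX
 5: %r4v LGHS 2Mmp ng=x @6!r :32C 6DG:
 6: 9z=+ PC5h G=3p NNt7 rw38 BzW% PRmA
 7: @YvP yDew vDKb gaeP UsJf G?+% L2pa
 8: fkHY L72# YMmb G?SA PBB+ owvv oZ4d
 9: J=V! #6JF xr5N tX=+ :R!o ts5G ZSJ6
10: HN7z 965Y kx2J @4hj ?9jy h@qi RDqZ
"""

# Title line: "<name>   [<card number>]"; rows: "<n>: code code ...".
# Passcodes never contain whitespace, so splitting rows on spaces is safe
# even though ':' and other punctuation appear inside codes.
CARD_TITLE_RE = re.compile(r"^(?P<title>\S.*?)\s+\[(?P<card>\d+)\]\s*$")
CARD_ROW_RE = re.compile(r"^\s*(?P<row>\d+):\s+(?P<codes>.+?)\s*$")
PROMPT_RE = re.compile(r"Passcode\s+(?P<row>\d+)(?P<col>[A-Z])\s+\[(?P<card>\d+)\]")


def parse_card(text):
    """Parse a pppauth text card into (card_number, columns, {row: {col: code}})."""
    card_no, columns, rows = None, None, {}
    for line in text.splitlines():
        m = CARD_TITLE_RE.match(line)
        if m and card_no is None:
            card_no = int(m.group("card"))
            continue
        tokens = line.split()
        if columns is None and tokens and all(len(t) == 1 and t.isalpha() for t in tokens):
            columns = tokens  # the A..G header line
            continue
        m = CARD_ROW_RE.match(line)
        if m and columns is not None:
            codes = m.group("codes").split()
            if len(codes) != len(columns):
                raise ValueError(f"row {m.group('row')} has {len(codes)} codes, expected {len(columns)}")
            rows[int(m.group("row"))] = dict(zip(columns, codes))
    if card_no is None or columns is None or not rows:
        raise ValueError("not a pppauth text card")
    return card_no, columns, rows


def passcode_for_prompt(card_text, prompt):
    """Resolve an sshd prompt like 'Passcode 1B [1]:' against the card text.

    Raises ValueError if the prompt is unrecognised, refers to a different
    card number (print the next card), or names a cell that is not present."""
    m = PROMPT_RE.search(prompt)
    if not m:
        raise ValueError(f"unrecognised prompt: {prompt!r}")
    want_card = int(m.group("card"))
    card_no, columns, rows = parse_card(card_text)
    if want_card != card_no:
        raise ValueError(f"prompt wants card {want_card} but this is card {card_no}")
    row, col = int(m.group("row")), m.group("col")
    try:
        return rows[row][col]
    except KeyError:
        raise ValueError(f"no cell {row}{col} on card {card_no}") from None


if __name__ == "__main__":
    # The prompt from the ssh session above resolves to row 1, column B.
    print(passcode_for_prompt(SAMPLE_CARD, "Passcode 1B [1]: "))
```

Run as a script it prints `cXDN`, the value the login above asked for. Reading the card by hand is the whole point of a paper password, so a tool like this belongs on the client you print from, not on the server, and the card it parses should be treated as a credential.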
