User Tools

Site Tools


Remote access is often a risky proposition, mostly due to poor authentication. This document will show how simple it is to add two-factor authentication to X2Go on Ubuntu 12.04, thanks to it's support for PAM.

We recommend organizations standardize on an authentication protocol and choose products and plan implementations around that choice. We recommend RADIUS. All major remote access solutions support it. You can tie in your directory infrastructure into the authentication process and all major two-factor authentication solutions support it, including WiKID. Of course, PAM supports radius.

To install pam-radius on Ubuntu:

$ sudo apt-get install libpam-radius-auth

Now we just need to tell pam-radius where to proxy the authentication requests. Edit the file /etc/pam_radius_auth.conf. Edit the line other-server; other-secret 3; replacing 'other-server' with IP address or hostname of your WiKID Strong Authentication server or radius server if you have one set up in between WiKID and your servers and change 'other-secret' the shared secret for this network client.

Now we need to tell PAM to use radius for authentication for SSH/X2Go.

Edit the file /etc/pam.d/sshd.

Add the line: auth sufficient

Just above the line: # Standard Un*x authentication. @include common-auth

That's all there is to it. Users will still need an account on the system. Users will login with their username and the one-time passcode.

While we think you should use two-factor authentication (surprise, we sell it!). This same setup can be used with Freeradius/OpenLDAP and NPS/AD to tie your authentications into your directory with or without two-factor.

doc/deployment-stories/wikid.txt · Last modified: 2014/07/14 14:41 by nowen