Setting up SSH authentication inside a VPN using domain credentials

How to setup JumpCloud with RADIUS to grant your organization users SSH access to VPN machines with no internet access using their domain credentials.

Introduction

Our organization development environment resides, obviously, inside a VPN. Starting small, initially we managed our VPN users manually. Each new user received a G Suite account, a VPN account to access the development environment, and an RSA key to access their development machines.

As our organization grew, we realized that we should find a way to simplify the registration and authentication, and yet make it even more secure.

We decided to use JumpCloud, a cloud directory that consolidates user identity management, integrates with major platforms such as Google G Suite and Microsoft Office 365, and provides network and application access services.

After we connected our VPN with JumpCloud, we wanted to handle the authentication inside the VPN. Our plan was to setup a RADIUS server inside our VPN as a proxy to our JumpCloud RADIUS-as-a-Service, such that when a user tries to login to a machine, it will authenticate him against JumpCloud using the RADIUS proxy.

Requirements

In our original setup we had our machines managed in AWS and users managed in Google G Suite. However, this article only assumes that your organization users are managed over JumpCloud. The examples are directed for Ubuntu machines, but note that a similar solution is possible for other linux distributions.

I decided to use FreeRADIUS for our RADIUS proxy server, since apart of it being free, it is very easy to install and maintain. Setting up the proxy, however, was in my opinion a little confusing and poorly documented, so I decided to write a step-by-step detailed explanation of the process.

Setting Up the RADIUS Server

This part could not be easier:

apt-get install freeradius

Once that’s done, you have a fully-functional RADIUS server running on your machine.

Follow the Getting Started guide for more info regarding FreeRADIUS installation.

Log into the JumpCloud Administrator Console, and select RADIUS on the left panel. Then click on the green + icon to add a new server:

  • In the Server Name box just type a friendly name.
  • In the IP address box type the IP address of your new RADIUS server.
    If your RADIUS server is behind NAT, type the IP address of the NAT gateway.
  • Copy the content of the Shared Secret box, we will use it later.
  • In the User Groups tab, select the user groups that can be authenticated using the RADIUS server.

Once you’re done, click on the save button at the bottom.

JumpCloud New RADIUS Server screen

Back to your RADIUS server. Edit the /etc/freeradius/proxy.conf file. This is the part that determines that any request that comes from your domain users will be proxied to JumpCloud for authentication.

  • Create a host for each of the JumpCloud RADIUS servers in your servers region, for example if your region is US West use:
home_server remote_radius_1 {
type = auth
ipaddr = 54.203.27.225
port = 1812
secret = [The shared secret copied from JumpCloud]
}

You can add additional hosts for redundancy. A list of JumpCloud RADIUS servers can be found here: https://support.jumpcloud.com/customer/portal/articles/2406827-configuring-a-wireless-access-point-wap-vpn-or-router-for-jumpcloud-s-radius

  • Create a hosts pool for your domain, and link the created hosts:
home_server_pool my_pool {
type = fail-over
home_server = remote_radius_1
# Add additional home_server tags if needed
}
  • Create a realm section for your domain, and link the created hosts:
realm yourdomain.com {
auth_pool = my_pool
}

This will proxy authentication of users in the format of username@yourdomain.com to JumpCloud. If you would like to access using username only without having to use the suffix, edit the /etc/freeradius/users file and add the following line:

DEFAULT Proxy-To-Realm := “yourdomain.com”

This will make FreeRADIUS treat users as part of your domain by default, and authenticate them against JumpCloud.

Finally, restart the freeradius service:

service freeradius restart

Testing the Authentication

Run the following command to test your authentication against JumpCloud (use username and password from a real account, such as G Suite, to see if you can authenticate):

radtest DOMAIN_USERNAME DOMAIN_PASSWORD localhost 0 testing123

A successful authentication will return an Access-Accept response.

If the authentication fails, the best way to test it is to run the RADIUS server in debug mode, so it will print an extended log to stdout, by running:

freeradius -X

Then, run the test command again, and you should get a better idea regarding what went wrong.

Adding a Client

A client is a machine that uses the RADIUS server for authentication. In our case, we want to authenticate SSH access to the client machine.

On your RADIUS server, add a client section to the /etc/freeradius/clients.conf file as follows:

client YOUR_CLIENT_NAME {
ipaddr = [The IP address of your client machine]
secret = [A secret phrase to authenticate your client against the RADIUS server]
}

Then, restart the freeradius service.

Perform the following steps to setup a client machine:

  • Install the PAM RADIUS authentication library:
apt-get install libpam-radius-auth
  • Edit the /etc/pam_radius_auth.conf file. Add the following line:
    RADIUS_SERVER_IP:RADIUS_PORT CLIENT_SECRET 3
    Where CLIENT_SECRET is the secret phrase that you assigned to this client in the server clients.conf file, and 3 is the requests timeout.
  • Update the /etc/pam_radius_auth.conf file permissions as follows:
chown root /etc/pam_radius_auth.conf
chmod go-rwx /etc/pam_radius_auth.conf
  • Add the following lines to the /etc/pam.d/sshd file:
auth required pam_radius_auth.so
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
  • Comment-out the @include common-auth line in /etc/pam.d/sshd file.
  • Update the /etc/ssh/sshd_config file:
    Set the attribute PasswordAuthentication yes
    Then, restart the sshd service
  • Make sure that the client machine has a user with the same name as your domain login. You can add the user by executing the following command:
    useradd -d /home/username -s /bin/bash username
    Note that this command doesn’t create a password for the user — this is intentional, as we want to connect using the domain credentials.

That’s it! Now you can SSH to your client machine using your domain credentials.

Summary

These days, organizations are using substantial amount of internal and external services, and identity management can become a heavy task, especially for small organizations.

This article covered a specific use-case of applying a single identity by using domain credentials to access VPN machines (that not necessarily have internet access). I believe this use-case can be very useful, especially for small organizations that still don’t have sophisticated networks with thousands of users and machines.

There are, of course, plenty of other use-cases that can take advantage of this solution or similar ones.

The JumpCloud Support Center and the FreeRADIUS Documentation are both good places to start looking for information of additional use-cases and solutions.

I am writing code ever since I learned how to use a keyboard and I still think that nothing beats the feeling of seeing your code runs as you expect. hanetz.net

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store