SSH Authentication using PAM and RADIUS IN Linux | Support for Ubuntu, CentOS, Redhat, BackTrack Linux Server
2022/10/19
May 3, 2013 by 99linux
SSH has been used for secure remote connectivity in Linux and UNIX for a very long time. It gives
a strongly encrypted tunnel between the SSH server and client. RADIUS, on the other hand, is generally
used for dial-up authentication and acts as a central server for multiple NAS (Network Access
Servers). There are a few cases where you may want to use RADIUS for your SSH authentication instead
of your local /etc/shadow file: for example, if you have multiple Linux servers but want to manage
authentication from a central database. Though there are other mechanisms like NIS or LDAP, RADIUS
is still a choice for its ease of use and some unique features.
In this article we will show you how to configure your Linux system to authenticate SSH sessions
using PAM and RADIUS. We have tested it using CentOS
(http://resources.isystemadmin.com/centos/), RedHat
(http://resources.isystemadmin.com/redhat/), Ubuntu and Slackware
(http://resources.isystemadmin.com/slackware/), but you can try it with any Linux or UNIX. The
command reference applies to a CentOS console.
Assumptions and Prerequisites:
1. Make sure the pam, pam-devel, make and gcc packages are installed.
2. The server on which we want to use RADIUS-based authentication has the hostname "Server1" with IP
a.b.c.10.
3. You have at least one RADIUS server ready to authenticate users. In another article we will try to
guide you through configuring a RADIUS server for Linux. For this example we consider the RADIUS
server's IP to be x.y.z.100.
4. The RADIUS secret for your server "Server1" is "W3L0veiSystemAdm1n" and is properly configured in
the RADIUS server (x.y.z.100).
Download the RADIUS client from ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz
and then follow the instructions below:
https://99linux.wordpress.com/2013/05/03/ssh-authentication-using-pam-and-radius-in-linux/
tar zxf pam_radius-1.3.17.tar.gz
cd pam_radius*
make
cp pam_radius_auth.so /lib/security
(or /lib64/security on a 64-bit system)
If your PAM library resides in a different folder, copy the module there instead of /lib/security.
Change the /etc/pam.d/sshd file and instruct the system to use the pam_radius_auth.so module to check
the RADIUS server for authentication and accounting.
auth       sufficient   pam_radius_auth.so debug
auth       include      system-auth
account    sufficient   pam_radius_auth.so debug
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    sufficient   pam_radius_auth.so debug conf=/etc/raddb/server
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
The syntax of this file can be found in the PAM man pages. Be careful about the 'sufficient', 'required'
etc. control terms. Here we defined that if a user is authenticated by the RADIUS server the system will
consider it 'sufficient' and will not check the other authentication modules. Be aware that the above
example will still allow local authentication: a RADIUS failure simply falls through to the included
system-auth stack, where the local password is checked.
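To make the control-flag behaviour concrete, here is an added example (not code from the original post) that parses pam.d-style lines and walks the auth stack with Linux-PAM semantics for required, requisite, sufficient, optional and include. The system-auth content is a constructed, shortened CentOS-style file, and the RADIUS-only variant is a hypothetical alternative included only for comparison; both are assumptions of the example, not the page's configuration.

```python
# Constructed, simplified "auth" section of a CentOS-style /etc/pam.d/system-auth
# (an assumption for this example; the real file is longer). It is what the page's
# "auth include system-auth" line pulls in.
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so
"""

# The auth lines exactly as the page configures /etc/pam.d/sshd.
SSHD_PAGE = """
auth       sufficient   pam_radius_auth.so debug
auth       include      system-auth
"""

# Hypothetical RADIUS-only variant for comparison (no local-password fallback).
SSHD_RADIUS_ONLY = """
auth       required     pam_radius_auth.so
"""


def parse_pam(text):
    """Return [(type, control, module, args)] for the non-comment lines of a pam.d file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {line!r}")
        entries.append((parts[0], parts[1], parts[2], parts[3:]))
    return entries


def expand(entries, ptype, includes):
    """Keep only lines of one type and splice in 'include'd files ({name: text})."""
    stack = []
    for t, control, module, args in entries:
        if t != ptype:
            continue
        if control == "include":
            stack.extend(expand(parse_pam(includes[module]), ptype, includes))
        else:
            stack.append((control, module, args))
    return stack


def evaluate_auth(stack, results):
    """Walk an auth stack with Linux-PAM control-flag semantics.

    results maps module name -> True/False. Modules not listed are assumed to
    succeed (pam_env, pam_succeed_if); pam_deny.so always fails.
    """
    failed = False     # a required/requisite module has failed
    succeeded = False  # at least one counted module succeeded
    for control, module, _args in stack:
        ok = False if module == "pam_deny.so" else results.get(module, True)
        if control == "requisite":
            if not ok:
                return False            # fail immediately, skip the rest
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            else:
                failed = True           # remembered; later modules still run
        elif control == "sufficient":
            if ok and not failed:
                return True             # short-circuit: nothing below is consulted
        elif control == "optional":
            succeeded = succeeded or ok
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return succeeded and not failed


def login_outcomes(sshd_text):
    """(RADIUS accepts, RADIUS rejects but local password ok, both reject)."""
    stack = expand(parse_pam(sshd_text), "auth", {"system-auth": SYSTEM_AUTH})
    radius, unix = "pam_radius_auth.so", "pam_unix.so"
    return (
        evaluate_auth(stack, {radius: True, unix: False}),
        evaluate_auth(stack, {radius: False, unix: True}),
        evaluate_auth(stack, {radius: False, unix: False}),
    )


if __name__ == "__main__":
    print("page's sshd stack  :", login_outcomes(SSHD_PAGE))         # (True, True, False)
    print("RADIUS-only variant:", login_outcomes(SSHD_RADIUS_ONLY))  # (True, False, False)
```

The middle value of each tuple is the point of the caveat above: with the page's stack a user whom RADIUS rejects can still log in with a local password, while the RADIUS-only variant fails closed (including when the RADIUS server is unreachable, since pam_radius_auth then returns failure). The evaluator covers only the auth type; account, password and session lines are handled by PAM separately.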
As you have seen, we used the /etc/raddb/server file in the PAM configuration above. This file is
used by our Server1 to identify the RADIUS server and the shared secret between them. If you have
more than one RADIUS server, just add more lines. The third column of each line is an optional
parameter giving how many seconds to wait before trying the next RADIUS server. The syntax:
<radius server ip>  SharedSecret  WaitSeconds
Sample:
x.y.z.100  W3L0veiSystemAdm1n  7
Again, don't forget to use the same shared secret on both client and server.
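The following added example (not part of the original post) parses a file in this three-column format, adds up the worst-case delay an SSH login incurs when every listed server is down, flags weak or placeholder secrets, and checks that the file is readable only by its owner, since the secrets in it are what authenticate this host to the RADIUS server. The second server line, the default wait of 3 seconds and the default port 1812 are assumptions of the example; the page only defines the one server and secret shown above.

```python
import os
import stat
import tempfile

# Constructed sample in the page's format: <server[:port]> <secret> [wait-seconds].
# The first line is the page's own entry; the second is a hypothetical secondary server.
SAMPLE = """
# primary
x.y.z.100      W3L0veiSystemAdm1n   7
x.y.z.101:1812 W3L0veiSystemAdm1n   3
"""

DEFAULT_WAIT = 3     # assumed pam_radius default when the third column is absent
DEFAULT_PORT = 1812  # assumed default RADIUS authentication port


def parse_server_file(text):
    """Return a list of {host, port, secret, wait} dicts, one per configured server."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 columns, got {len(parts)}")
        host, _, port = parts[0].partition(":")
        wait = DEFAULT_WAIT if len(parts) == 2 else int(parts[2])
        if wait <= 0:
            raise ValueError(f"line {lineno}: wait seconds must be positive")
        servers.append({"host": host, "port": int(port) if port else DEFAULT_PORT,
                        "secret": parts[1], "wait": wait})
    return servers


def worst_case_delay(servers):
    """Seconds a login can hang when every server is unreachable: the module tries
    them in order and waits the configured seconds for each before moving on."""
    return sum(s["wait"] for s in servers)


def secret_problems(servers):
    """Shared-secret hygiene findings as human-readable strings."""
    findings = []
    for s in servers:
        if len(s["secret"]) < 16:
            findings.append(f"{s['host']}: secret shorter than 16 characters")
        if s["secret"].lower() in ("secret", "testing123", "radius"):
            findings.append(f"{s['host']}: well-known placeholder secret")
    return findings


def file_is_private(path):
    """True when group and others have no permission bits (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Write the sample to a temp file and show the permission check before and
    after tightening the mode; returns (private_before, private_after)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        with open(path, "w") as f:
            f.write(SAMPLE)
        os.chmod(path, 0o644)
        before = file_is_private(path)
        os.chmod(path, 0o600)
        after = file_is_private(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    servers = parse_server_file(SAMPLE)
    print(servers)
    print("worst-case delay:", worst_case_delay(servers), "s")
    print("secret findings :", secret_problems(servers))
    print("private before/after chmod 600:", demo())
```

Run it against the real /etc/raddb/server after installation by replacing SAMPLE with the file's contents; a non-private mode or a placeholder secret is worth fixing before the first login is attempted.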
b) Restart ssh daemon (sshd)
Now restart the SSH daemon so it picks up the new PAM configuration for sshd.
# service sshd restart
Now your system is ready to authenticate using RADIUS. Remember that RADIUS is a plaintext
protocol: the shared secret is only used to hide the password, and the rest of the packet is not
encrypted. Still take the necessary measures to protect the communication between the RADIUS server
and client.
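To show exactly what the shared secret does and does not protect, here is an added example (not from the original post) implementing the User-Password hiding defined in RFC 2865 section 5.2: the password is padded to 16-byte blocks and each block is XORed with MD5(secret + previous block), seeded by the 16-byte Request Authenticator. The user name and every other attribute are sent as-is. The secret reused here is the page's own; the user name, password and authenticator are constructed for the example.

```python
import hashlib
import os


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret, authenticator, password):
    """RFC 2865 s5.2 hiding: c1 = p1 ^ MD5(S + RA), c_i = p_i ^ MD5(S + c_{i-1})."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)   # pad with NULs to 16n
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = _xor(padded[i:i + 16], key)
        out += block
        prev = block          # chaining uses the ciphertext block just produced
    return out


def unhide_password(secret, authenticator, hidden):
    """Inverse of hide_password: same key schedule, XOR undone, padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], key)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_attributes(secret, authenticator, user, password):
    """Access-Request attribute pairs as they appear on the wire: User-Name (type 1)
    is sent in clear, only User-Password (type 2) is hidden with the shared secret."""
    return [(1, user), (2, hide_password(secret, authenticator, password))]


if __name__ == "__main__":
    secret = b"W3L0veiSystemAdm1n"       # the page's shared secret
    ra = os.urandom(16)                  # a fresh Request Authenticator per request
    attrs = build_attributes(secret, ra, b"alice", b"correct horse battery staple")
    for typ, value in attrs:
        print(typ, value)
    print(unhide_password(secret, ra, attrs[1][1]))
```

Two things follow for the advice above: anyone on the path sees the user name and, given the static secret, recovers the password, so the secret's strength and the protection of the network path (a dedicated segment, IPsec or a similar tunnel) are what actually keep the credentials private.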
Remember that you still require the /etc/passwd file (or NIS or a similar mechanism) to identify the
user to the system; you are just not using the /etc/shadow entry to authenticate this user. What you
should do is add the user to the system in the normal way and simply not assign a password to that
user. The user will be locked in /etc/shadow, and that is not a problem for us.
Hope you enjoyed the article. If you have any questions, feel free to ask. We will try our best to
answer them.