pam radius for ssh guide

From thelinuxwiki
Revision as of 14:41, 15 October 2017 by Nighthawk (Talk | contribs)

version info for this guide

gentoo package names and versions:
sys-libs/pam version 1.2.1
sys-auth/pam_radius version 1.3.17-r1
net-dialup/freeradius 3.0.14

configuring the radius server(freeradius)

1) install freeradius via your distribution's package manager
2) define the radius client in /etc/raddb/clients.conf

example syntax...

client NAME {
 ipaddr = IPADDRESS
 secret = SECRET
}

3) Define a User and Password in /etc/raddb/users

I don't like cleartext passwords, so I used an encrypted hash as follows...

# radcrypt --md5 abc123
$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0

where abc123 is an example password

the user jsmith was configured to utilize this password hash by adding a line to /etc/raddb/users

jsmith Crypt-Password := "$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0"

4) start your radius server via your distro's mechanism

for gentoo it is /etc/init.d/radiusd start

configure the radius client

we will reconfigure pam to use the pam_radius module for sshd authentication

1) install the pam_radius module for your distro
2) configure pam to use the radius module by editing the /etc/pam.d/sshd file

add a line that reads...

auth    sufficient      pam_radius_auth.so

my example file reads (after editing)...

auth sufficient pam_radius_auth.so
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login

then restart sshd

This configuration example is a work in progress. It requires the user account to exist locally: the account line above is still handled by system-remote-login. It also still allows login with local credentials, because pam_radius_auth is marked sufficient rather than required, so when radius authentication fails pam falls through to the following auth line.

for more info on how the pam configuration files work, read the pam manpage

3) configure the pam_radius module to use your radius server

edit /etc/raddb/server and add a line per the format...

server[:port] secret [timeout]

where :port and timeout are optional. the default port (1812) is determined by /etc/services and the default timeout is 3 seconds.

example:

192.168.1.20 testing123 3
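a small sanity check for the /etc/raddb/server file, added here as an example and not part of the original wiki page or of pam_radius itself: it parses each "server[:port] secret [timeout]" line, applies the defaults from above (port 1812, timeout 3), rejects malformed lines, and warns when the file (which holds the shared secret) is readable by anyone but root. the host names used in the usage comment are constructed.

```shell
#!/bin/sh
# check_radius_servers FILE
# prints "host port secret_length timeout" for every valid entry and returns 1
# if any line does not match "server[:port] secret [timeout]".
check_radius_servers() {
    file="$1"; status=0; lineno=0
    set -f   # no globbing while word-splitting lines that may contain '*'
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line%%#*}                 # drop comments
        set -- $line                     # split into fields
        [ $# -eq 0 ] && continue         # blank or comment-only line
        if [ $# -lt 2 ] || [ $# -gt 3 ]; then
            echo "line $lineno: expected 'server[:port] secret [timeout]'" >&2
            status=1; continue
        fi
        host=${1%%:*}; port=1812         # default port per the guide
        case "$1" in *:*) port=${1#*:} ;; esac
        secret=$2; timeout=${3:-3}       # default timeout per the guide
        case "$port" in ''|*[!0-9]*)
            echo "line $lineno: bad port '$port'" >&2; status=1; continue ;; esac
        case "$timeout" in ''|*[!0-9]*)
            echo "line $lineno: bad timeout '$timeout'" >&2; status=1; continue ;; esac
        echo "$host $port ${#secret} $timeout"
    done < "$file"
    set +f
    return $status
}

# check_radius_servers_perm FILE
# the file contains the shared secret, so group/other must have no access.
check_radius_servers_perm() {
    perm=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$perm" in
        *00) return 0 ;;
        *)   echo "$1: mode $perm, should be 0600" >&2; return 1 ;;
    esac
}

# usage (constructed example):
#   check_radius_servers /etc/raddb/server && check_radius_servers_perm /etc/raddb/server
```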

test

ssh to your pam_radius client device with an account that exists locally, using the radius password.

troubleshooting

work in progress...

links

Basic configuration HOWTO
http://www.dslreports.com/forum/r26973260-FreeRADIUS-encrypted-passwords
https://99linux.wordpress.com/2013/05/03/ssh-authentication-using-pam-and-radius-in-linux