pam radius for ssh guide
version info for this guide
gentoo package names and versions:
sys-libs/pam version 1.2.1
sys-auth/pam_radius version 1.3.17-r1
net-dialup/freeradius 3.0.14
configuring the radius server
1) install freeradius via your distributions package manager
2) define radius client in /etc/raddb/clients.conf
example syntax...
client NAME { ipaddr = IPADDRESS secret = SECRET }
3) Define a User and Password in /etc/raddb/users
I don't like cleartext passwords, so I used an encrypted hash as follows...
# radcrypt --md5 abc123 $1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0
where abc123 is an example password
the user jsmith was configured to utilize this password hash by adding a line to /etc/raddb/users
jsmith Crypt-Password := "$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0"
4) start your radius server via your distro's mechanism
for gentoo it is /etc/init.d/radiusd start
Alan DeKok-2 is right. I had the same problem. The issue was that pam does multiple checks when you login. In my case, these are controlled by pam.d/sshd because I am trying to authenticate ssh.
specifically this check... account, which checks for validity of the user account.
from the line that reads... account include system-remote-login
What happens is the system checks to see if the account exists in preauth. Somehow that fails and my password is set to a string including "INCORRECT". When I create the account locally with useradd, then radius auth began succeeding. Next, I will look into a way to get around creating a local account.
pam version...
sys-libs/pam Installed versions: 1.2.1