pam radius for ssh guide

From thelinuxwiki
Revision as of 13:56, 15 October 2017 by Nighthawk (Talk | contribs)


version info for this guide

gentoo package names and versions:
sys-libs/pam version 1.2.1
sys-auth/pam_radius version 1.3.17-r1
net-dialup/freeradius 3.0.14

configuring the radius server

1) install freeradius via your distribution's package manager

2) define radius client in /etc/raddb/clients.conf
example syntax...

client NAME {
 ipaddr = IPADDRESS
 secret = SECRET
}

3) Define a User and Password in /etc/raddb/users

I don't like cleartext passwords, so I used an encrypted hash as follows...

# radcrypt --md5 abc123
$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0

where abc123 is an example password

the user jsmith was configured to utilize this password hash by adding a line to /etc/raddb/users

jsmith Crypt-Password := "$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0"

4) start your radius server via your distro's mechanism

for gentoo it is /etc/init.d/radiusd start
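
A check for the users file edited in step 3, as an added example (not part of the original guide or of FreeRADIUS): it parses entries in the users-file layout shown above and reports how each password check item is stored. The sample file content, the users alice and bob, and the function names are assumptions made up for illustration; only the jsmith line comes from this guide.

```python
import re

# Constructed sample of /etc/raddb/users. Only the jsmith line is from the guide;
# alice, bob and their values are made up for illustration.
SAMPLE_USERS = '''\
# local test accounts
jsmith Crypt-Password := "$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0"
alice Cleartext-Password := "example-only"
        Reply-Message := "Hello"
bob Crypt-Password := "$6$constructedsalt$constructedhash"
DEFAULT Auth-Type := Reject
'''

# crypt(3) scheme prefixes that can appear in a Crypt-Password value.
CRYPT_SCHEMES = {"$1$": "md5-crypt", "$5$": "sha256-crypt", "$6$": "sha512-crypt"}
# A check item written as: Attribute := "value" (also accepts == and =).
CHECK_ITEM = re.compile(r'([A-Za-z][\w-]*)\s*(?::=|==|=)\s*"([^"]*)"')


def classify(attr, value):
    """Label how a password check item is stored; None for any other attribute."""
    if attr == "Cleartext-Password":
        return "cleartext"
    if attr == "Crypt-Password":
        for prefix, name in CRYPT_SCHEMES.items():
            if value.startswith(prefix):
                return name
        return "unrecognised-crypt"
    return None


def audit_users(text):
    """Return (line_no, user, attribute, label) for each password check item."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Entries start in column 0; indented lines are reply items, '#' is a comment.
        if not line or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        user, rest = parts[0], parts[1] if len(parts) > 1 else ""
        for attr, value in CHECK_ITEM.findall(rest):
            label = classify(attr, value)
            if label:
                findings.append((line_no, user, attr, label))
    return findings


if __name__ == "__main__":
    for line_no, user, attr, label in audit_users(SAMPLE_USERS):
        print(f"line {line_no}: {user} uses {attr} ({label})")
```

To audit a real file, pass its contents to audit_users() instead of SAMPLE_USERS.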




Alan DeKok-2 is right. I had the same problem. The issue was that pam does multiple checks when you log in. In my case, these are controlled by pam.d/sshd because I am trying to authenticate ssh.

specifically this check... account, which checks for validity of the user account.

from the line that reads... account include system-remote-login

What happens is the system checks to see if the account exists in preauth. Somehow that fails and my password is set to a string including "INCORRECT". When I created the account locally with useradd, radius auth began succeeding. Next, I will look into a way to get around creating a local account.

pam version...

sys-libs/pam Installed versions: 1.2.1