SSH has been used for secure remote access on Linux and UNIX for a very long time. It gives you a strongly encrypted tunnel between the SSH server and client. RADIUS, on the other hand, grew out of dial-up authentication and acts as a central authentication server for many NAS (Network Access Server) devices. There are cases where you may want to use RADIUS for your SSH authentication instead of the local /etc/shadow file: for example, when you have many Linux servers and want to manage authentication from a central database. Other mechanisms such as NIS or LDAP exist, but RADIUS remains a good choice for its ease of use and some unique features.
In this article we show how to configure a Linux system to authenticate SSH sessions through PAM and RADIUS. We have tested it on Ubuntu, among other distributions, but you can try it on any Linux or UNIX. The command reference below is for a CentOS console.
Assumptions and prerequisites:
- Make sure the pam, pam-devel, make and gcc packages are installed.
- The server on which we want RADIUS-based authentication has the hostname "Server1" and IP a.b.c.10.
- You have at least one RADIUS server ready to authenticate users. In another article we will show how to configure a RADIUS server on Linux. For this example the RADIUS server's IP is x.y.z.100.
- The RADIUS shared secret for "Server1" is "W3L0veiSystemAdm1n" and is already configured for client a.b.c.10 on the RADIUS server (x.y.z.100). Use a long, random secret of your own in production; the one here is only an example.
Install the RADIUS PAM module on the client machine
Download the RADIUS PAM client from ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz and then follow the instructions below:
tar zxf pam_radius-1.3.17.tar.gz
cd pam_radius*
make
cp pam_radius_auth.so /lib/security
(or /lib64/security on a 64-bit system)
If your PAM modules live in a different directory, copy the module there instead of /lib/security. You can find the right place by looking where pam_unix.so is installed.
Instruct the sshd PAM service to use RADIUS by editing /etc/pam.d/sshd
Edit /etc/pam.d/sshd so that the pam_radius_auth.so module is consulted for authentication (auth), authorization (account) and accounting (session):
auth       sufficient   pam_radius_auth.so debug
auth       include      system-auth
account    sufficient   pam_radius_auth.so debug
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    sufficient   pam_radius_auth.so debug conf=/etc/raddb/server
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
The syntax of this file is documented in the pam.d man page. Be careful with the control flags 'sufficient', 'required' and so on. With 'sufficient', a user who is accepted by the RADIUS server is considered authenticated and the remaining auth modules are not consulted; if RADIUS rejects the user or does not answer, PAM simply continues to the next line, 'auth include system-auth', which checks the local password. Be aware, therefore, that the above example still allows local authentication for any user who has a password in /etc/shadow. The 'debug' option writes verbose messages to syslog; remove it once the setup works.
Add the RADIUS secret for the sshd PAM service in /etc/raddb/server
You have seen that we referenced the /etc/raddb/server file in the PAM configuration above (it is also the module's default location, so the auth and account lines find it without the conf= option). Server1 uses this file to identify the RADIUS server(s) and the shared secret it shares with each of them. If you have more than one RADIUS server, add one line per server; they are tried in order. The third column is an optional timeout: how many seconds to wait for a reply before moving on to the next server. The syntax is:
<radius server ip or hostname>[:port] SharedSecret TimeoutSeconds
x.y.z.100 W3L0veiSystemAdm1n 7
Again, the shared secret must be identical on the client and the server. Because this file holds the secret, it must be owned by root and readable only by root (mode 0600); a world-readable copy lets any local user impersonate this client to the RADIUS server.
Restart the SSH daemon (sshd)
Restart sshd so that it picks up the new PAM configuration. Also check that /etc/ssh/sshd_config contains "UsePAM yes" (otherwise sshd never consults /etc/pam.d/sshd at all), and keep your current root session open until you have verified a RADIUS login from a second session, so that a mistake in the PAM file cannot lock you out.
#service sshd restart
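The whole procedure above (build the module, write /etc/pam.d/sshd, write /etc/raddb/server, check sshd, restart) collected into one script, as an added example that is not part of the original article. The server address, secret and timeout are the article's placeholders and can be overridden from the environment; the ROOT variable is an assumption introduced here so the files can first be staged into a scratch directory and reviewed before running with "apply" on the live system.

```shell
#!/bin/sh
# Added example (not from the original article). Stages the pam_radius
# client configuration under $ROOT (default: empty, i.e. the live
# filesystem). Run with "apply" as root, with the tarball in $PWD,
# to build the module and rewrite the live files.
set -u

ROOT="${ROOT:-}"
RADIUS_SERVER="${RADIUS_SERVER:-x.y.z.100}"
RADIUS_SECRET="${RADIUS_SECRET:-W3L0veiSystemAdm1n}"
RADIUS_TIMEOUT="${RADIUS_TIMEOUT:-7}"

# Build and install pam_radius_auth.so (needs pam-devel, make, gcc).
# PAM_LIB defaults to the 32-bit path; use /lib64/security on 64-bit.
install_pam_radius() {
    PAM_LIB="${PAM_LIB:-/lib/security}"
    tar zxf pam_radius-1.3.17.tar.gz
    ( cd pam_radius* && make && cp pam_radius_auth.so "$PAM_LIB/" )
}

# /etc/raddb/server: "<server> <secret> <timeout>", one line per server.
# It holds the shared secret, so it is created root-only (umask 077).
write_raddb_server() {
    mkdir -p "$ROOT/etc/raddb"
    ( umask 077
      printf '%s %s %s\n' "$RADIUS_SERVER" "$RADIUS_SECRET" "$RADIUS_TIMEOUT" \
          > "$ROOT/etc/raddb/server" )
    chmod 0600 "$ROOT/etc/raddb/server"
}

# /etc/pam.d/sshd: RADIUS first as "sufficient". The "include system-auth"
# lines mean a user with a local password can still log in if RADIUS
# rejects or is unreachable. Drop "debug" once the setup is verified.
write_pam_sshd() {
    mkdir -p "$ROOT/etc/pam.d"
    cat > "$ROOT/etc/pam.d/sshd" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_radius_auth.so debug
auth       include      system-auth
account    sufficient   pam_radius_auth.so debug
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    sufficient   pam_radius_auth.so debug conf=/etc/raddb/server
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
EOF
}

# Returns 0 only if the secret file exists and is mode 0600
# ("-rw-------" in ls -l); anything looser leaks the shared secret.
check_raddb_perms() {
    f="$ROOT/etc/raddb/server"
    [ -f "$f" ] || return 1
    [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ]
}

# sshd consults /etc/pam.d/sshd only when UsePAM is yes; returns 0 if
# the (possibly staged) sshd_config has that directive uncommented.
check_sshd_usepam() {
    grep -Eqi '^[[:space:]]*UsePAM[[:space:]]+yes' "$ROOT/etc/ssh/sshd_config"
}

case "${1:-}" in
    apply)
        install_pam_radius
        write_raddb_server
        write_pam_sshd
        check_raddb_perms || { echo "bad permissions on /etc/raddb/server" >&2; exit 1; }
        check_sshd_usepam || { echo "set 'UsePAM yes' in /etc/ssh/sshd_config" >&2; exit 1; }
        service sshd restart
        ;;
esac
```

To review before touching the live system, run it as ROOT=/tmp/stage sh script.sh (no "apply") and inspect /tmp/stage/etc; the two check functions fail on purpose when the secret file is readable by others or when UsePAM is commented out, which are the two mistakes that most often make this setup silently fall back to local passwords.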
Your system is now ready to authenticate SSH users against RADIUS. Remember that RADIUS runs over UDP and sends its attributes in the clear; only the User-Password attribute is hidden, by XORing it with an MD5 stream derived from the shared secret and the request authenticator (RFC 2865). Anyone who can sniff the path sees every username, and a weak shared secret can be brute-forced offline from a captured request. So protect the link between the RADIUS client and server (a dedicated management network, IPsec or a VPN), use a long random secret per client, and configure the RADIUS server to accept requests only from known client addresses.
Remember also that RADIUS only answers "is this password correct?": the system still needs an entry in /etc/passwd (or NIS or a similar mechanism) to map the username to a UID, home directory and shell. You are simply no longer using /etc/shadow to verify this user's password. So create the account in the normal way with useradd but never set a password for it. The account then stays locked in /etc/shadow, which is exactly what we want: pam_unix can never accept it, so the only way in is through pam_radius_auth.
Hope you enjoyed the article. If you have any question, feel free to ask. We will try our best to answer them.