SSH Authentication using PAM and RADIUS in Linux

SSH has been used for secure remote access to Linux and UNIX systems for a very long time. It provides a strongly encrypted tunnel between the SSH server and client. RADIUS, on the other hand, is generally used for dial-up authentication and acts as a central server for multiple NAS (Network Access Servers). There are a few cases where you may want to use RADIUS for your SSH authentication instead of the local /etc/shadow file, for example when you have multiple Linux servers but want to manage authentication from a central database. Although there are other mechanisms such as NIS or LDAP, RADIUS is still a good choice for its ease of use and some unique features.

In this article we will show you how to configure your Linux system to authenticate SSH sessions using PAM and RADIUS. We have tested it on CentOS, RedHat, Ubuntu and Slackware, but you can try it with any Linux or UNIX. The command reference applies to a CentOS console.

Assumptions and Prerequisites:

  1. Make sure the pam, pam-devel, make and gcc packages are installed.
  2. The server on which we want to use RADIUS-based authentication has the hostname "Server1" and the IP a.b.c.10.
  3. You have at least one RADIUS server ready to authenticate users. In another article we will try to guide you through configuring a RADIUS server for Linux. For this example we assume the RADIUS server's IP is x.y.z.100.
  4. The RADIUS secret for your server "Server1" is "W3L0veiSystemAdm1n" and is properly configured on the RADIUS server (x.y.z.100).

Install the RADIUS PAM module on the client machine

Download the RADIUS client from ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz and then follow the instructions below:

tar zxf pam_radius-1.3.17.tar.gz
cd pam_radius*
make
cp pam_radius_auth.so /lib/security

(or /lib64/security if it is a 64-bit system; the make step compiles pam_radius_auth.so from the downloaded source, which is why the gcc and make packages are listed as prerequisites)

If your PAM library resides in a different directory, copy the module there instead of /lib/security.

Instruct PAM for sshd to use RADIUS by changing the /etc/pam.d/sshd file

Change the /etc/pam.d/sshd file to instruct the system to use the pam_radius_auth.so module to check with the RADIUS server for authentication and accounting.

auth       sufficient      pam_radius_auth.so debug
auth       include      system-auth
account    sufficient      pam_radius_auth.so debug
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    sufficient      pam_radius_auth.so debug conf=/etc/raddb/server
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

The syntax of this file is described in the PAM man pages. Be careful with the 'sufficient', 'required' and similar control terms. Here we defined that if a user is authenticated by the RADIUS server, the system considers that 'sufficient' and will not check with the other authentication modules. Beware that the above example will still allow local authentication, because the 'auth include system-auth' line is still consulted when RADIUS does not succeed.

Add the RADIUS secret for PAM sshd in /etc/raddb/server

You have seen that we used the /etc/raddb/server file in the PAM configuration above. This file is used by Server1 to identify the RADIUS server and the shared secret between them. If you have more than one RADIUS server, just add more lines. The third column of each line is an optional parameter specifying how many seconds to wait before trying the next RADIUS server. The syntax sample:

<radius server ip>    SharedSecret          WaitSeconds

x.y.z.100             W3L0veiSystemAdm1n    7

Again, don't forget to use the same shared secret on both the client and the server.

Restart the SSH daemon (sshd)

Now restart the SSH daemon so that it picks up the new /etc/pam.d/sshd file.

#service sshd restart

Now your system is ready to authenticate using RADIUS. Remember that RADIUS is a plain-text protocol: only the password is encrypted using the shared secret, while the rest of the packet travels in the clear. Still take the necessary measures to protect the communication between the RADIUS server and client.

Remember that you still need the /etc/passwd file (or NIS or a similar mechanism) to identify the user to the system; you are only no longer using the /etc/shadow file to authenticate this user. What you should do is add the user to the system in the normal way and simply not assign a password. The user will be locked in /etc/shadow, and that is not a problem for us.
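As an added example that is not part of the original article, here is a POSIX shell script that audits the result of the steps above: which authentication mode the /etc/pam.d/sshd auth stack ends up in ('sufficient' plus a following 'include system-auth' is the local-fallback case discussed under the PAM configuration), whether every /etc/raddb/server line is well formed, whether that file (which holds the shared secret) is readable only by its owner, and whether the local user's /etc/shadow entry is locked as described in this last step. All paths are parameters; the demonstration at the bottom runs the checks against constructed sample files in a temporary directory (the 198.51.100.10 address, the ExampleSecret value and the 'alice' shadow line are made up), so it runs without touching the live system. Point the functions at the real files to audit a server.

```shell
#!/bin/sh
# Added audit script (not part of the original article). Checks the PAM,
# /etc/raddb/server and /etc/shadow state described above. Every function
# takes explicit paths so it can be run against sample files or the real ones.

# Print the first existing PAM module directory from the arguments, or from
# the usual locations (the article installs to /lib/security or
# /lib64/security) when no arguments are given.
pam_module_dir() {
    [ $# -gt 0 ] || set -- /lib64/security /lib/security /usr/lib64/security /usr/lib/security
    for d in "$@"; do
        if [ -d "$d" ]; then echo "$d"; return 0; fi
    done
    return 1
}

# Classify the auth stack of a pam.d/sshd-style file. Prints one of:
#   no-radius                   pam_radius_auth.so is not in the auth stack
#   radius-only                 RADIUS is the only auth module consulted
#   radius-with-local-fallback  RADIUS is 'sufficient', so a RADIUS failure
#                               falls through to the later (local) auth lines
#   radius-and-local            RADIUS is required/requisite and local auth
#                               lines follow, so both must succeed
pam_sshd_mode() {
    f=$1; radius=0; later=0
    while read -r type ctrl module rest || [ -n "$type" ]; do
        case $type in ''|\#*) continue ;; esac
        [ "$type" = auth ] || continue
        if [ "$module" = pam_radius_auth.so ]; then
            radius=$ctrl
        elif [ "$radius" != 0 ]; then
            later=1
        fi
    done < "$f"
    if [ "$radius" = 0 ]; then echo no-radius
    elif [ "$later" = 0 ]; then echo radius-only
    elif [ "$radius" = sufficient ]; then echo radius-with-local-fallback
    else echo radius-and-local
    fi
}

# Validate a /etc/raddb/server-style file: each non-comment line is
# "server secret [wait-seconds]". Prints the number of usable entries and
# returns 1 if any entry lacks a secret or has a non-numeric wait time.
raddb_server_count() {
    f=$1; n=0; bad=0
    while read -r srv secret secs rest || [ -n "$srv" ]; do
        case $srv in ''|\#*) continue ;; esac
        if [ -z "$secret" ]; then bad=1; continue; fi
        case $secs in *[!0-9]*) bad=1; continue ;; esac
        n=$((n + 1))
    done < "$f"
    echo "$n"
    [ "$bad" = 0 ]
}

# The server file holds the shared secret, so report whether the group and
# other permission bits are all clear (mode 0600/0400). Uses ls(1) rather
# than stat(1) because stat's flags differ between Linux and BSD.
secret_file_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Given one shadow(5) line, return 0 when the password field is locked
# (starts with '!' or '*'), the state the article expects for a RADIUS-only
# user. An empty field means no password at all and is NOT treated as locked.
shadow_locked() {
    case $(printf '%s\n' "$1" | cut -d: -f2) in
        '!'*|'*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration against constructed sample files (address, secret and shadow
# line are made up); use /etc/pam.d/sshd, /etc/raddb/server and a real
# /etc/shadow line to audit a server.
demo=$(mktemp -d)
cat > "$demo/sshd" <<'EOF'
auth       sufficient   pam_radius_auth.so debug
auth       include      system-auth
account    sufficient   pam_radius_auth.so debug
account    include      system-auth
EOF
printf '%s\n' '# server         secret         wait' \
              '198.51.100.10    ExampleSecret  7' > "$demo/server"
chmod 600 "$demo/server"
echo "pam module dir       : $(pam_module_dir || echo 'none found')"
echo "sshd auth mode       : $(pam_sshd_mode "$demo/sshd")"
echo "RADIUS server entries: $(raddb_server_count "$demo/server")"
if secret_file_private "$demo/server"; then echo "secret file private  : yes"
else echo "secret file private  : NO (chmod 600 it)"; fi
if shadow_locked 'alice:!!:16000:0:99999:7:::'; then echo "alice local password : locked"; fi
rm -rf "$demo"
```

The permission check is the one item the article does not spell out: sshd runs the PAM stack as root, so /etc/raddb/server can be owned by root with mode 0600 without breaking authentication, and anything wider exposes the shared secret to every local account. The shadow check deliberately rejects an empty password field, since a user with no password field at all is not the same as a locked user.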

Hope you enjoyed the article. If you have any question, feel free to ask. We will try our best to answer them.

About Sifat

Sifat is a veteran System Administrator who still loves to make his hands dirty with text consoles. Sifat has 14 years of Operations and Management experience in IT and telecommunication industries. He has a proven record of IT planning, Policy Development, IT Process Management, Cost Control and successful leadership for effective and efficient IT organization. He is effective in reducing Capital and Operation Expense by H/W & Software consolidation and virtualization. Sifat is a certified ITIL and VMWare Professional.
© Copyright 2011-2014 iSystemAdmin.com. All rights reserved.