Difference between revisions of "pam radius for ssh guide"
(Created page with "==version info for this guide== gentoo package names and versions: <br>sys-libs/pam version 1.2.1 <br>sys-auth/pam_radius version 1.3.17-r1 <br>net-dialup/freeradius 3.0.14 ...") |
|||
| Line 5: | Line 5: | ||
<br>net-dialup/freeradius 3.0.14 | <br>net-dialup/freeradius 3.0.14 | ||
| − | ==configuring the radius server== | + | ==configuring the radius server(freeradius)== |
1) install freeradius via your distributions package manager | 1) install freeradius via your distributions package manager | ||
2) define radius client in /etc/raddb/clients.conf | 2) define radius client in /etc/raddb/clients.conf | ||
| Line 29: | Line 29: | ||
for gentoo it is /etc/init.d/radiusd start | for gentoo it is /etc/init.d/radiusd start | ||
| + | ==configure the radius client== | ||
| + | we will reconfigure pam to use the pam_radius module for sshd authentication | ||
| + | 1) install the pam_radius module for your distro | ||
| + | 2) configure pam to use radius module by editing /etc/pamd.d/sshd file | ||
| + | add a line as that reads... | ||
| + | auth sufficient pam_radius_auth.so | ||
| + | my example file reads(after editing)... | ||
| + | auth sufficient pam_radius_auth.so | ||
| + | <br>auth include system-remote-login | ||
| + | <br>account include system-remote-login | ||
| + | <br>password include system-remote-login | ||
| + | <br>session include system-remote-login | ||
| + | |||
| + | then restart sshd | ||
| + | |||
| + | This configuration example is a work in progress. It required the user account to exist locally. The account line above requires it. It also allows you to still login with local credentials. | ||
| + | |||
| + | |||
| + | for more info on how the pam configuration files work, read the [https://linux.die.net/man/8/pam pam manpage] | ||
| + | |||
| + | ==troubleshooting== | ||
Alan DeKok-2 is right. I had the same problem. The issue was that pam does multiple checks when you login. In my case, these are controlled by pam.d/sshd because I am trying to authenticate ssh. | Alan DeKok-2 is right. I had the same problem. The issue was that pam does multiple checks when you login. In my case, these are controlled by pam.d/sshd because I am trying to authenticate ssh. | ||
| Line 47: | Line 68: | ||
sys-libs/pam Installed versions: 1.2.1 | sys-libs/pam Installed versions: 1.2.1 | ||
| + | |||
| + | ==links== | ||
| + | [http://www.dslreports.com/forum/r26973260-FreeRADIUS-encrypted-passwords] | ||
| + | [http://wiki.freeradius.org/guide/Basic-configuration-HOWTO] | ||
| + | [https://99linux.wordpress.com/2013/05/03/ssh-authentication-using-pam-and-radius-in-linux/] | ||
Revision as of 14:13, 15 October 2017
Contents |
version info for this guide
gentoo package names and versions:
sys-libs/pam version 1.2.1
sys-auth/pam_radius version 1.3.17-r1
net-dialup/freeradius 3.0.14
configuring the radius server(freeradius)
1) install freeradius via your distributions package manager
2) define radius client in /etc/raddb/clients.conf
example syntax...
client NAME {
ipaddr = IPADDRESS
secret = SECRET
}
3) Define a User and Password in /etc/raddb/users
I don't like cleartext passwords, so I used an encrypted hash as follows...
# radcrypt --md5 abc123 $1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0
where abc123 is an example password
the user jsmith was configured to utilize this password hash by adding a line to /etc/raddb/users
jsmith Crypt-Password := "$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0"
4) start your radius server via your distro's mechanism
for gentoo it is /etc/init.d/radiusd start
configure the radius client
we will reconfigure pam to use the pam_radius module for sshd authentication
1) install the pam_radius module for your distro 2) configure pam to use radius module by editing /etc/pamd.d/sshd file
add a line as that reads...
auth sufficient pam_radius_auth.so
my example file reads(after editing)...
auth sufficient pam_radius_auth.so
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
then restart sshd
This configuration example is a work in progress. It required the user account to exist locally. The account line above requires it. It also allows you to still login with local credentials.
for more info on how the pam configuration files work, read the pam manpage
troubleshooting
Alan DeKok-2 is right. I had the same problem. The issue was that pam does multiple checks when you login. In my case, these are controlled by pam.d/sshd because I am trying to authenticate ssh.
specifically this check... account, which checks for validity of the user account.
from the line that reads... account include system-remote-login
What happens is the system checks to see if the account exists in preauth. Somehow that fails and my password is set to a string including "INCORRECT". When I create the account locally with useradd, then radius auth began succeeding. Next, I will look into a way to get around creating a local account.
pam version...
sys-libs/pam Installed versions: 1.2.1
