Difference between revisions of "pam radius for ssh guide"

From thelinuxwiki

Revision as of 13:56, 15 October 2017

version info for this guide

gentoo package names and versions:
sys-libs/pam version 1.2.1
sys-auth/pam_radius version 1.3.17-r1
net-dialup/freeradius 3.0.14

configuring the radius server

1) install freeradius via your distribution's package manager

2) define radius client in /etc/raddb/clients.conf
example syntax...

client NAME {
 ipaddr = IPADDRESS
 secret = SECRET
}

3) Define a User and Password in /etc/raddb/users

I don't like cleartext passwords, so I used an encrypted hash as follows...

# radcrypt --md5 abc123
$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0

where abc123 is an example password

the user jsmith was configured to utilize this password hash by adding a line to /etc/raddb/users

jsmith Crypt-Password := "$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0"

4) start your radius server via your distro's mechanism

for gentoo it is /etc/init.d/radiusd start
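
A quick audit of the users file from step 3, as an added example (not part of the original guide or of FreeRADIUS): it reports which entries use Cleartext-Password and, from the hash prefix, which crypt(3) scheme each Crypt-Password value uses. The function names and every sample entry except the jsmith line are constructed for illustration.

```python
import re

# Added example; audit_users, classify, SCHEMES and SAMPLE are hypothetical names.
# Prefixes follow the crypt(3) modular format ($id$salt$hash).
SCHEMES = [
    ("$6$", "sha512-crypt"),
    ("$5$", "sha256-crypt"),
    ("$2", "bcrypt"),
    ("$1$", "md5-crypt"),
]

# Matches password check items such as: Crypt-Password := "value"
CHECK_ITEM = re.compile(
    r'(Cleartext-Password|Crypt-Password)\s*(?::=|==|=)\s*"([^"]*)"'
)

def classify(hash_value):
    """Name the crypt(3) scheme indicated by the hash prefix."""
    for prefix, name in SCHEMES:
        if hash_value.startswith(prefix):
            return name
    return "des-or-unknown"

def audit_users(text):
    """Return (line_no, user, finding) for each password check item."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Skip blanks, comments, and indented reply-item lines.
        if not line.strip() or line.lstrip().startswith("#") or line[0].isspace():
            continue
        user = line.split(None, 1)[0]
        for attr, value in CHECK_ITEM.findall(line):
            if attr == "Cleartext-Password":
                findings.append((line_no, user, "cleartext"))
            else:
                findings.append((line_no, user, classify(value)))
    return findings

# Constructed sample; only the jsmith line comes from the guide.
SAMPLE = '''\
# sample /etc/raddb/users content
jsmith Crypt-Password := "$1$orQvjGWz$wkQftz9uR4nmvT5V6vD7.0"
    Reply-Message := "hello"
bob Cleartext-Password := "hunter2"
carol Crypt-Password := "$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH"
'''

if __name__ == "__main__":
    for finding in audit_users(SAMPLE):
        print(*finding)
```

To check a real file, pass its contents to audit_users(), for example open("/etc/raddb/users").read().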




Alan DeKok-2 is right. I had the same problem. The issue was that pam does multiple checks when you log in. In my case, these are controlled by pam.d/sshd because I am trying to authenticate ssh.

specifically this check... account, which checks for validity of the user account.

from the line that reads... account include system-remote-login

What happens is the system checks to see if the account exists in preauth. Somehow that fails and my password is set to a string including "INCORRECT". When I created the account locally with useradd, radius auth began succeeding. Next, I will look into a way to get around creating a local account.

pam version...

sys-libs/pam Installed versions: 1.2.1