Linux SSHD authentication to external Radius
I have worked in recent years as a network security engineer. One task I faced was making various network devices authenticate to a central AAA solution. Most of the devices were pretty straight forward with the exception of Linux.
Most network environments I have been exposed to where there is an interest in creating a single sign-on solution have been focusing on getting all their devices to authenticate against Microsoft’s Active Directory or some third party two-factor authentication tool. My work on this little project led me into a hole that none of my local Linux guru friends could dig me out of. While most of this information can be gathered straight from various sources on the Internet, I have yet to find anyone put it all together in a step by step procedure like found in this post. These instructions worked on RedHat enterprise and Fedora while running against a variety of radius servers including Microsoft IAS and SafeWord from Super Computing. The following steps assume that you have a functional radius server in place that can already accept and authenticate user logins from devices like Cisco routers and switches.
HOWTO configure Linux SSH users to authenticate to external Radius
- Log in to the Linux box that needs to authenticate against Radius using root privileges.
- Download ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz using the FTP command
- extract the pam_radius-1.3.17.tar.gz file to a subdirectory of you home directory called /pam_radius-1.3.17
- Switch directories to /pam_radius-1.3.17
- Edit pam_radius_auth.conf to reflect actual Radius server IP, ShareSecret and timeout.
- Execute the “make” command
- Copy file that was created during the make over to /lib/security – cp pam_radius_auth.so /lib/security
- Make a backup of the /etc/pa.d/sshd – cp /etc/pam.d/sshd /etc/pam.d/sshd.BU
- Edit /etc/pam.d/sshd to read as follows: (Note: the client_id in line one is optional and configurable)
#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so debug client_id=linux
auth sufficient pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
- Edit /etc/ssh/sshd_config and add the following line to the bottom of the file:
- Create accounts on the Linux box for all users requiring access to this server via SSH using AAA authentication. Assign a blank password to each account on the Linux box.
- Verify that the IP addresses and shared secret(s) have been added to the AAA server clients configuration for this Linux box.
- Verify that all users requiring access to the Linux box have AAA accounts configured on the radius server.
UsePAM yes
These instructions were compiled from mostly trial and error based on instructions found at FreeRADIUS.org.
Disclaimer: I consider myself to be an intermediate Linux administrator. Please feel free to share links in the comments to more clear and comprehensive solutions for authenticating Linux against and external AAA server if you have them. I would especially like to hear ideas on how to get around the need for matching ids on the Linux server.
