HOEI



Linux SSHD authentication to external Radius

September 20th, 2007

I have worked in recent years as a network security engineer. One task I faced was making various network devices authenticate to a central AAA solution. Most of the devices were pretty straightforward, with the exception of Linux.

Most network environments I have been exposed to that wanted a single sign-on solution have focused on getting all their devices to authenticate against Microsoft's Active Directory or some third-party two-factor authentication tool. My work on this little project led me into a hole that none of my local Linux guru friends could dig me out of. While most of this information can be gathered from various sources on the Internet, I have yet to find anyone put it all together in a step-by-step procedure like the one in this post. These instructions worked on Red Hat Enterprise Linux and Fedora, running against a variety of RADIUS servers including Microsoft IAS and SafeWord from Secure Computing. The following steps assume that you have a functional RADIUS server in place that already accepts and authenticates user logins from devices like Cisco routers and switches.

HOWTO configure Linux SSH users to authenticate to external Radius

  1. Log in to the Linux box that needs to authenticate against RADIUS with root privileges.
  2. Download ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz using the ftp command.
  3. Extract pam_radius-1.3.17.tar.gz into a subdirectory of your home directory called pam_radius-1.3.17.
  4. Change into the pam_radius-1.3.17 directory.
  5. Edit pam_radius_auth.conf to reflect the actual RADIUS server IP, shared secret and timeout. The module does not read the file where it sits: copy it to /etc/raddb/server, the path pam_radius_auth.so reads by default, and make it mode 0600, since it holds the shared secret.
  6. Execute the "make" command.
  7. Copy the module that make produced to /lib/security: cp pam_radius_auth.so /lib/security (on 64-bit systems the PAM module directory is /lib64/security).
  8. Make a backup of /etc/pam.d/sshd: cp /etc/pam.d/sshd /etc/pam.d/sshd.BU
  9. Edit /etc/pam.d/sshd to read as follows. (The client_id and debug options on the first line are optional; debug logs every request to syslog, so drop it once logins work. The "sufficient" control means a RADIUS accept finishes the auth stack and a RADIUS reject falls through to the local system-auth password check. pam_stack.so is how Red Hat Enterprise Linux 4 stacks system-auth; distributions that no longer ship it use "auth include system-auth" instead, as comment 7 below shows.)

#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so debug client_id=linux
auth sufficient pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so

  10. Edit /etc/ssh/sshd_config and add the following line to the bottom of the file (if the file already has a UsePAM line, change that one instead; sshd honours the first match):

UsePAM yes

  11. Create accounts on the Linux box for all users who need SSH access to this server via AAA authentication, and lock each account's local password (passwd -l user, which prefixes the hash with "!"). With UsePAM yes sshd leaves the lock to PAM, so a RADIUS accept still logs the user in, while the fallback to the local password can never succeed. Do not leave the password blank: a blank password field is exactly what pam_unix accepts when system-auth carries the nullok option, as the stock Red Hat one does.
  12. Verify that this box's IP address and shared secret have been added to the client configuration on the AAA server.
  13. Verify that all users requiring access to the Linux box have accounts configured on the RADIUS server.
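The whole procedure above, as one added example that is not part of the original post: a POSIX shell script that stages the client side of the HOWTO (the /etc/raddb/server file, /etc/pam.d/sshd in either the pam_stack or the include style, UsePAM yes and PermitEmptyPasswords no in sshd_config) into a scratch directory tree and then checks it, plus a test for whether a local account's password is actually locked. The RADIUS address, shared secret and timeout are assumed environment variables (192.0.2.10 is a documentation-range placeholder); /etc/raddb/server as the module's config path comes from pam_radius's own README, and the include-style PAM file from comment 7 below, not from the post itself. The debug option is left off the pam_radius line; add it while troubleshooting.

```shell
#!/bin/sh
# Added example (not code from the original post): stage the pam_radius
# client configuration from the HOWTO into a scratch directory tree, so it
# can be reviewed or diffed against the live box before root copies it over.
# Assumed, not stated on the page: server, secret and timeout come from
# the environment (192.0.2.10 is a documentation-range placeholder).
set -eu

RADIUS_SERVER=${RADIUS_SERVER:-192.0.2.10}
RADIUS_SECRET=${RADIUS_SECRET:-changeme}
RADIUS_TIMEOUT=${RADIUS_TIMEOUT:-3}

# pam_radius_auth.so reads /etc/raddb/server: one "server[:port]  secret
# timeout" line per server. It holds the secret, so umask 077 => mode 0600.
write_server_conf() {   # $1 = root of the tree being staged
    mkdir -p "$1/etc/raddb"
    ( umask 077; printf '%s\t%s\t%s\n' "$RADIUS_SERVER" "$RADIUS_SECRET" \
        "$RADIUS_TIMEOUT" > "$1/etc/raddb/server" )
}

# RHEL 4-era PAM stacks system-auth via pam_stack.so; later releases "include".
pam_style() {
    if [ -e /lib/security/pam_stack.so ] || [ -e /lib64/security/pam_stack.so ]
    then echo stack; else echo include; fi
}

# /etc/pam.d/sshd with pam_radius first. "sufficient": a RADIUS Accept ends
# the auth stack, a Reject falls through to the local password, which is why
# local accounts must be locked (see password_locked). The module is named
# without a path so PAM finds it in /lib or /lib64/security.
write_sshd_pam() {   # $1 = root, $2 = stack | include
    mkdir -p "$1/etc/pam.d"
    if [ "$2" = stack ]; then
        cat > "$1/etc/pam.d/sshd" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_radius_auth.so client_id=linux
auth       sufficient   pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
EOF
    else
        cat > "$1/etc/pam.d/sshd" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_radius_auth.so client_id=linux
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
EOF
    fi
}

# Set one sshd_config keyword, dropping any live or commented-out copies so
# exactly one effective line remains (sshd honours the first match it sees).
set_sshd_option() {   # $1 = sshd_config path, $2 = keyword, $3 = value
    mkdir -p "$(dirname "$1")"; touch "$1"
    grep -Eiv "^[[:space:]]*#?[[:space:]]*$2([[:space:]]|$)" "$1" > "$1.tmp" || true
    printf '%s %s\n' "$2" "$3" >> "$1.tmp"
    mv "$1.tmp" "$1"
}

# A local account is a pure RADIUS shell only if its shadow hash field starts
# with "!" (passwd -l) or "*". A blank field is what pam_unix nullok accepts.
password_locked() {   # $1 = shadow file, $2 = user
    grep -Eq "^$2:[!*]" "$1"
}

# Return 0 when the tree has everything the HOWTO relies on, else report.
check_tree() {   # $1 = root
    rc=0
    f="$1/etc/raddb/server"
    [ -n "$(find "$f" -perm 600 2>/dev/null)" ] || { echo "$f missing or not 0600"; rc=1; }
    grep -E '^auth' "$1/etc/pam.d/sshd" 2>/dev/null | head -n 1 \
        | grep -q 'sufficient[[:space:]]*pam_radius_auth.so' \
        || { echo "pam_radius_auth.so is not the first auth module"; rc=1; }
    c="$1/etc/ssh/sshd_config"
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$c" 2>/dev/null \
        || { echo "UsePAM yes not set"; rc=1; }
    grep -Eiq '^[[:space:]]*PermitEmptyPasswords[[:space:]]+no' "$c" 2>/dev/null \
        || { echo "PermitEmptyPasswords no not set"; rc=1; }
    return $rc
}

# Stage everything under $1 and check it; root copies the result over / later.
stage_all() {   # $1 = root, $2 = stack | include
    write_server_conf "$1"
    write_sshd_pam "$1" "$2"
    set_sshd_option "$1/etc/ssh/sshd_config" UsePAM yes
    set_sshd_option "$1/etc/ssh/sshd_config" PermitEmptyPasswords no
    check_tree "$1"
}

STAGE=${STAGE:-$(mktemp -d)}
stage_all "$STAGE" "$(pam_style)" && echo "staged pam_radius config in $STAGE"
```

Run it as an ordinary user to get a review copy under a temporary directory; diff that against the live files, copy them into place as root, then reload sshd and test the RADIUS login from a second session while keeping the first one open, since a broken /etc/pam.d/sshd locks you out of the box.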

These instructions were compiled mostly from trial and error, based on instructions found at FreeRADIUS.org.

Disclaimer: I consider myself to be an intermediate Linux administrator. Please feel free to share links in the comments to more clear and comprehensive solutions for authenticating Linux against an external AAA server if you have them. I would especially like to hear ideas on how to get around the need for matching IDs on the Linux server.


10 Comments »

  1. Nick Owen says

    Greetings. I’m a big fan of pam_radius as well. I have written a number of how-tos about connecting various apps to pam_radius for two-factor authentication, including apache, ssh, openvpn: http://www.wikidsystems.com/documentation/howtos/. There are more on howtoforge as well:
    ssh + two-factor:
    http://www.howtoforge.com/secure_ssh_with_wikid_two_factor_authentication

    webdav + two-factor:
    http://www.howtoforge.com/webdav_with_ssl_and_two_factor_authentication

    vnc + nomachine + two-factor:
    http://www.howtoforge.com/secure_vnc_remote_access_with_two_factor_authentication

    As for the account issue, do you have
    account sufficient /lib/security/pam_radius_auth.so

    above the line:
    account required pam_stack.so service=system-auth

    in your sshd pam file?

    September 24th, 2007 | #

  2. TacoGrande says

    Your HOWTO did not work for me; I am using Fedora 7 for the client, and Fedora 7 with freeradius/fedora-ds for the AAA side. I fail to authenticate at all and see nothing in radius.log indicating why. Really sucks to keep running across websites with so-called 'solutions' to get pam_radius working that really don't work after all the effort. My AAA server auths Ciscos fine BTW, so this PAM config above is not entirely correct; I am using the same tarball of pam_radius as well. Guess I will check out some of the other links, although I tried following some of the Wikid related docs for the pam_rad piece before.

    December 17th, 2007 | #

  3. Nick Owen says

    Are there any errors in /var/log/secure that indicate a problem?

    If your Cisco is working, but PAM is not, it could be a port issue. Check what port your RADIUS server is listening on. The standard is now 1812, but it seems like Cisco still uses 1645 sometimes...

    hth,

    nick

    December 18th, 2007 | #

  4. TacoGrande says

    I hard set my ports used for AAA on the Cisco to 1812 so the port would probably be irrelevant.

    What seems to happen is that I can log in as root (not in RADIUS/LDAP) and RADIUS logs that successful login, but if I try an LDAP user I get access denied. I see nothing in /var/log/secure other than that successful root login, nothing hinting at what's going on with a user in LDAP and why it's failing.

    December 18th, 2007 | #

  5. Nick Owen says

    I haven’t done anything with freeradius -> ldap, but I have been thinking about it. Unfortunately, there is no way I’ll be able to get to it before the end of the year.

    December 19th, 2007 | #

  6. TacoGrande says

    Seems I have gotten closer... what happens now is, if I log in as a valid user in LDAP/RADIUS and on the host, I immediately exit; if I try something not in LDAP/RADIUS or in the local password file I get access denied. It would seem it's either something missing from /etc/raddb/users or sshd_config options... I tried Password or CHAP; Password is what yields the immediate exit on successful login, and if CHAP is used I just get a flat-out Access denied.

    Anything special in /etc/raddb/users or sshd_config you can think of I might need to set given those results... so so close to having this work!

    December 19th, 2007 | #

  7. TacoGrande says

    Ended up being the pam.d config file for SSH... not at all as complex as what was listed above, and it works just fine. For one, my distro, Fedora 7, doesn't have pam_stack.so, the cause of my mysterious exit upon successful login. Once you get past this little fact and just add one single line, instead of the before-this and after-this stuff one typically sees in a howto, you're golden. You just want the pam_rad before system-auth and you should be good.

    LESSONS LEARNED: don't make it too complicated!!!! Just add one line for starters to the very top of your pam file, the one for pam_radius_auth.

    Obviously the debug and client_id are not required. As many people as there are using pam_radius, I would have thought I'd find some decent docs for most of the big distros, but I guess no one has thought of a nice definitive site....

    #%PAM-1.0
    auth sufficient /lib/security/pam_radius_auth.so debug client_id=linux
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    session optional pam_keyinit.so force revoke
    session include system-auth
    session required pam_loginuid.so

    December 19th, 2007 | #

  8. Nick Owen says

    Great news and great advice. You really have to add just one element at a time and test that.

    December 20th, 2007 | #

  9. nx says

    This works great, but can you make this work w/o adding a user on the server using AAA auth? And if it is not possible using RADIUS, what else can I use?

    December 30th, 2007 | #

  10. Nick Owen says

    If you set the account line to use radius, you should not need an account on the box.

    HTH,

    nick

    December 31st, 2007 | #
