PAM with Radius Authentication


The PAM Radius module allows any PAM-capable machine to act as a RADIUS client for authentication and accounting requests. The actual authentication is performed by a RADIUS server; FreeRADIUS can be used as that server.

Download the PAM Radius Module

To download the PAM Radius module, click here.

Installing & configuring PAM Radius Module

To install the PAM Radius module, run the following commands:

[root@rahul-pc]# tar -xvf pam_radius-1.3.17.tar.gz

[root@rahul-pc]# cd pam_radius-1.3.17

[root@rahul-pc]# make

This generates the library file pam_radius_login.so. Copy that file to the /lib/security/ directory.

[root@rahul-pc]# cp pam_radius_login.so /lib/security/

Create the directory /etc/raddb/ and copy the file pam_radius_auth.conf into it under the name server.

[root@rahul-pc]# mkdir /etc/raddb/

[root@rahul-pc]# cp pam_radius_auth.conf /etc/raddb/server

Edit the file /etc/raddb/server to match your configuration.

# Radius Server IP address    Secret        Timeout
192.168.2.43                  yoursecret    3

Configure PAM Applications for Radius Server

After completing the above configuration, edit each PAM application's file so that it authenticates against the RADIUS server.

SSH server configuration

To authenticate SSH server requests against the RADIUS server, edit the file /etc/pam.d/sshd. Add the new line

auth        sufficient    pam_radius_auth.so

above the following line

auth        include       system-auth

After this change, authentication requests for the SSH server go to the configured RADIUS server (192.168.2.43 in our example) first. If the RADIUS server does not accept the request, PAM then checks system-auth.

Password change configuration

Similarly, to change the password of any SSH user, edit the file /etc/pam.d/passwd. Add the new line

password    sufficient    pam_radius_auth.so

above the following line

password    include       system-auth

After this, password change requests will go to the RADIUS server.

FTP Server Configuration

Similarly, make the same changes to the vsftpd file in the /etc/pam.d/ directory. All authentication requests for the FTP server will then go to the RADIUS server.

Make the same changes for any other applications that need them.
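
The following check is an added example, not part of the original post or of the pam_radius project: it verifies that the pam_radius_auth.so line sits above the system-auth include in a PAM file, and that the server file, which stores the shared secret in clear text, is not readable by group or others. The function names are hypothetical, the sample files are constructed stand-ins for /etc/pam.d/sshd and /etc/raddb/server, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the files this page edits. Function names are hypothetical.

# radius_before_system_auth FILE TYPE
# Succeeds only if "TYPE sufficient pam_radius_auth.so" precedes
# "TYPE include system-auth" in FILE (PAM evaluates a stack top to bottom).
radius_before_system_auth() {
    awk -v t="$2" '
        $1 ~ /^#/ { next }    # ignore comment lines
        $1 == t && $2 == "sufficient" && $3 ~ /pam_radius_auth\.so$/ && !r { r = NR }
        $1 == t && $2 == "include" && $3 == "system-auth" && !s { s = NR }
        END { exit !(r && s && r < s) }
    ' "$1"
}

# secret_file_private FILE
# Succeeds only if FILE has no group/other permission bits set.
# The file holds the RADIUS shared secret in clear text.
secret_file_private() {
    mode=$(stat -c '%a' "$1") || return 2    # GNU stat, as found on Linux
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample files standing in for /etc/pam.d/sshd and /etc/raddb/server.
tmp=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' \
    'auth  sufficient  pam_radius_auth.so' \
    'auth  include     system-auth' > "$tmp/sshd.good"
printf '%s\n' '#%PAM-1.0' \
    'auth  include     system-auth' \
    'auth  sufficient  pam_radius_auth.so' > "$tmp/sshd.bad"
printf '%s\n' '192.168.2.43  yoursecret  3' > "$tmp/server"
chmod 644 "$tmp/server"

for f in "$tmp/sshd.good" "$tmp/sshd.bad"; do
    if radius_before_system_auth "$f" auth; then echo "$f: RADIUS is tried first"
    else echo "$f: RADIUS line missing or below system-auth"; fi
done
secret_file_private "$tmp/server" || echo "$tmp/server: secret readable by group/other"
chmod 600 "$tmp/server"
secret_file_private "$tmp/server" && echo "$tmp/server: mode ok"
```

On a real host, call the two functions with /etc/pam.d/sshd (or passwd, vsftpd) and /etc/raddb/server instead of the temporary files.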

5 thoughts on “PAM with Radius Authentication”

  1. Generally I do not read post on blogs, however I wish to say that this write-up very forced me to take a look at and do it! Your writing taste has been amazed me. Thanks, quite nice post.

  2. Does this require a home directory for each user to reside on the physical SSH server? I am hoping to find a solution that will allow SSH authentication via radius with just the username/password credentials stored in radius and not have to create a home directory for each user. Also, does the user need to exist in etc/passwd ? Nice article.

  3. Does this method require a local user account on the SSH server itself or does it rely completely on the user account information that resides on the Radius server? I see other posts that mention a requirement to have a local account (i.e. home directory and/or listed in etc/passwd). I am hoping your post shows a method that does not require anything local on the SSH server itself. Nice article!
