The PAM RADIUS module allows any PAM-capable machine to become a RADIUS client for authentication and accounting requests. The actual authentication is performed by a RADIUS server; FreeRADIUS can be used as the RADIUS server.
Download the PAM Radius Module
To download the PAM Radius module, click here.
Installing & configuring PAM Radius Module
To install the PAM RADIUS module, run the following commands:
[root@rahul-pc]# tar -xvf pam_radius-1.3.17.tar.gz
[root@rahul-pc]# cd pam_radius-1.3.17
[root@rahul-pc]# make
This generates the library file pam_radius_auth.so, the module name used in the PAM configuration lines below. Copy that file to the /lib/security/ directory.
[root@rahul-pc]# cp pam_radius_auth.so /lib/security/
Create the directory /etc/raddb/ and copy the file pam_radius_auth.conf into it under the name server.
[root@rahul-pc]# mkdir /etc/raddb/
[root@rahul-pc]# cp pam_radius_auth.conf /etc/raddb/server
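Edit the file /etc/raddb/server to match your configuration. Each entry gives the RADIUS server's IP address, the shared secret and the timeout. Because this file holds the shared secret, it should be readable only by root.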
# Radius Server IP address    Secret        Timeout
192.168.2.43                  yoursecret    3
Configure PAM Applications for Radius Server
After completing the above configuration, edit each PAM application's file so that it authenticates against the RADIUS server.
SSH server configuration
To authenticate SSH server requests against the RADIUS server, edit the file /etc/pam.d/sshd. Add a new line
auth sufficient pam_radius_auth.so
above the following line
auth include system-auth
After this change, authentication requests for the SSH server go to the configured RADIUS server (192.168.2.43 in our example) first. If the RADIUS server does not accept the request, PAM then falls back to system authentication.
Password change configuration
Similarly, to change the password of any SSH user through the RADIUS server, edit the file /etc/pam.d/passwd. Add a new line
password sufficient pam_radius_auth.so
above the following line
password include system-auth
After this, password change requests will go to the RADIUS server.
FTP Server Configuration
Make the same changes to the vsftpd file in the /etc/pam.d/ directory. All authentication requests for the FTP server will then go to the RADIUS server.
Make the same changes for any other applications that need them.
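The following is an added example, not part of the original post or of the pam_radius project: a shell audit of the two files edited above, checking that the pam_radius_auth.so line is "sufficient" and placed above the system-auth include, and that the secrets file is not exposed. The function names are hypothetical, and the requirement that group and others have no access to /etc/raddb/server is an assumed hardening baseline.

```shell
#!/bin/sh
# Added example: audit the two files this walkthrough edits.
# Function names are hypothetical; pass copies of the files to test safely.

# check_pam_order FILE TYPE   (TYPE is "auth" or "password")
# Succeeds only if the first pam_radius_auth.so line of that TYPE uses the
# "sufficient" control flag and sits above "TYPE include system-auth".
check_pam_order() {
    awk -v type="$2" '
        /^[[:space:]]*#/ { next }
        $1 == type && $3 ~ /pam_radius_auth\.so$/ && !radius { radius = NR; ctl = $2 }
        $1 == type && $2 == "include" && $3 == "system-auth" && !sysauth { sysauth = NR }
        END { exit !(radius && sysauth && radius < sysauth && ctl == "sufficient") }
    ' "$1"
}

# check_secret_file FILE
# Succeeds only if group/other have no access (assumed baseline), at least one
# "server secret" entry exists, and no entry still uses the page's placeholder.
check_secret_file() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ] || return 1
    awk '
        /^[[:space:]]*(#|$)/ { next }
        { n++ }
        NF < 2 || $2 == "yoursecret" { bad = 1 }
        END { exit (bad || !n) }
    ' "$1"
}

# Constructed sample files (not taken from a real host).
demo=$(mktemp -d)
printf 'auth sufficient pam_radius_auth.so\nauth include system-auth\n' > "$demo/sshd"
printf '# server secret timeout\n192.168.2.43 constructed-secret 3\n' > "$demo/server"
chmod 644 "$demo/server"   # deliberately too open
if check_pam_order "$demo/sshd" auth; then echo "sshd: ok"; else echo "sshd: FAIL"; fi
if check_secret_file "$demo/server"; then echo "server: ok"; else echo "server: FAIL"; fi
rm -rf "$demo"
```

On a configured host, point the functions at /etc/pam.d/sshd (type auth), /etc/pam.d/passwd (type password) and /etc/raddb/server.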
Thanks for liking.
How to get this PAM stack working for restconf requests?
configure.ac is wrong, does not survive cross-compiling. Some essential flags are missing, some are wrong.
Yes, maybe, as I didn’t perform the cross compilation for this. Let me know the error; maybe I can help. If you fixed that already, kindly spare some time to post it here.
I think you left out the ./configure line before the make
That is required only if you have to generate the Makefile as per the development environment. You can do it if it's required in your development system, if it's available with the source. You can also create your own configure file if you need.
How can I configure the desktop login like KDE or GNOME?
Hello Raul,
Is it possible to configure the password/system-auth as 1st FA, and radius as 2FA?
I think it is worthy if system-auth checks credentials first, and after that, and only if system-auth was successful, radius.
Thank you and regards.