Configure Radius Authentication for SSH login Centos 5.* Linux

Submitted by guvnor on Mon, 01/12/2009 - 11:27

Contents

Introduction
Preparation
1. Install the correct development tools
2. Download the pam Radius source files.
Configure the Centos Server to use radius Authentication
Configure your Steel Belted Radius Server
1. Add a username on the radius box "turbo"
Test a Logon to the Centos SSH service

Introduction

Using the plug-in modular nature of PAM we can get a linux server to use RADIUS to authenticate users connecting via SSH. This guide tells you how to setup a Centos 5.2 server as your Radius "client" and Juniper Steel-Belted as your radius server authentication "server". We are going to use the pam_radius_module from free radius to provide the mechanism of authenticating ssh logins against a radius box. For this example my environment consists of A centos 5.2 radius client called "cyclone" A Steel-Belted Radius server is called "turbo" A username of dave Of course you will change these silly names to the hostnames or ip addresses that suit your own setup.

Preparation

We have to to build a radius client module for our centos linux server so some preperation is required on this box to enable us to do that. It isn't as complex as it sounds.

Install the correct development tools

Since the pam_radius_auth security module is not available in mighty yum repository we have to make this ourselves using the source files. To do this we need the correct C compiler this can be installed via yum using the following command yum install gcc-c++ After a little while the C compiler will be installed an ready for use. The next requirement is the pam development module. This is also installed via yum with this command: yum install pam-devel

Download the pam Radius source files.

You need to download the radius pam module here ftp://ftp.freeradius.org/pub/radius/ Choose the file pam_radius-1.3.17.tar.gz This is done easily via the wget command. So from the centos machine run wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz download this to a temporary folder where you can build the software from I chose a directory called pam under my root users home directory

/root/pam

Once the file is downloaded unzip the file with gunzip using the command gunzip /root/pam/pam_radius-1.3.17.tar.gz <return> untar the file using the command

tar -xvf /root/pam/pam_radius-1.3.17.tar <return><code>
 
this should then upack the contents into a directory structure like this 
 
<code>/root/pam/pam_radius-1.3.17

change to this directory and type

make <return>

the system should then compile with something like the following output:

cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function Ã¢talk_radiusÃ¢:
pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of Ã¢recvfromÃ¢ differ in signedness
pam_radius_auth.c: In function Ã¢pam_sm_authenticateÃ¢:
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
cc -Wall -fPIC   -c -o md5.o md5.c
ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

this should create a file called pam_radius_auth.so copy this to the /lib/security/ folder.

Configure the Centos Server to use radius Authentication

Create a user you wish to login as, on the centos system. I am creating one called "dave" for this example.

<span style="color:red">useradd -d /home/dave/ dave </span>

NOTE: There is no reason to set a password to this unix user as you will be using your radius account to provide the password.

Create the radius client configuration file folder structure.

Create a directory under the /etc folder called raddb. So you have a directory path which looks like /etc/raddb This is done like so

mkdir /etc/raddb <return>
<code>
 
<h3>. Copy the sample client configuration file pam_radius_auth.conf to /etc/raddb/server</h3>
This sample file is found in the unarchived folder you downloaded earlier - in my example so I would run:
<code>
cp /root/pam/pam_radius-1.3.17/pam_radius_auth.conf /etc/raddb/server
<return>

Edit the /etc/raddb/server to match the radius server "turbo".

open the /etc/raddb/server in an editor such as vi Under the section that looks like:

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
other-server    other-secret       3

Add a line that represents your radius server. You will need to enter your servers hostname or IP address and a sharesecret that you will need to assign in this file and on your radius server. So make a note of this password. I am going to add my radius server "turbo" and specify a shared secret of "s3cret". So after editing my file looks like this

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
turbo           s3cret             3

Now edit the /etc/pam.d/sshd file. This file controls the authentication method for sshd service which facilitates SSH logins. We need to tell it to use the /lib/security/pam_radius_auth.so file we created compiled earlier. Before the top line

auth       include      system-auth

add this line

auth       required     pam_radius_auth.so

so the first two lines will look like this

auth sufficient pam_radius_auth.so
auth       include      system-auth

This will tell the SSH service / daemon to use the radius protocol and server for authentication. With this configuration the SSHD will also check local system sccount passwords as a fall back. This means you can log in as root or other unix local accounts should your radius server be off line. NOTE! You are changing the authentication method for logging in to your centos box via SSH. Make sure you can get into it via console (monitor mouse and keyboard) in case this goes wrong and you get locked out of SSH

Configure your Steel Belted Radius Server

Setup Cyclone as a radius client Right "Click Radius Clients" Click ADD In the Add RADIUS client window add the IP address or hostname of the centos cyclone box and add the shared secret we decided on earlier in this example "s3cret"

Add a username on the radius box "turbo"

Right Click "users" Click Add

Add a native user and set a password.

Test a Logon to the Centos SSH service

Fire up your SSH client Connect to the box and login as the user and password you set on radius server earlier. In my case "dave" If it lets you voila - job done. You have used the radius server to provide SSH authentication. If it doesn't then you might start by looking in the /var/log/secure/file for clues. Also the centos forum is pretty good I often find some helpful people on there - if you are really desperate you can leave a comment here! :)

Add new comment

Sudo ?

Submitted by Anonymous on Wed, 05/05/2010 - 20:35.

Any thoughts on how to extend this to sudo? I've been able to get ssh authentication working, but using the same syntax with /etc/pam.d/sudo doesn't seem to work in the same way.

Sudo ?

Submitted by Anonymous on Wed, 09/08/2010 - 14:18.

I have it working on RHEL 5.2. All you have to do is put the same line at the top of the sudo file in the pam.d directory. One comment on the instructions. If you are running x86_64 you need to copy the file to /lib64/security/ not /lib/security Greg

Thanks Greg thats useful info

Submitted by Anonymous on Fri, 09/10/2010 - 08:34.

Cheers

pam_radius package in Fedora

Submitted by Anonymous on Tue, 03/02/2010 - 20:23.

I've been working to get pam_radius into Fedora and eventually EPEL (hopefully someday RHEL). You'll find it in the Fedora mirrors under the updates section presently (the original bugzilla for the review is #555843). If anyone finds bugs with the code or packaging, please do report them. We're hoping to get a standard packaged setup that is bug-free out of this.

cool!!

Submitted by guvnor on Thu, 03/04/2010 - 17:49.

That would be great . Okay readers rememeber where you heard it first :)

I'm about to try and

Submitted by Anonymous on Fri, 01/29/2010 - 14:25.

I'm about to try and authethenticate some Linux servers with our Steel Belt Radius box so I shall try this out! I'm also a bit confused as to why you would have to create a user account on the client device for the authentication to work... you certainly don't on something like NIS. If this is really true, we'd have to try direct AD authentication instead. John

great article

Submitted by Anonymous on Thu, 08/27/2009 - 14:29.

thankyou very useful for me now i can use my IAS radius users for my redhat boxes.

Thanks much!

Submitted by Anonymous on Wed, 08/12/2009 - 19:07.

Great article! This saved me a ton of effort and worked wonderfully!

Thank you

Submitted by guvnor on Wed, 07/29/2009 - 10:17.

Thanks Mohamed, Hello, Kind of you to leave a positive comment. Please feel free to ask any questions, I am not a expert but if I can help you out I will. I will also check out your suggestions - I agree it is strange having a local and and a Radius account.

Thanks

Submitted by Anonymous on Fri, 07/17/2009 - 20:57.

what a great article, it saved me lots of time, thanks. but would like to mention that the auth include system-auth line should be removed for radius authentication to work. also if i have to create a local user on the system so what's the use of radius ? it should be centralised aaa system, i know that is needed for ssh and system services and it is not a need by radius, but just thinking :) . i need some help to implement an AAA solution in my company, if you can help, plz contact me " mohamed hagag 1981 / gmail . com " without spaces ;). Mohamed M. Hagag Thanks & Best Regards

GREAT THANKS!

Submitted by Anonymous on Wed, 12/23/2009 - 10:54.

GREAT THANKS! That is work at RHEL5 also! Alexey Payalov.

Techietips.net