PAM RADIUS installation and configuration guide

Updated April 28, 2020

Use this guide to configure the SecureAuth Identity Platform appliance as a RADIUS server to allow multi-factor authentication (MFA) for SSH clients into a Linux or Unix estate.

Multiple forms of MFA options are supported, including one-time passcode (OTP), time-based one-time passcode (TOTP), and push methods.

The SecureAuth Identity Platform RADIUS server can authenticate requests from any RADIUS client, enabling strong, secure authentication into virtual private networks (VPNs), Linux or Unix servers, or any compliant RADIUS client.

With SecureAuth's RADIUS Server v2.0+, the following authentication methods are available for use:

  • SMS / Text Message OTP

  • Phone (Voice) OTP

  • Email OTP

  • Push Notification OTP

  • Push-to-Accept Login Request

  • PIN

Note

PAM RADIUS is free software, and SecureAuth does not take responsibility for its support.

Prerequisites

  • Install a SecureAuth RADIUS server

  • Have a Linux or Unix server and Linux or RADIUS experience

  • Have a user enrolled for OTP authentication (provisioned in SecureAuth998) stored in an enterprise directory

  • Have a user with an equivalent username (as in enterprise directory) stored on a Linux machine

  • Have secure shell daemon (SSHD) running and connectivity tested from a suitable SSH client

  • Download FreeRADIUS to the target Linux or Unix platform

Tip

Download the current version of FreeRADIUS. Building it produces the PAM RADIUS module and requires the GNU Compiler Collection (GCC).

Installation and configuration steps

The following instructions cover these Linux or Unix platforms: RedHat/CentOS, Ubuntu, and AIX. The RedHat/CentOS steps come first, followed by the Ubuntu steps and then the AIX steps.

RedHat/CentOS

vim and vi are interchangeable for this installation and configuration of PAM RADIUS on the SecureAuth Identity Platform appliance.

  1. $ sudo yum install gcc pam pam-devel make -y

  2. $ sudo wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz

    $ sudo tar xvzf pam_radius-x.x.x.tar.gz

    $ cd pam_radius-x.x.x

    $ sudo ./configure

    $ sudo make

  3. 32-bit: $ cp pam_radius_auth.so /lib/security/

    64-bit: $ cp pam_radius_auth.so /lib64/security/

  4. $ sudo vim /etc/ssh/sshd_config

    Edit to ensure that ChallengeResponseAuthentication yes is enabled and does not include a hash tag ( # ), as follows:

    ChallengeResponseAuthentication yes

    #ChallengeResponseAuthentication no

    Edit to ensure that UsePAM yes is enabled and does not include a hash tag ( # ), as follows:

    #UsePAM no

    UsePAM yes

  5. $ sudo vim /etc/pam.d/sshd

    The edit should look like the following:

    auth        required    pam_sepermit.so

    auth        required    pam_radius_auth.so

    #auth       substack    password-auth

    auth        include     password-auth

    When completed, the following line is added: auth required pam_radius_auth.so

    Because of updated SELinux kernels, a hash tag ( # ) must be added in front of auth substack password-auth if that line is present.

  6. $ sudo mkdir /etc/raddb

  7. $ sudo vim /etc/raddb/server

    Add the RADIUS server hostname or IP address:

    #Server     Secret      Timeout

    IP/FQDN     MySecret    60

    where:

    • The IP Address / FQDN is that of the SecureAuth Identity Platform appliance.

    • MySecret is the shared secret used in the appliance.radius.properties file on the SecureAuth Identity Platform appliance, under the SA RADIUS Configuration Folder.

    • 60 is the number of seconds for communication between the servers.
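The following script is an added example and not part of this guide or of the pam_radius project. It performs read-only checks on the three files edited in steps 4, 5 and 7 above (and on the equivalent files in the Ubuntu steps, where /etc/pam_radius_auth.conf has the same server / secret / timeout layout). Every function takes the file to inspect as an argument, so the checks can be run against copies; the default paths are the ones used in this guide. The make_samples function writes constructed sample files, including a constructed host name, so the script can be run offline. It assumes GNU or BusyBox awk, grep and ls.

```shell
#!/bin/sh
# Added example (not part of the SecureAuth guide): read-only checks for the
# sshd_config, /etc/pam.d/sshd and /etc/raddb/server edits described above.

# sshd applies the FIRST uncommented occurrence of a keyword, so that is what
# the check reads; a "UsePAM yes" placed after an earlier "UsePAM no" is inert.
sshd_value() {                     # $1 = sshd_config path, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        !done && tolower($1) == tolower(key) { val = $2; done = 1 }
        END { print val }' "$1"
}

check_sshd() {                     # 0 when both keywords are set as step 4 requires
    local f="${1:-/etc/ssh/sshd_config}"
    [ "$(sshd_value "$f" ChallengeResponseAuthentication)" = yes ] || return 1
    [ "$(sshd_value "$f" UsePAM)" = yes ] || return 1
}

check_pam_sshd() {                 # 0 when an uncommented auth line loads pam_radius_auth.so
    local f="${1:-/etc/pam.d/sshd}"
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite|sufficient|\[[^]]*\])[[:space:]]+([^[:space:]]*/)?pam_radius_auth\.so' "$f"
}

# /etc/raddb/server holds "server secret [timeout]" per line (the guide always
# writes all three fields) with the shared secret in clear text, so besides the
# layout the file must be readable by root only; the AIX steps in this guide do
# that with chmod go-rwx, the RedHat and Ubuntu steps do not mention it.
check_raddb() {
    local f="${1:-/etc/raddb/server}"
    awk '
        /^[[:space:]]*(#|$)/ { next }
        NF < 2 || NF > 3 || (NF == 3 && $3 !~ /^[0-9]+$/) { bad = 1 }
        END { exit bad + 0 }' "$f" || return 1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || return 1   # no group/other bits
}

make_samples() {                   # $1 = directory; writes constructed sample files
    mkdir -p "$1"
    printf '%s\n' '#UsePAM no' 'UsePAM yes' \
        'ChallengeResponseAuthentication yes' \
        '#ChallengeResponseAuthentication no' > "$1/sshd_config"
    printf '%s\n' 'auth       required     pam_sepermit.so' \
        'auth       required     pam_radius_auth.so' \
        '#auth      substack     password-auth' \
        'auth       include      password-auth' > "$1/pam_sshd"
    # constructed host name; MySecret and 60 are the guide's placeholders
    printf '%s\n' '#Server                  Secret      Timeout' \
        'radius.example.internal  MySecret    60' > "$1/server"
    chmod 600 "$1/server"
}

audit() {                          # $1 = directory holding the three files; 0 when all pass
    local d="$1" rc=0
    if check_sshd "$d/sshd_config"; then echo "ok    sshd_config"; else echo "FAIL  sshd_config"; rc=1; fi
    if check_pam_sshd "$d/pam_sshd"; then echo "ok    pam_sshd"; else echo "FAIL  pam_sshd"; rc=1; fi
    if check_raddb "$d/server"; then echo "ok    server"; else echo "FAIL  server"; rc=1; fi
    return $rc
}
```

To check a live server, call the functions without arguments as root (for example `check_raddb && echo ok`); to try the script without touching /etc, run `make_samples /tmp/radius-check && audit /tmp/radius-check`.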

Option: Configure sudo to use PAM RADIUS

Edit this file so that the sudo command uses the same two-factor authentication prompt the end user sees at SSH login:

$ sudo vim /etc/pam.d/sudo

Replace the first code line with the second code line:

auth    include     system-auth

auth    required    pam_radius_auth.so

Option A for step 5

Use this option for scripts running machine-to-machine that cannot process two-factor authentication.

$ sudo vim /etc/pam.d/sshd

The edit should look like the following:

auth    required    pam_sepermit.so

auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf

auth    sufficient  pam_radius_auth.so

auth    include     password-auth

When completed, the following lines are added: auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf and auth sufficient pam_radius_auth.so

Option B for step 5

If using the PAM module on CentOS running on Windows Server 2012 R2, make the following edits to enable access to SecureAuth IdP and local users:

auth    required    pam_sepermit.so

auth [success=1 default=ignore] pam_succeed_if.so user ingroup LOCALGROUP

auth    sufficient  pam_radius_auth.so

auth    sufficient  pam_unix.so

When completed, the following lines are added: auth [success=1 default=ignore] pam_succeed_if.so user ingroup LOCALGROUP, auth sufficient pam_radius_auth.so, and auth sufficient pam_unix.so.

$ sudo vim /etc/security/access-local.conf

Add the following code:

# List of IPs or ranges to bypass 2FA

+ : ALL : IP or IP range to bypass 2FA

+ : ALL : LOCAL

- : ALL : ALL
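The behaviour of Option A and Option B depends on how PAM walks the auth stack: [success=1 default=ignore] jumps over the next line when the module succeeds, sufficient ends the stack on success unless an earlier required module has already failed, and a failing sufficient module is simply ignored. The script below is an added example, not part of this guide or of any PAM distribution: a small interpreter for the auth lines of an /etc/pam.d-style file that implements those control values. It runs no real modules; the second argument lists the modules that are assumed to succeed, so the effect of the pam_access jump and of a RADIUS denial can be traced without a RADIUS server. Two simplifications are assumptions of the example, not PAM's full semantics: include and substack are treated as a single required module named after the included file, and module arguments such as accessfile= are ignored.

```shell
#!/bin/sh
# Added example (not part of the SecureAuth guide): trace an /etc/pam.d auth
# stack for the control values used in Option A and Option B above.

# $1 = stack file, $2 = space-separated names of the modules that succeed
# prints "allow" or "deny" and returns 0 or 1 accordingly
walk_auth_stack() {
    _stack=$1 _ok=" $2 " _skip=0 _failed=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|'#'*) continue ;; esac
        set -- $_line                       # word-split: type control... module [args]
        [ "$1" = auth ] || continue         # only the auth stack is modelled
        shift
        _control=$1; shift
        # re-join a bracketed control such as "[success=1 default=ignore]" that
        # word-splitting broke apart
        while [ "${_control#"["}" != "$_control" ] && [ "${_control%"]"}" = "$_control" ]; do
            _control="$_control $1"; shift
        done
        _module=$1
        if [ "$_skip" -gt 0 ]; then         # module jumped over by an earlier success=N
            _skip=$((_skip - 1)); continue
        fi
        case $_ok in *" $_module "*) _result=ok ;; *) _result=fail ;; esac
        case $_control in
            required|include|substack)      # failure is remembered, evaluation continues
                if [ "$_result" = fail ]; then _failed=1; fi ;;
            requisite)                      # failure ends the stack at once
                if [ "$_result" = fail ]; then echo deny; return 1; fi ;;
            sufficient)                     # success ends the stack unless a required module failed
                if [ "$_result" = ok ] && [ "$_failed" -eq 0 ]; then echo allow; return 0; fi ;;
            '[success='*' default=ignore]') # success skips the next N lines, failure is ignored
                if [ "$_result" = ok ]; then
                    _skip=${_control#"[success="}; _skip=${_skip%% *}
                fi ;;
            *) echo "unknown control: $_control" >&2; echo deny; return 1 ;;
        esac
    done < "$_stack"
    if [ "$_failed" -eq 0 ]; then echo allow; return 0; fi
    echo deny; return 1
}

# Constructed copy of the Option A stack shown above, written to $1
write_option_a_stack() {
    cat > "$1" <<'EOF'
auth    required    pam_sepermit.so
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth    sufficient  pam_radius_auth.so
auth    include     password-auth
EOF
}
```

Running `write_option_a_stack /tmp/stack && walk_auth_stack /tmp/stack 'pam_sepermit.so pam_access.so password-auth'` models a client on the bypass list: pam_access succeeds, pam_radius_auth is jumped over, and the local password decides. With pam_access failing and pam_radius_auth succeeding the walk ends at the sufficient line, which is the normal OTP login. The walk also shows the property to keep in mind with this option: because pam_radius_auth is sufficient rather than required, a RADIUS denial or an unreachable RADIUS server is ignored and the stack falls through to password-auth, so a client that is not on the bypass list can still log in with the local password alone.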

Ubuntu

vim and vi are interchangeable for this installation and configuration of PAM RADIUS on the SecureAuth Identity Platform appliance. These steps also assume that SSH is installed and configured on the Linux server before this installation and configuration.

  1. $ sudo apt-get install libpam-radius-auth libpam0g-dev gcc

  2. $ sudo vi /etc/ssh/sshd_config

    Edit to ensure that ChallengeResponseAuthentication yes is enabled and does not include a hash tag ( # ), as follows:

    ChallengeResponseAuthentication yes

    #ChallengeResponseAuthentication no

    Edit to ensure that UsePAM yes is enabled and does not include a hash tag ( # ), as follows:

    #UsePAM no

    UsePAM yes

  3. $ sudo vi /etc/pam.d/sshd

    At the beginning of the file, add the following line:

    auth      sufficient       pam_radius_auth.so

  4. $ sudo vi /etc/pam_radius_auth.conf

    Add the RADIUS server hostname or IP address:

    #server[:port]    shared_secret    timeout (s)

    IP/FQDN           MySecret         60

    where:

    • The IP Address / FQDN is that of the SecureAuth Identity Platform appliance.

    • MySecret is the shared secret used in the appliance.radius.properties file on the SecureAuth Identity Platform appliance, under the SA RADIUS Configuration Folder.

    • 60 is the number of seconds for communication between the servers.

  5. $ sudo mkdir /etc/raddb

    $ sudo cp /etc/pam_radius_auth.conf /etc/raddb/server

  6. Restart the SSHD service.

    $ sudo service ssh restart

AIX

The following steps give general setup guidance; refer to your PAM RADIUS documentation for specific setup instructions.

  1. Download and install the server configuration dependencies.

    1. Download the following 22 dependencies for pam_radius into the /tmp directory.

      gcc

      gcc-c++

      gcc-cpp

      gettext

      gmp

      gmp-devel

      info

      libcommon

      libcommon-devel

      libgcc

      libmpc

      libsigsegv

      libsigsegv-devel

      libstdc++

      libstdc++-devel

      lzlib

      lzlib-devel

      m4

      mpfr

      mpfr-devel

      zlib

      zlib-devel

    2. Change directory with the cd /tmp command.

    3. Log in as user root.

    4. Use the rpm command to install the packages.

      The following is an example:

      $ cd /tmp

      $ rpm -Uvh gcc-4.8.3-1.aix7.1.ppc.rpm gcc-c++-4.8.3-1.aix7.1.ppc.rpm gettext-0.10.40-8.aix5.2.ppc.rpm gmp-6.0.0a-1.aix5.1.ppc.rpm gmp-devel-6.0.0a-1.aix5.1.ppc.rpm info-5.1-2.aix5.1.ppc.rpm libcommon-0.97.3-1.aix5.1.ppc.rpm libcommon-devel-0.97.3-1.aix5.1.ppc.rpm libgcc-4.8.3-1.aix7.1.ppc.rpm libmpc-1.0.3-1.aix5.1.ppc.rpm libstdc++-4.8.3-1.aix7.1.ppc.rpm libstdc++-devel-4.8.3-1.aix7.1.ppc.rpm m4-1.4.17-1.aix5.1.ppc.rpm gcc-cpp-4.8.3-1.aix7.1.ppc.rpm libsigsegv-2.10-1.aix5.2.ppc.rpm libsigsegv-devel-2.10-1.aix5.2.ppc.rpm lzlib-1.6-1.aix5.1.ppc.rpm lzlib-devel-1.6-1.aix5.1.ppc.rpm mpfr-3.1.3-1.aix5.1.ppc.rpm mpfr-devel-3.1.3-1.aix5.1.ppc.rpm zlib-1.2.4-2.aix5.1.ppc.rpm zlib-devel-1.2.4-2.aix5.1.ppc.rpm

  2. Download AIX pam_radius-1.4.0.

    1. In a web browser, access the following link to download pam_radius-1.4.0:

      http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/

    2. Select pam_radius-1.4.0.tar.gz from the list of files. The file size is 175K.

    3. Use WinSCP to download and transfer the software from your Windows machine to the AIX machine. If you use any other suitable software, first transfer the software to the /tmp or /root path.

    4. Log in as user root.

  3. Compile pam_radius-1.4.0.

    1. Extract the tar file from the folder where you have downloaded pam_radius-1.4.0.tar.gz.

      $ gunzip pam_radius-1.4.0.tar.gz

      $ tar xvf pam_radius-1.4.0.tar

    2. Modify the pam_radius-1.4.0/src/pam_radius_auth.h file by running the following commands.

      $ cd pam_radius-1.4.0

      $ vi src/pam_radius_auth.h

    3. On line 80, add #define __sun just before #ifndef CONST, as shown in the following example, and then save the changes.

      /*************************************************************************

      * Platform specific defines *

      *************************************************************************/

      #define __sun

      #ifndef CONST

      # if defined(__sun) || defined(__linux__) || defined(__FreeBSD__) || defined(__APPLE__)

      /*

    4. Configure and compile the changes.

      $ ./configure

      $ make

    5. Run the following command to generate position-independent code.

      $ gcc -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o

    6. Run the following command to instruct the linker to create a shared object.

      $ gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so

  4. Copy the pam_radius_auth.so file to /usr/lib/security/.

    $ cp pam_radius_auth.so /usr/lib/security/

  5. Configure the RADIUS server in pam_radius.

    $ mkdir /etc/raddb

    $ cp pam_radius_auth.conf /etc/raddb/server

    $ chown root /etc/raddb

    $ chmod go-rwx /etc/raddb

    $ chmod go-rwx /etc/raddb/server

  6. Add the RADIUS server hostname or IP address.

    #Server     Secret      Timeout

    IP/FQDN     MySecret    60

    where:

    • The IP Address / FQDN is that of the SecureAuth Identity Platform appliance.

    • MySecret is the shared secret used in the appliance.radius.properties file on the SecureAuth Identity Platform appliance, under the SA RADIUS Configuration Folder.

    • 60 is the number of seconds for communication between the servers.

  7. Enable SSH for pam_radius authentication using PAM. Add the following lines at the end of /etc/pam.conf to enable SSH to use pam_radius.

    #SSHD

    sshd auth required /usr/lib/security/pam_radius_auth.so

    sshd account required /usr/lib/security/pam_aix

    sshd password required /usr/lib/security/pam_aix

    sshd session required /usr/lib/security/pam_aix

    When completed, the following line is added: sshd auth required /usr/lib/security/pam_radius_auth.so

    Because of updated SELinux kernels, you must add a hash tag ( # ) in front of auth substack password-auth if that line is present.

  8. Modify the /etc/security/login.cfg file.

    Change auth_type = STD_AUTH to auth_type = PAM_AUTH

  9. Update the following parameter in /etc/ssh/sshd_config.

    1. Edit to ensure that PasswordAuthentication no is enabled and does not include a hash tag ( # ).

      #PasswordAuthentication yes

      PasswordAuthentication no

    2. Edit to ensure that PermitEmptyPasswords no is enabled and does not include a hash tag ( # ).

      #PermitEmptyPasswords yes

      PermitEmptyPasswords no

    3. Edit to ensure that UsePrivilegeSeparation no is enabled and does not include a hash tag ( # ).

      #UsePrivilegeSeparation yes

      UsePrivilegeSeparation no

    4. Edit to ensure that ChallengeResponseAuthentication yes is enabled and does not include a hash tag ( # ).

      ChallengeResponseAuthentication yes

      #ChallengeResponseAuthentication no

    5. Edit to ensure that UsePAM yes is enabled and does not include a hash tag ( # ).

      #UsePAM no

      UsePAM yes

  10. Restart the SSHD service.

    $ stopsrc -s sshd ; startsrc -s sshd