
PAM RADIUS installation and configuration guide

Updated June 30, 2023

Use this guide to configure the SecureAuth Identity Platform appliance as a RADIUS server to allow multi-factor authentication (MFA) for SSH clients into a Linux or Unix estate.

Multiple MFA options are supported, including one-time passcode (OTP), time-based one-time passcode (TOTP), and push methods.

The SecureAuth Identity Platform RADIUS server can authenticate requests from any RADIUS client, enabling strong, secure authentication into virtual private networks (VPNs), Linux or Unix servers, or any compliant RADIUS client.

With SecureAuth's RADIUS Server v2.0+, the following authentication methods are available for use:

  • SMS / Text Message OTP

  • Phone (Voice) OTP

  • Email OTP

  • Push Notification OTP

  • Push-to-Accept Login Request

  • PIN

Note

PAM RADIUS is free software, and SecureAuth does not take responsibility for its support.

Prerequisites

  • Install a SecureAuth RADIUS server

  • Have a Linux or Unix server and Linux or RADIUS experience

  • Have a user enrolled for OTP authentication (provisioned in SecureAuth) stored in an enterprise directory

  • Have a user with an equivalent username (as in enterprise directory) stored on a Linux machine

  • Have secure shell daemon (SSHD) running and connectivity tested from a suitable SSH client

  • Download FreeRADIUS to the target Linux or Unix platform

Tip

Download the current version of FreeRADIUS. Building it creates the PAM RADIUS module and requires the GNU Compiler Collection (GCC).

Installation and configuration steps

The following instructions cover these Linux or Unix platforms: RedHat/CentOS, Ubuntu, and AIX.

RedHat/CentOS

vim and vi are interchangeable for this installation and configuration of PAM RADIUS on the SecureAuth Identity Platform appliance.

  1. Run the following command:

    $ sudo yum install gcc pam pam-devel make -y
  2. At the prompt, enter the following lines:

    $ sudo wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz
    $ sudo tar xvzf pam_radius-x.x.x.tar.gz
    $ cd pam_radius-x.x.x
    $ sudo ./configure
    $ sudo make 

    Tip

    The preceding set of lines does the following things:

    • wget – Downloads the pam_radius archive. In this case, it's compressed as a .tar.gz.

    • tar – Decompresses and extracts the archive.

    • The three lines that follow change into the extracted folder, run the configure script there, and then run make, which compiles and builds the module.

    The cp commands that follow in Step 3 are for copying files.

  3. Depending on whether the system is 32-bit or 64-bit, enter one of the following lines:

    For 32-bit, enter this line:

    $ sudo cp pam_radius_auth.so /lib/security/


    For 64-bit, enter this line:

    $ sudo cp pam_radius_auth.so /lib64/security/
    
  4. Enter this prompt:

    $ sudo vim /etc/ssh/sshd_config

    Tip

    vim is an excellent text editor, but its controls are fairly complicated for a person unfamiliar with it. We suggest substituting nano for the vi/vim commands; nano is usually available as well and is more friendly to beginners.

  5. Edit the lines for ChallengeResponseAuthentication like the following:

    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no 
    

    Tip

    These lines enable or disable challenge-response on your requests. For the end user, this is the confirmation box where they select whether to authenticate with SMS, EMAIL, or HOTP.

    When the setting is no, or the line starts with #, challenge-response is disabled.

  6. Edit the lines for UsePAM like the following:

    UsePAM yes
    #UsePAM no
  7. Enter this vim prompt:

    $ sudo vim /etc/pam.d/sshd
  8. The file should define the required authentication modules, like one of these:

    auth required pam_sepermit.so
    auth sufficient pam_radius_auth.so
    #auth substack password-auth
    auth include password-auth

    Because of updated SELinux kernels, the line must be prefixed with a hash (#) if auth substack password-auth appears.

    When completed, a line like the following is added:

    auth required pam_radius_auth.so

    Tip

    The preceding lines specify the required setting since an update to Linux.

  9. To define the RADIUS server for this appliance, enter these two commands:

    $ sudo mkdir /etc/raddb
    $ sudo vim /etc/raddb/server

    In the server file, provide the RADIUS server hostname or IP address in the following format:

    #server[:port]    shared_secret    timeout(s)
    IP/FQDN           MySecret         60

    where:

    IP/FQDN

    The IP address or hostname for this SecureAuth Identity Platform appliance.

    MySecret

    The shared secret used in the appliance.radius.properties file on the SecureAuth Identity Platform appliance, under the SA RADIUS Configuration folder.

    60

    The timeout, in seconds, for communication between the servers.
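Added example, not SecureAuth's or the pam_radius project's code: a Python checker for a server file in the format above. It parses server[:port], shared secret and timeout, applies the root ownership and go-rwx mode that the AIX steps later on this page set with chown and chmod, and flags the MySecret placeholder. The 16-character minimum for the secret is this example's own threshold, not a pam_radius rule.

```python
"""Validate a pam_radius server file (/etc/raddb/server) against this guide.

Added example, not SecureAuth's or pam_radius's code. Expected line format:
    server[:port]    shared_secret    timeout(s)
The ownership and mode checks mirror the guide's chown root / chmod go-rwx
steps; the 16-character minimum for the secret is this example's assumption."""
import os
import stat

# "MySecret" is the guide's placeholder; "testing123" is the FreeRADIUS sample secret.
PLACEHOLDER_SECRETS = {"MySecret", "testing123"}

def parse_server_line(line):
    """Return (host, port, secret, timeout), or None for blank and comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected 'server[:port] shared_secret timeout': %r" % line)
    host, _, port = fields[0].partition(":")
    return host, int(port) if port else 1812, fields[1], int(fields[2])  # 1812: RADIUS auth port

def check_server_config(text, mode, uid):
    """Return findings for the file text plus its permission bits and owner uid."""
    findings = []
    if uid != 0:
        findings.append("file is not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group or others (expected chmod go-rwx)")
    entries = [e for e in map(parse_server_line, text.splitlines()) if e]
    if not entries:
        findings.append("no RADIUS server entries")
    for host, port, secret, timeout in entries:
        if secret in PLACEHOLDER_SECRETS:
            findings.append("%s: placeholder shared secret %r" % (host, secret))
        elif len(secret) < 16:
            findings.append("%s: shared secret shorter than 16 characters" % host)
        if not 1 <= port <= 65535:
            findings.append("%s: invalid port %d" % (host, port))
        if timeout <= 0:
            findings.append("%s: timeout must be a positive number of seconds" % host)
    return findings

def check_server_file(path):
    """Run the checks against a real file, for example /etc/raddb/server."""
    st = os.stat(path)
    with open(path) as fh:
        return check_server_config(fh.read(), stat.S_IMODE(st.st_mode), st.st_uid)
```

Run check_server_file("/etc/raddb/server") as root after Step 9; an empty list means the file matches what this guide expects.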

Option: Configure sudo to use PAM RADIUS

  1. Edit this file so that the sudo command invokes the same two-factor prompt the end user sees at SSH login:

    $ sudo vim /etc/pam.d/sudo
  2. Replace the first line auth include system-auth with the following line:

    auth required pam_radius_auth.so

Option A for Step 7

  1. Use this option for machine-to-machine scripts that cannot complete two-factor authentication. Open the PAM file for SSH:

    $ sudo vim /etc/pam.d/sshd
  2. The edit should look like the following:

    auth required pam_sepermit.so
    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
    auth sufficient pam_radius_auth.so
    auth include  password-auth
  3. When completed, the following lines are added:

    auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
    auth sufficient pam_radius_auth.so
    

Option B for Step 7

  1. If you are using the PAM module on CentOS running on Windows Server 2012 R2, make the following edits to enable access to SecureAuth IdP and local users:

    auth required pam_sepermit.so
    auth [success=1 default=ignore] pam_succeed_if.so user ingroup LOCALGROUP
    auth sufficient pam_radius_auth.so
    auth sufficient pam_unix.so
  2. When completed, the following lines are added:

    auth [success=1 default=ignore] pam_succeed_if.so user ingroup LOCALGROUP
    auth sufficient pam_radius_auth.so
    auth sufficient pam_unix.so
    
  3. Then, enter the following line:

    $ sudo vim /etc/security/access-local.conf
  4. And add the following lines:

    # List of IP's or ranges to bypass 2FA
    + : ALL : IP or IP range to bypass 2FA
    + : ALL : LOCAL
    - : ALL : ALL
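Added example, not SecureAuth's or the pam_radius project's code: a Python model of how Linux-PAM evaluates the Option A and Option B auth stacks above (the Step 8 stack is Option A without the pam_access line), following the control semantics in pam.conf(5). It assumes that include password-auth behaves like a sufficient pam_unix.so followed by a required pam_deny.so, as on RedHat/CentOS, and that pam_sepermit.so returns PAM_IGNORE for users not listed in its config.

```python
# Model of how Linux-PAM evaluates the auth stacks in this guide. Added example,
# not SecureAuth's or pam_radius's code; control semantics follow pam.conf(5).
# Assumption: 'include password-auth' behaves like a sufficient pam_unix.so
# followed by a required pam_deny.so, as on RedHat/CentOS. The Step 8 stack is
# Option A without the pam_access line.

OPTION_A = [  # hosts listed in access-local.conf skip the RADIUS line
    ("required", "pam_sepermit.so"),
    ("[success=1 default=ignore]", "pam_access.so"),
    ("sufficient", "pam_radius_auth.so"),
    ("sufficient", "pam_unix.so"),  # stand-in for 'include password-auth'
    ("required", "pam_deny.so"),
]

OPTION_B = [  # members of LOCALGROUP skip the RADIUS line and use pam_unix
    ("required", "pam_sepermit.so"),
    ("[success=1 default=ignore]", "pam_succeed_if.so"),
    ("sufficient", "pam_radius_auth.so"),
    ("sufficient", "pam_unix.so"),
]

def run_stack(stack, outcomes):
    """Return True if the stack grants access. outcomes maps module name ->
    True (PAM_SUCCESS), False (failure) or None (PAM_IGNORE, e.g. pam_sepermit
    for a user not in its config); a module missing from the dict fails."""
    failed = False     # a 'required' module has failed
    succeeded = False  # a 'required' module has passed
    skip = 0
    for control, module in stack:
        if skip:       # jumped over by an earlier [success=N] action
            skip -= 1
            continue
        ok = outcomes.get(module, False)
        if ok is None:  # PAM_IGNORE: as if the line were not there
            continue
        if control == "required":
            if ok:
                succeeded = True
            else:
                failed = True  # keep evaluating, but the answer is deny
        elif control == "sufficient":
            if ok and not failed:
                return True    # short-circuit: access granted here
        elif control.startswith("[success="):
            if ok:
                skip = int(control.split("=")[1].split()[0])
            # a failure here falls under default=ignore
    return succeeded and not failed
```

Because pam_unix.so is sufficient in both stacks, a user whose RADIUS step fails but whose local password is valid is still admitted; the skip line only decides whether RADIUS is consulted at all, so confirm that fall-through is what you intend.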

Ubuntu

vim and vi are interchangeable for this installation and configuration of PAM RADIUS on the SecureAuth Identity Platform appliance. This section also assumes that SSH is installed and configured on the Linux server before this installation and configuration.

  1. Enter these two command line prompts:

    $ sudo apt-get install libpam-radius-auth libpam0g-dev gcc
    $ sudo vi /etc/ssh/sshd_config

    Tip

    apt-get is the Debian package manager. It does the same thing as the yum command on RedHat: downloading and installing packages.

    In this case, libpam-radius-auth and libpam0g-dev are the libraries required for SA-Radius, and gcc is the compiler toolchain, which is normally already installed on some Linux distros.

  2. Edit the lines for ChallengeResponseAuthentication like the following:

    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no 
    

    Tip

    These lines enable or disable challenge-response on your requests. For the end user, this is the confirmation box where they select whether to authenticate with SMS, EMAIL, or HOTP.

    When the setting is no, or the line starts with #, challenge-response is disabled.

  3. Edit the lines for UsePAM like the following:

    UsePAM yes
    #UsePAM no
  4. Enter this command line:

    $ sudo vi /etc/pam.d/sshd
  5. At the beginning of the file, add the following line:

    auth  sufficient   pam_radius_auth.so
  6. Enter this command line:

    $ sudo vi /etc/pam_radius_auth.conf
  7. Add the RADIUS server hostname or IP address using this format:

    #server[:port]    shared_secret    timeout(s)
    IP/FQDN           MySecret         60

    where:

    IP/FQDN

    The IP address or hostname for this SecureAuth Identity Platform appliance.

    MySecret

    The shared secret used in the appliance.radius.properties file on the SecureAuth Identity Platform appliance, under the SA RADIUS Configuration folder.

    60

    The timeout, in seconds, for communication between the servers.

  8. Enter these command lines:

    $ sudo mkdir /etc/raddb
    $ sudo cp /etc/pam_radius_auth.conf /etc/raddb/server

    Tip

    mkdir creates a folder and cp copies files. These two commands copy the default configuration file to the newly created folder.

  9. Restart the SSHD service using this command:

    $ sudo service ssh restart

AIX

The following steps give general setup guidance; refer to your PAM RADIUS documentation for specific setup instructions.

  1. Download and install the server configuration dependencies.

    1. Download the following 22 dependencies for pam_radius into the /tmp directory.

      • gcc
      • gcc-c++
      • gcc-cpp
      • gettext
      • gmp
      • gmp-devel
      • info
      • libcommon
      • libcommon-devel
      • libgcc
      • libmpc
      • libsigsegv
      • libsigsegv-devel
      • libstdc++
      • libstdc++-devel
      • lzlib
      • lzlib-devel
      • m4
      • mpfr
      • mpfr-devel
      • zlib
      • zlib-devel

    2. Change directory with this command:

      $ cd /tmp
    3. Log in as user root.

    4. Use the rpm command to install the packages.

      The following is an example:

      $ cd /tmp
      $ rpm -Uvh gcc-4.8.3-1.aix7.1.ppc.rpm gcc-c++-4.8.3-1.aix7.1.ppc.rpm \
          gettext-0.10.40-8.aix5.2.ppc.rpm gmp-6.0.0a-1.aix5.1.ppc.rpm \
          gmp-devel-6.0.0a-1.aix5.1.ppc.rpm info-5.1-2.aix5.1.ppc.rpm \
          libcommon-0.97.3-1.aix5.1.ppc.rpm libcommon-devel-0.97.3-1.aix5.1.ppc.rpm \
          libgcc-4.8.3-1.aix7.1.ppc.rpm libmpc-1.0.3-1.aix5.1.ppc.rpm \
          libstdc++-4.8.3-1.aix7.1.ppc.rpm libstdc++-devel-4.8.3-1.aix7.1.ppc.rpm \
          m4-1.4.17-1.aix5.1.ppc.rpm gcc-cpp-4.8.3-1.aix7.1.ppc.rpm \
          libsigsegv-2.10-1.aix5.2.ppc.rpm libsigsegv-devel-2.10-1.aix5.2.ppc.rpm \
          lzlib-1.6-1.aix5.1.ppc.rpm lzlib-devel-1.6-1.aix5.1.ppc.rpm \
          mpfr-3.1.3-1.aix5.1.ppc.rpm mpfr-devel-3.1.3-1.aix5.1.ppc.rpm \
          zlib-1.2.4-2.aix5.1.ppc.rpm zlib-devel-1.2.4-2.aix5.1.ppc.rpm
  2. Download AIX pam_radius-1.4.0.

    1. To download pam_radius-1.4.0, go to this link: http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/

    2. From the list of files, select pam_radius-1.4.0.tar.gz.

    3. Use winscp to download and transfer the software from your windows machine to the AIX machine. If you use any other suitable software, first transfer the software to the /tmp or /root path.

    4. Log in as user root.

  3. Compile pam_radius-1.4.0 using these steps.

    1. Extract the tar file from the folder where you have downloaded pam_radius-1.4.0.tar.gz.

      $ gunzip pam_radius-1.4.0.tar.gz
      $ tar xvf pam_radius-1.4.0.tar
    2. Modify the pam_radius-1.4.0/src/pam_radius_auth.h file by running the following commands.

      $ cd pam_radius-1.4.0
      $ vi src/pam_radius_auth.h
    3. On line 80, add #define __sun just before #ifndef CONST, as shown in the following example, and then save the changes.

      /*************************************************************************
      * Platform specific defines *
      *************************************************************************/
      #define __sun
      #ifndef CONST
      # if defined(__sun) || defined(__linux__) || defined(__FreeBSD__) || defined(__APPLE__)
      /*
    4. Configure and compile the changes.

      $ ./configure
      $ make
    5. Run the following command to generate position-independent code.

      $ gcc -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o
    6. Run the following command to instruct the linker to create a shared object.

      $ gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so
  4. Copy the pam_radius_auth.so file to /usr/lib/security/.

    $ cp pam_radius_auth.so /usr/lib/security/
  5. Configure the RADIUS server in pam_radius using these lines.

    $ mkdir /etc/raddb
    $ cp pam_radius_auth.conf /etc/raddb/server
    $ chown root /etc/raddb
    $ chmod go-rwx /etc/raddb
    $ chmod go-rwx /etc/raddb/server
  6. Add the RADIUS server hostname or IP address using this format:

    #server[:port]    shared_secret    timeout(s)
    IP/FQDN           MySecret         60

    where:

    IP/FQDN

    The IP address or hostname for this SecureAuth Identity Platform appliance.

    MySecret

    The shared secret used in the appliance.radius.properties file on the SecureAuth Identity Platform appliance, under the SA RADIUS Configuration folder.

    60

    The timeout, in seconds, for communication between the servers.

  7. Enable SSH for pam_radius authentication using PAM.

    Add the following lines at the end of /etc/pam.conf to enable SSH to use pam_radius.

    #SSHD
    sshd auth required /usr/lib/security/pam_radius_auth.so
    sshd account required /usr/lib/security/pam_aix
    sshd password required /usr/lib/security/pam_aix
    sshd session required /usr/lib/security/pam_aix

    When completed, the following line is added:

    auth required pam_radius_auth.so

    Because of updated SELinux kernels, you must prefix auth substack password-auth with a hash (#) if it is present, like this:

    # auth substack password-auth
  8. Modify the /etc/security/login.cfg file. Change auth_type = STD_AUTH to:

    auth_type = PAM_AUTH
  9. Update the following parameters in /etc/ssh/sshd_config.

    1. Make sure that the line PasswordAuthentication no is present and not commented out with a hash (#).

    2. Make sure that the line PermitEmptyPasswords no is present and not commented out with a hash (#).

    3. Make sure that the line UsePrivilegeSeparation no is present and not commented out with a hash (#).

    4. Make sure that the line ChallengeResponseAuthentication yes is present and not commented out with a hash (#).

    5. Make sure that the line UsePAM yes is present and not commented out with a hash (#).

    The resulting code looks like this:

    #PasswordAuthentication yes
    PasswordAuthentication no
    
    #PermitEmptyPasswords yes
    PermitEmptyPasswords no
    
    #UsePrivilegeSeparation yes
    UsePrivilegeSeparation no
    
    ChallengeResponseAuthentication yes
    #ChallengeResponseAuthentication no
    
    UsePAM yes
    #UsePAM no
    
  10. Restart the SSHD service.

    $ stopsrc -s sshd ; startsrc -s sshd