The plug-in modular nature of PAM is used to get a Linux server to use RADIUS to authenticate users connecting via SSH.
This article describes how to set up a CentOS server as a RADIUS client and Digital Access as the RADIUS server. The pam_radius_auth module provides the mechanism for authenticating SSH logins.
This article also describes how to enable Nexus OTP in the Smart ID Digital Access component (Hybrid Access Gateway) as a two-factor authentication method for SSH login on Linux, replacing static passwords.
Nexus TruID is used as an example below and is available for iOS, Android, and Windows.
Network schematic with Nexus TruID Synchronized as an example.
- The administrator configures CentOS Server to use RADIUS authentication.
- The incoming authentication request is relayed over to Digital Access Authentication Server via RADIUS.
- If the user exists, Digital Access checks the token associated with the user for the expected PIN + one-time password.
- Once the PIN + one-time password has been verified against the user's token and found valid, an Access-Accept is sent back to the RADIUS client.
- Prerequisite: a deployed Digital Access, see Deploy Digital Access component.
Configure Linux server
To build the RADIUS client module for the CentOS Linux server, follow these instructions.
The pam_radius_auth security module is not available in the yum repository. To build it you need to install these tools:
- Install the correct C compiler using the following command:
yum install gcc-c++
- Install the pam development module using this command:
yum install pam-devel
- Download the radius PAM module here: ftp://ftp.freeradius.org/pub/radius/
The version that has been used for this document is pam_radius-1.3.17.tar.gz
Download the module to a temporary folder where you can build the software, for example, a directory called pam under the root user's home directory: /root/pam.
Once the file is downloaded, unzip it with this command:
Untar the file with this command:
The contents are unpacked into a directory structure like this: /root/pam/pam_radius-1.3.17
Navigate to this directory and enter this command:
The system compiles with something like the following output:
A file called pam_radius_auth.so is created. Copy this file to the /lib/security/ or /lib64/security/ folder, depending on whether you run a 32-bit or 64-bit CentOS version.
Create the user you wish to log in as on the CentOS system; in this example the user is called testuser:
You do not need to set a password for this Unix user, since the RADIUS account provides the password.
Create a directory under the /etc folder called raddb:
Copy the sample client configuration file pam_radius_auth.conf to /etc/raddb/server:
Open the /etc/raddb/server in an editor, for example, vi.
In this section, add a line that represents your RADIUS server (HAG):
- Enter your server's hostname or IP address and a shared secret. The same shared secret is configured in this file and on your RADIUS server. Make a note of this secret.
- In this example the RADIUS server "nexus Auth IP" is added with a shared secret of "123456". After editing, the file looks like this:
- Edit the /etc/pam.d/sshd file. This file controls the authentication method for the sshd service, which handles SSH logins. We need to tell it to use the /lib/security/pam_radius_auth.so file that was compiled earlier.
Before the top line:
add this line:
So the first two lines will look like this:
"sufficient" should be substituted by "required" after the SSH login has been successfully tested.
This tells the SSH service/daemon to use the RADIUS protocol and server for authentication. With this configuration ("sufficient") sshd will also check local system account passwords as a fallback. This means you can log in as root or other local Unix accounts should your RADIUS server be offline.
You are changing the authentication method for logging in to your CentOS box via SSH. Make sure you can get into it via the console (monitor, mouse and keyboard) in case this goes wrong and you get locked out of SSH.
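As an added example (not part of the original article), a small POSIX shell audit of the two files this section edits: it reports whether the pam_radius_auth.so line in the sshd PAM file still uses "sufficient" (local passwords remain a fallback) or "required", and checks that the file holding the shared secret is root-only (mode 0600) with a secret on every server line. The file paths, the 192.0.2.10 address and the /lib64 module path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Audits the two files the
# procedure above edits. Paths are parameters so it can run against copies.
# /etc/raddb/server (pam_radius_auth.conf) holds one server per line:
#   server[:port]   shared_secret   [timeout_seconds]

# Inspect the sshd PAM stack ($1, normally /etc/pam.d/sshd).
# Exit status: 0 = pam_radius_auth.so is "required" (RADIUS is mandatory)
#              1 = still "sufficient" (local Unix passwords remain a fallback)
#              2 = the module is not referenced on any "auth" line
radius_pam_mode() {
    ctrl=$(awk '$1 == "auth" && $3 ~ /pam_radius_auth\.so$/ { print $2; exit }' "$1")
    case "$ctrl" in
        required)   return 0 ;;
        sufficient) return 1 ;;
        *)          return 2 ;;
    esac
}

# Check the client config ($1, normally /etc/raddb/server). It contains the
# shared secret, so it must be mode 0600, and each non-comment line needs at
# least a server field and a secret field.
# Exit status: 0 = ok, 1 = permissions too open, 2 = a server line lacks a secret
radius_conf_check() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || return 1
    awk '$1 !~ /^#/ && NF == 1 { bad = 1 } END { exit bad + 0 }' "$1" || return 2
}

# Human-readable summary for a stand-alone run; non-zero if anything was found.
audit_sshd_radius() {
    status=0
    rc=0; radius_pam_mode "$1" || rc=$?
    case "$rc" in
        0) echo "OK: pam_radius_auth.so is 'required' in $1" ;;
        1) echo "WARN: pam_radius_auth.so is 'sufficient' in $1 (local passwords still accepted)"; status=1 ;;
        *) echo "FAIL: pam_radius_auth.so not found on an auth line in $1"; status=1 ;;
    esac
    rc=0; radius_conf_check "$2" || rc=$?
    case "$rc" in
        0) echo "OK: $2 is mode 0600 and every server line has a secret" ;;
        1) echo "WARN: $2 is readable by others; run: chmod 600 $2"; status=1 ;;
        *) echo "FAIL: a server line in $2 lacks a shared secret"; status=1 ;;
    esac
    return $status
}

# Live run (needs root to read /etc/raddb/server):
#   audit_sshd_radius /etc/pam.d/sshd /etc/raddb/server
```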
Make settings in Digital Access
- Log in to Digital Access Admin with an administrator account.
In step 3, enter the IP address of the RADIUS client (CentOS server) and the shared secret key. Make sure you use the same shared secret that you supplied when configuring the RADIUS client.
- In Digital Access Admin, go to Manage System.
- Click RADIUS Configuration > Add RADIUS Client...
- Enter General Settings and Attributes. Click the ?-sign for help.
- Click Save.
Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.
- In step 3, select Nexus Synchronized as method.
- When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.
To add a new authentication method:
- In Digital Access Admin, go to Manage System.
- Click Authentication Methods.
- Click Add authentication method..., select the desired method and click Next.
- Enter Display Name, a unique name used in the system to identify the authentication method.
- Select whether the method shall be enabled and whether it shall be visible in the authentication menu.
- Register Authentication Methods Server when applicable.
- Make other configurations as needed for the selected authentication method. For more information, click the ?-sign. Click Next.
- If needed, make settings in RADIUS Replies and Extended Properties.
- Click Next and Finish.
- Click Publish.
- In Digital Access, add the user account. Select TruID as authentication method.
Example: SSH Login to the CentOS System
- Start an SSH (Secure Shell) client and supply the IP address, username and port of the CentOS system, for example:
- When you are prompted for the password, start Nexus TruID on your laptop or smartphone and enter your PIN to generate an OTP.
Use the OTP as the password at the SSH prompt.
You can temporarily disable the firewall on the CentOS system during troubleshooting.
- Make sure that the RADIUS data traffic is not blocked by any firewall.
- Temporarily switch off the firewall of the RADIUS client system (CentOS) with this command:
systemctl stop firewalld
and see if the error persists.