
The modular design of PAM (Pluggable Authentication Modules) makes it possible to have a Linux server authenticate users connecting via SSH against a RADIUS server, without changing sshd itself.

This article describes how to set up a CentOS server as a RADIUS client and Nexus Smart ID Digital Access (formerly Hybrid Access Gateway) as the RADIUS server. The pam_radius_auth module provides the mechanism for authenticating SSH logins.

This article also describes how to enable Nexus OTP in Digital Access as a two-factor authentication method for SSH login on Linux, replacing static passwords.

Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App (Personal Mobile) OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator.

Nexus TruID is used as an example below and is available for iOS, Android, and Windows.


Network schematic for Nexus OTP authentication

Network schematic with Nexus TruID Synchronized as an example.


  1. The administrator configures the CentOS server to use RADIUS authentication.
  2. sshd hands the incoming login (user name and PIN + one-time password) to the PAM module, which relays it as a RADIUS Access-Request to the Digital Access Authentication Server.
  3. If the user exists, Digital Access checks the submitted PIN + one-time password against the token registered for that user.
  4. Once the PIN + one-time password has been verified against the user's token and found valid, Digital Access returns Access-Accept and the SSH login proceeds; otherwise it returns Access-Reject.



Prerequisites

Configure Linux server

To build the pam_radius_auth client module on the CentOS server, follow these instructions.


Install development tools

The pam_radius_auth module is not available in the default CentOS yum repositories, so it is built from source. Install these tools first:

  1. Install the C compiler with the following command: yum install gcc-c++
  2. Install the PAM development package with this command: yum install pam-devel


Download and compile PAM RADIUS source files

  1. Download the RADIUS PAM module here: ftp://ftp.freeradius.org/pub/radius/
     The version used for this document is pam_radius-1.3.17.tar.gz.
  2. Download the module to a temporary folder where you can build the software, for example a directory called pam under the root user's home directory: /root/pam.

  3. Once the file is downloaded, unzip it with this command:

     gunzip /root/pam/pam_radius-1.3.17.tar.gz

  4. Untar the file with this command:

     tar -xvf /root/pam/pam_radius-1.3.17.tar

     The contents are unpacked into a directory structure like this: /root/pam/pam_radius-1.3.17

  5. Navigate to this directory and enter this command: make

     The module compiles with output like the following (the warnings do not stop the build):

     cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
     pam_radius_auth.c: In function 'talk_radius':
     pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of 'recvfrom' differ in signedness
     pam_radius_auth.c: In function 'pam_sm_authenticate':
     pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
     cc -Wall -fPIC -c -o md5.o md5.c
     ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

  6. A file called pam_radius_auth.so is created. Copy it to /lib/security/ or /lib64/security, depending on whether you run a 32-bit or 64-bit CentOS version (the directory that already holds pam_unix.so is the right one). sshd loads this module with root privileges, so make sure the copied file is owned by root and not writable by other users.

     cp pam_radius_auth.so /lib64/security



Configure CentOS server to use RADIUS authentication

  1. Create the user you wish to log in as on the CentOS system; in this example the user is called testuser:

     useradd -d /home/testuser/ testuser

     Note

     You do not need to set a password for this Unix user, since the RADIUS account provides the password.

  2. Create a directory under /etc called raddb:

     mkdir /etc/raddb

  3. Copy the sample client configuration file pam_radius_auth.conf to /etc/raddb/server, which is the path the module reads by default:

     cp /root/pam/pam_radius-1.3.17/pam_radius_auth.conf /etc/raddb/server

  4. Open /etc/raddb/server in an editor, for example vi.

  5. In the server section of the file, add a line that represents your RADIUS server (Digital Access):

     1. Enter your server's hostname or IP address and a shared secret. The same secret must be entered on the RADIUS server in a later step, so make a note of it.
     2. In this example the RADIUS server "nexus Auth IP" is added with a shared secret of "123456". After editing, the file looks like this:

     Note

     The shared secret is all that protects the RADIUS exchange (it keys the obfuscation of the transmitted password and the response authenticator), so outside a lab use a long random value rather than a short numeric one such as "123456". The file contains the secret in clear text; make it readable by root only.

  6. Edit the /etc/pam.d/sshd file. This file controls the authentication stack for the sshd service, which handles SSH logins. It must be told to use the pam_radius_auth.so module that was compiled and copied to the PAM module directory earlier (a bare module name on a PAM line is looked up in that directory, /lib64/security on 64-bit CentOS).
     Before the top line:

     add this line:

     So the first two lines will look like this:

     Substitute required for sufficient after the SSH login has been tested successfully. PAM keeps running the remaining modules of the stack after a required module, so with required a RADIUS failure is fatal, but the modules that follow must still succeed as well.

This tells the SSH daemon to use the RADIUS protocol and server for authentication. With the sufficient flag, sshd also checks local system account passwords as a fallback: if RADIUS rejects the login or the server does not answer, PAM continues to the local password check, so you can log in as root or another local Unix account should the RADIUS server be offline. The same fallback means that, while sufficient is in place, a correct local password alone still opens an SSH session without a second factor, which is why it is meant for the test phase only.

Note

You are changing the authentication method for logging in to your CentOS box via SSH. Make sure you can get into it via the console (monitor and keyboard) in case this goes wrong and you get locked out of SSH. Keep an existing SSH session open while testing, and test the new login from a second session.
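As an added example (not code from the Nexus article or from the pam_radius project), the following bash script stages the two client-side changes described above on copies of the files in a scratch directory: it writes a /etc/raddb/server-style file with a randomly generated shared secret and root-only permissions, and inserts the pam_radius_auth line before the first auth entry of a pam.d/sshd file, switching it from sufficient to required once testing is done. The server line format server[:port] secret [timeout], the PAM line auth <flag> pam_radius_auth.so, and the CentOS 7 layout of /etc/pam.d/sshd starting with #%PAM-1.0 are assumptions; the shortened sshd stack and the server address 192.0.2.10 are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the Nexus article or the pam_radius project.
# Stages the two client-side changes (pam_radius_auth server file and the
# /etc/pam.d/sshd line) on copies of the files in a scratch directory, so it can
# run without touching /etc.  Assumptions (not from the article):
#   - server file lines have the form "server[:port] secret [timeout]"
#   - the PAM line to add is "auth <flag> pam_radius_auth.so"
#   - /etc/pam.d/sshd starts with "#%PAM-1.0" and the new line goes before
#     its first "auth" entry (CentOS 7 layout)
set -eu

# Random 48-character hex shared secret, instead of a short numeric one like "123456".
gen_secret() {
    od -An -N24 -tx1 /dev/urandom | tr -d ' \n'
}

# 0 if the secret is acceptable (at least 16 characters and not purely numeric), else 1.
check_secret() {
    local s=$1
    [ "${#s}" -ge 16 ] || return 1
    case $s in
        *[!0-9]*) return 0 ;;   # contains at least one non-digit
        *)        return 1 ;;   # digits only
    esac
}

# Write the server file in pam_radius_auth's format, readable by root only
# (it holds the shared secret in clear text).
# $1 = destination file, $2 = RADIUS server host or IP, $3 = secret, $4 = timeout in seconds
write_raddb_server() {
    local dest=$1 server=$2 secret=$3 timeout=${4:-3}
    check_secret "$secret" || { echo "refusing weak shared secret" >&2; return 1; }
    ( umask 077; printf '# server[:port] shared_secret timeout\n%s %s %s\n' \
        "$server" "$secret" "$timeout" > "$dest" )
    chmod 600 "$dest"
}

# Insert "auth <flag> pam_radius_auth.so" before the first auth entry of a pam.d
# file, or just change the flag if the line is already there (idempotent, so the
# same call later switches sufficient to required).
# $1 = pam.d file, $2 = control flag (sufficient or required)
insert_pam_radius() {
    local file=$1 flag=${2:-sufficient}
    if grep -q 'pam_radius_auth.so' "$file"; then
        awk -v flag="$flag" '
            $1 == "auth" && $3 == "pam_radius_auth.so" { $2 = flag }
            { print }' "$file" > "$file.tmp"
    else
        awk -v flag="$flag" '
            !done && $1 == "auth" { print "auth       " flag "     pam_radius_auth.so"; done = 1 }
            { print }' "$file" > "$file.tmp"
    fi
    mv "$file.tmp" "$file"
}

# Control flag currently set for pam_radius_auth in a pam.d file (empty if absent).
radius_flag() {
    awk '$1 == "auth" && $3 == "pam_radius_auth.so" { print $2; exit }' "$1"
}

# Demo on constructed copies: a shortened CentOS 7 style sshd stack and the
# reserved documentation address 192.0.2.10 as the RADIUS server.
demo() {
    local work
    work=$(mktemp -d)
    printf '#%%PAM-1.0\nauth       required     pam_sepermit.so\nauth       substack     password-auth\naccount    required     pam_nologin.so\n' > "$work/sshd"
    write_raddb_server "$work/server" 192.0.2.10 "$(gen_secret)" 3
    insert_pam_radius "$work/sshd" sufficient   # test phase: local password still works as fallback
    insert_pam_radius "$work/sshd" required     # after a successful test: RADIUS failure is fatal
    echo "pam_radius_auth flag: $(radius_flag "$work/sshd")"
    cat "$work/sshd"
    ls -l "$work/server"
    rm -rf "$work"
}
demo
```

Run it as is to see the result on the scratch copies. To apply the change for real, call write_raddb_server and insert_pam_radius as root against /etc/raddb/server and /etc/pam.d/sshd, keep a console or a second SSH session open while you do, and only switch the flag to required after a login with the OTP has succeeded.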


Make settings in Digital Access

Log in to Digital Access Admin

  1. Log in to Digital Access Admin with an administrator account.


Add CentOS system as RADIUS client

Note

In step 3, enter the IP address of the RADIUS client (the CentOS server) and the shared secret key. Make sure you use the same shared secret that you supplied in /etc/raddb/server during the configuration of the RADIUS client. The IP address must be the source address the CentOS server actually uses towards Digital Access, since the RADIUS server identifies the client by that address.

The steps are described in Set up RADIUS client in Digital Access.


Enable authentication method

Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.

Note
  • In step 3, select Nexus Synchronized as method.
  • When the default RADIUS replies are shown, click Next. You can also add your own RADIUS replies or modify the default replies if required.

The steps are described in Set up authentication method in Digital Access.


Enable 2FA for the testuser

  1. In Digital Access, add the user account with the same user name as the Unix account (testuser), since pam_radius_auth sends the SSH login name as the RADIUS User-Name. Select TruID as authentication method.

Example: Use Nexus TruID as 2FA for SSH login to the CentOS system

  1. Start an SSH (Secure Shell) client and supply the IP address, user name and port of the CentOS system, for example:
  2. When you are prompted for the password, start Nexus TruID on your laptop or smartphone and enter your PIN to generate an OTP.
  3. Enter the OTP as the password at the SSH prompt. sshd logs the result of the login attempt in /var/log/secure on the CentOS server.


Troubleshooting

Tip

You can temporarily disable the firewall on the CentOS system during troubleshooting, but start it again as soon as the test is done.

  1. Make sure that the RADIUS traffic is not blocked by any firewall between the CentOS server and Digital Access. RADIUS authentication runs over UDP, by default on port 1812 (some older clients and servers use 1645); the port can be given explicitly in /etc/raddb/server as server:port. The client only sends requests and receives the replies, so a firewall in front of the RADIUS server is the more likely culprit than the client's own.
  2. Temporarily switch off the firewall of the RADIUS client system (CentOS) with this command: systemctl stop firewalld and see if the error persists.
  3. Check /var/log/secure on the CentOS server. Adding the debug option to the pam_radius_auth.so line in /etc/pam.d/sshd makes the module log each request and reply, which separates a timeout (no reply: blocked port, wrong server address, or a client IP the server does not know) from an Access-Reject (wrong PIN + OTP, or a user not enabled for the method). A mismatched shared secret is the other common cause of failed logins.