The plug-in modular nature of PAM is used to get a Linux server to use RADIUS to authenticate users connecting via SSH.
This article describes how to set up a CentOS server as a RADIUS client and Nexus Hybrid Digital Access Gateway as a RADIUS server. The pam_radius_module is used to provide the mechanism for authenticating SSH logins.
This article also describes how to enable Nexus OTP in Nexus Smart ID Digital Access component (Hybrid Access Gateway) as two-factor authentication method for SSH login on Linux, to replace static passwords.
Nexus TruID is used as an example below and is available for iOS, Android, and Windows.
- Add user account in Digital Access
- Authentication methods in Digital Access
- Deploy Hybrid Access Gateway and do initial setup (Digital Access component)
- Smart ID Digital Access component (Hybrid Access Gateway)
- Smart ID Mobile App (Personal Mobile)
- Set up RADIUS client in Digital Access
Network schematic with Nexus TruID Synchronized as an example.
Configure Linux server
To build a RADIUS client module for the CentOS Linux server, follow these instructions.
The pam_radius_auth security module is not available in the yum repository. To create it you need to install these tools:
This tells the SSH daemon (sshd) to use the RADIUS protocol and server for authentication. With this configuration, sshd also checks local system account passwords as a fallback. This means you can still log in as root or another local Unix account if your RADIUS server is offline.
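The following check is an added example, not part of the original article or Nexus code: it reads an sshd PAM stack and reports whether pam_radius_auth is present and whether a failed RADIUS attempt can still fall through to local passwords. The sample stack, the `sufficient` control, and the names `audit` and `auth_entries` are assumptions made for illustration, because the article's own configuration lines are not shown here.

```python
import re

# Constructed sample of /etc/pam.d/sshd on CentOS (assumption, not the
# article's actual file): RADIUS first, then the local password stack.
SAMPLE_STACK = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       sufficient   pam_radius_auth.so
auth       substack     password-auth
account    required     pam_nologin.so
"""

# Entries that end up checking local account passwords on CentOS.
LOCAL = {"pam_unix.so", "password-auth", "system-auth"}
# type, control (simple keyword or [bracketed] form), module
ENTRY = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def auth_entries(text):
    """Return (control, module basename) for each 'auth' line, in order."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == "auth":
            entries.append((m.group(2), m.group(3).rsplit("/", 1)[-1]))
    return entries


def audit(text):
    """Report RADIUS presence and whether local fallback is reachable."""
    entries = auth_entries(text)
    idx = next((i for i, (_, mod) in enumerate(entries)
                if mod == "pam_radius_auth.so"), None)
    if idx is None:
        return {"radius": False, "control": None, "local_fallback": False}
    control = entries[idx][0]
    reaches_local = any(mod in LOCAL for _, mod in entries[idx + 1:])
    # sufficient/optional ignore a RADIUS failure and continue down the
    # stack; required/requisite make that failure final. Bracketed
    # controls are not evaluated here and are reported as no fallback.
    fallback = control in ("sufficient", "optional") and reaches_local
    return {"radius": True, "control": control, "local_fallback": fallback}


if __name__ == "__main__":
    print(audit(SAMPLE_STACK))
```

When `local_fallback` is true, the local stack is consulted after any failed RADIUS attempt, not only when the RADIUS server is unreachable, so local account passwords remain part of the SSH attack surface and should be managed accordingly.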
Make settings in Digital Access
Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.
Example: SSH Login to the CentOS System