
Set up Nexus OTP as 2FA for SSH login on Linux

The modular, plug-in nature of PAM is used to make a Linux server authenticate users connecting via SSH against RADIUS.

This article describes how to set up a CentOS server as RADIUS client and Digital Access as RADIUS server. The pam_radius_auth module provides the mechanism for authenticating SSH logins.

This article also describes how to enable Nexus OTP in the Smart ID Digital Access component as the two-factor authentication method for SSH login on Linux, replacing static passwords.

Nexus OTP can be either Nexus TruID Synchronized or Smart ID Mobile App OTP, or any other OATH-based mobile OTP application, such as Google Authenticator or Microsoft Authenticator.

Nexus TruID is used as an example below and is available for iOS, Android, and Windows.

Network schematic for Nexus OTP authentication

Network schematic with Nexus TruID Synchronized as an example.


  1. The administrator configures the CentOS server to use RADIUS authentication.
  2. The incoming authentication request is relayed to the Digital Access Authentication Server via RADIUS.
  3. If the user exists, the server checks the token associated with the user for the expected PIN + one-time password.
  4. Once the PIN + one-time password has been verified against the user's token and found valid, the server sends an Access-Accept response.
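The exchange in steps 2 to 4, worked through as an added example (Python) that is not code from this article or from Nexus: one side builds the Access-Request the way a RADIUS client such as pam_radius_auth does (RFC 2865, with User-Password hidden under the shared secret), the other side plays the Digital Access authentication server, recovers PIN + one-time password, checks it against a toy OATH HOTP token (RFC 4226) and answers with an Access-Accept or Access-Reject whose Response Authenticator the client verifies. The shared secret, token seed, PIN, user name and NAS address are constructed values, and the single-counter HOTP check is a stand-in for whatever token logic Digital Access actually applies.

```python
import hashlib
import hmac
import secrets
import struct

# Added example, not code from the Nexus article or product: RFC 2865
# Access-Request/Access-Accept with a toy RFC 4226 HOTP token standing in
# for the user's TruID token. All secrets, seeds and addresses are constructed.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 of the event counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; only works with the same shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> list:
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])  # struct.error if truncated
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attr_bytes: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + authenticator + attr_bytes


def build_access_request(user: str, password: str, secret: bytes, nas_ip: str, ident: int = 0):
    """Client side (what pam_radius_auth sends). Returns (packet, Request Authenticator)."""
    ra = secrets.token_bytes(16)  # fresh random Request Authenticator per request
    attrs = encode_attrs([(USER_NAME, user.encode()),
                          (USER_PASSWORD, hide_password(password.encode(), secret, ra)),
                          (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))])
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def response_authenticator(code: int, ident: int, attr_bytes: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + request_auth + attr_bytes + secret).digest()


def server_handle(packet: bytes, secret: bytes, tokens: dict) -> bytes:
    """Simulated Digital Access side. tokens: user -> (pin, seed, counter); the typed
    password must equal PIN + HOTP (a real server allows a counter window)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    ra, attrs = packet[4:20], dict(decode_attrs(packet[20:length]))
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    typed = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    ok = False
    if code == ACCESS_REQUEST and user in tokens:
        pin, seed, counter = tokens[user]
        ok = secrets.compare_digest(typed, (pin + hotp(seed, counter)).encode())
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply_code, ident, response_authenticator(reply_code, ident, b"", ra, secret), b"")


def client_check_reply(reply: bytes, request_auth: bytes, secret: bytes) -> int:
    """Client side: drop replies whose authenticator was not computed with our secret."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    if not secrets.compare_digest(reply[4:20], expected):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code


def demo() -> int:
    """One login: the user types PIN + OTP at the ssh password prompt."""
    secret = b"constructed-shared-secret"  # same value in /etc/raddb/server and in Digital Access
    seed = b"12345678901234567890"         # constructed token seed (the RFC 4226 test key)
    packet, ra = build_access_request("testuser", "1234" + hotp(seed, 0), secret, "192.0.2.10")
    reply = server_handle(packet, secret, {"testuser": ("1234", seed, 0)})
    return client_check_reply(reply, ra, secret)


if __name__ == "__main__":
    print("Access-Accept" if demo() == ACCESS_ACCEPT else "Access-Reject")
```

The detail that matters for the deployment below: the shared secret is what lets the server recover the typed PIN + OTP and what lets the client tell a genuine reply from a forged one, so it must match exactly on both ends and the file holding it must stay private.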
Prerequisites

Configure Linux server

To build a RADIUS client module for the CentOS Linux server, follow these instructions.


Install development tools

The pam_radius_auth security module is not available in the yum repositories. To build it you need to install these tools:

  1. Install the correct C compiler using the following command: yum install gcc-c++
  2. Install the pam development module using this command: yum install pam-devel
Download and compile PAM RADIUS source files
  1. Download the RADIUS PAM module here: ftp://ftp.freeradius.org/pub/radius/
    The version used for this document is pam_radius-1.3.17.tar.gz
  2. Download the module to a temporary folder where you can build the software, for example, a directory called pam under the root user's home directory: /root/pam.

  3. Once the file is downloaded, unzip the file with this command:

    gunzip /root/pam/pam_radius-1.3.17.tar.gz

  4. Untar the file with this command:

    tar -xvf /root/pam/pam_radius-1.3.17.tar

    The contents are unpacked into a directory structure like this: /root/pam/pam_radius-1.3.17

  5. Navigate to this directory and enter this command: make

    The system compiles with something like the following output:

    cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
    pam_radius_auth.c: In function talk_radius:
    pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of recvfrom differ in signedness
    pam_radius_auth.c: In function pam_sm_authenticate:
    pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
    cc -Wall -fPIC -c -o md5.o md5.c
    ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

  6. A file called pam_radius_auth.so is created. Copy this file to the /lib/security/ or /lib64/security folder, depending on whether you run a 32-bit or 64-bit CentOS version:

    cp pam_radius_auth.so /lib64/security
Configure CentOS server to use RADIUS authentication
  1. Create the user you wish to log in as on the CentOS system. In this example the user is called testuser:

    useradd -d /home/testuser/ testuser

    You do not need to set a password for this Unix user, since your RADIUS account is used to provide the password.

  2. Create a directory called raddb under the /etc folder:

    mkdir /etc/raddb

  3. Copy the sample client configuration file pam_radius_auth.conf to /etc/raddb/server:

    cp /root/pam/pam_radius-1.3.17/pam_radius_auth.conf /etc/raddb/server
  4. Open /etc/raddb/server in an editor, for example, vi.

  5. Add a line that represents your RADIUS server (HAG):

    1. Enter your server's hostname or IP address and a shared secret. The same shared secret is set in this file and on your RADIUS server, so make a note of it.
    2. In this example the RADIUS server "nexus Auth IP" is added with a shared secret of "123456". After editing, the file looks like this:

  6. Edit the /etc/pam.d/sshd file. This file controls the authentication method for the sshd service, which handles SSH logins. We need to tell it to use the pam_radius_auth.so file we compiled and copied into /lib/security (or /lib64/security) earlier.
    Before the top line:

    add this line:

    So the first two lines will look like this:

    sufficient should be replaced by required after the SSH login has been successfully tested.

This tells the SSH service (sshd) to use the RADIUS protocol and server for authentication. With this configuration sshd also checks local system account passwords as a fallback, which means you can log in as root or another local Unix account should your RADIUS server be offline.

You are changing the authentication method for logging in to your CentOS box via SSH. Make sure you can get into it via the console (monitor, mouse and keyboard) in case something goes wrong and you get locked out of SSH.
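The two files edited in steps 2 to 6 are easy to get subtly wrong, so here is an added example (Python, not code from this article or from Nexus) that checks them offline: it parses /etc/raddb/server against pam_radius_auth's documented "server[:port] shared_secret [timeout]" layout, checks that the file holding the shared secret is owned by root and unreadable by group and others, and reports whether /etc/pam.d/sshd still loads pam_radius_auth.so as sufficient rather than required. The 16-character minimum secret length, the function names and the messages are this example's own choices.

```python
import os
import re
import stat

# Added example, not from the Nexus article: offline sanity checks for the two
# files edited in the steps above. The /etc/raddb/server layout assumed here is
# pam_radius_auth's documented "server[:port] shared_secret [timeout]" format;
# MIN_SECRET_LEN is a policy threshold chosen for this example.

MIN_SECRET_LEN = 16


def check_raddb_server(text: str) -> list:
    """Return the problems found in the text of /etc/raddb/server (empty list = fine)."""
    problems, entries = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not fields:
            continue
        if len(fields) not in (2, 3):
            problems.append(f"line {n}: expected 'server[:port] shared_secret [timeout]'")
            continue
        entries += 1
        if not re.fullmatch(r"[A-Za-z0-9.\-]+(:\d{1,5})?", fields[0]):
            problems.append(f"line {n}: unexpected server spec {fields[0]!r}")
        if len(fields[1]) < MIN_SECRET_LEN:
            problems.append(f"line {n}: shared secret shorter than {MIN_SECRET_LEN} characters")
        if len(fields) == 3 and not fields[2].isdigit():
            problems.append(f"line {n}: timeout must be a whole number of seconds")
    if entries == 0:
        problems.append("no RADIUS server configured")
    return problems


def secret_file_issues(path: str, expected_uid: int = 0) -> list:
    """The file holds the shared secret: it should be owned by root (uid 0)
    and not accessible by group or others (mode 0600)."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is accessible beyond the owner; use 0600")
    return problems


def pam_radius_control(text: str):
    """Control flag ('sufficient', 'required', ...) on the auth line of /etc/pam.d/sshd
    that loads pam_radius_auth.so, or None if the module is not wired in."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth" and fields[2].endswith("pam_radius_auth.so"):
            return fields[1]
    return None


def audit(raddb_path: str = "/etc/raddb/server", pam_path: str = "/etc/pam.d/sshd") -> list:
    """Run all checks against the live files (or copies) and return the findings."""
    with open(raddb_path) as f:
        problems = check_raddb_server(f.read())
    problems += secret_file_issues(raddb_path)
    with open(pam_path) as f:
        control = pam_radius_control(f.read())
    if control is None:
        problems.append(f"{pam_path}: no 'auth ... pam_radius_auth.so' line, SSH logins do not use RADIUS")
    elif control == "sufficient":
        problems.append(f"{pam_path}: pam_radius_auth is 'sufficient', so a failed RADIUS login "
                        "still falls back to the local password; switch to 'required' once tested")
    return problems


if __name__ == "__main__":
    for problem in audit() or ["no problems found"]:
        print(problem)
```

Run it as root on the CentOS host after step 6 (ownership is checked against uid 0 by default), or pass other paths to check copies of the files. An empty result means none of the checks fired; it does not replace the live SSH login test.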

Make settings in Digital Access

Log in to Digital Access Admin
  1. Log in to Digital Access Admin with an administrator account.
Add CentOS system as RADIUS client

In step 3, enter the IP address of the RADIUS client (CentOS server) and the shared secret key. Make sure you use the same shared secret that you supplied when configuring the RADIUS client.

  1. In Digital Access Admin, go to Manage System.

  2. Click RADIUS Configuration > Add RADIUS Client...

  3. Enter General Settings and Attributes. Click the ?-sign for help.

  4. Click Save.

Enable authentication method

Nexus TruID Synchronized is used as an example. Other Nexus OTP authentication methods are enabled in a similar way.

  • In step 3, select Nexus Synchronized as method.
  • When the default RADIUS replies are shown, click Next. You can also add your custom RADIUS replies or modify the default replies if required.

To add a new authentication method:

  1. In Digital Access Admin, go to Manage System.
  2. Click Authentication Methods.
  3. Click Add authentication method..., select the desired method and click Next.

  4. Enter Display Name, a unique name used in the system to identify the authentication method.
  5. Select if the method shall be enabled and if it shall be visible in authentication menu.
  6. Register Authentication Methods Server when applicable.
  7. Make other configurations as needed for the selected authentication method. For more information, click the ?-sign. Click Next.
  8. If needed, make settings in RADIUS Replies and Extended Properties.
  9. Click Next and Finish.
  10. Click Publish.
Enable 2FA for the testuser
  1. In Digital Access, add the user account. Select TruID as authentication method.

Example: SSH Login to the CentOS System

Example: Use Nexus TruID as 2FA for SSH Login to the CentOS System
  1. Start an SSH (Secure Shell) client and supply IP address, username and port of the CentOS system, for example:
  2. When you are prompted to enter the password, start Nexus TruID, which is installed on your laptop or smartphone, and enter your PIN to generate an OTP.

  3. Use the OTP as the password for the SSH prompt.

Troubleshooting

You can temporarily disable the firewall on the CentOS system during troubleshooting.

  1. Make sure that the RADIUS traffic is not blocked by any firewall.
  2. Temporarily switch off the firewall of the RADIUS client system (CentOS) with this command: systemctl stop firewalld, and check whether the error persists.
