Monday, September 30, 2013

Using Radius authentication with SSH

The following will configure your Linux-based SSH server to use a pre-defined RADIUS server for authentication instead of plain password authentication. You must configure the RADIUS server before starting this configuration. This is for 64-bit Linux; for 32-bit, just change the package names from .x86_64 to .i686:

·         Download and install the packages (make sure the server can reach the internet via port 80/443)
# yum install freeradius pam_radius.x86_64 pam.x86_64
Type y when it asks you if this is OK, then hit ENTER.
·         Edit the conf file
# nano /etc/pam_radius.conf
·         Add the correct RADIUS server info as follows (one server per line: server address, shared secret, timeout in seconds)
192.168.1.5        secret      5
192.168.1.6         secret      5
·         Use CTRL-O to save the file and CTRL-X to exit.
·         Set file permissions
# chmod 600 /etc/pam_radius.conf
·         Edit the sshd_config file
# nano /etc/ssh/sshd_config
o   Uncomment the line PubkeyAuthentication yes
o   Uncomment the line UsePAM yes
Save and exit the file
·         Edit the PAM sshd config file
# nano /etc/pam.d/sshd
Move the existing first line down so it becomes the second line. This line needs to be the first line:
auth       sufficient   /lib/security/pam_radius_auth.so debug client_id=linux
Notes:
o   The first line must be listed as above. If the default first line is still listed first, RADIUS will not authenticate properly.
o   If you do NOT wish to allow standard password authentication alongside RADIUS authentication, comment out (#) the second line to force all auth requests to use dual factor.
o   If the machine is 64-bit, change /lib to /lib64.
·         Enable standard authentication to switch users
# nano /etc/pam.d/su
·         Move this line to the top of the list. This will allow you to authenticate using RADIUS, but change user using the normal password.
auth            include         system-auth
Save and exit the file.
·         Edit the system auth file
# nano /etc/pam.d/system-auth
·         Comment out this line
password    requisite     pam_cracklib.so try_first_pass retry=3
and add these lines to replace it
# password complexity requirements
password    requisite     pam_passwdqc.so min=disabled,disabled,12,8,7 retry=3
·         In the “auth” section toward the top, add these lines
# lock out users after 10 failed attempts
auth        required      pam_tally.so onerr=fail deny=5 unlock_time=21600
·         Restart the sshd service (keep your current session open until the test below succeeds, so a broken PAM stack cannot lock you out)
# service sshd restart
·         Test RADIUS authentication
o   Make sure the user account is valid: you have to add the user account to Linux before it will authenticate using PAM.
o   Make sure the server IP is listed in the RADIUS clients file. If it's a new server, chances are it has not yet been added.
o   Check /var/log/secure for failures. If you see PAM [error: /lib64/security/pam_radius_auth.so: cannot open shared object file, then that .so file is not installed. It's easiest to copy the file from another server that is working, or you can google the rpm for pam_radius_auth.
·         If RADIUS auth works, update the sshd_config file to forbid root login
# nano /etc/ssh/sshd_config
o   Uncomment the line PermitRootLogin no or change the value to no
o   Uncomment the line PermitEmptyPasswords no and make sure it is set to no
·         Save and exit.

·         Make sure sshd starts on boot (runlevels 3 and 5)
chkconfig --level 35 sshd on
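As an added sanity check that is not part of the original post, the following POSIX shell script verifies the three files the procedure above edits against the settings it prescribes (pam_radius.conf mode and line format, pam_radius_auth.so as the first auth rule in pam.d/sshd, and the sshd_config directives). The function names are mine, and each takes a file path so it can be run against the live file or a constructed copy.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files the
# RADIUS/PAM procedure edits. Exit status 0 from a function means it passed.

# /etc/pam_radius.conf: must be mode 600, and every active line must be
# "<server> <secret> <timeout>" with a numeric timeout.
check_radius_conf() {
    f="$1"
    [ -n "$(find "$f" -prune -perm 600 -print 2>/dev/null)" ] \
        || { echo "$f: expected mode 600"; return 1; }
    awk 'BEGIN { bad = 0 }
         !/^[[:space:]]*(#|$)/ && (NF != 3 || $3 !~ /^[0-9]+$/) { bad = 1 }
         END { exit bad }' "$f"
}

# /etc/pam.d/sshd: the first active "auth" rule must be pam_radius_auth.so,
# exactly as the post requires.
check_pam_sshd() {
    first=$(awk '!/^[[:space:]]*#/ && $1 == "auth" { print; exit }' "$1")
    case "$first" in
        *pam_radius_auth.so*) return 0 ;;
        *) echo "first auth rule is not pam_radius_auth: '$first'"; return 1 ;;
    esac
}

# /etc/ssh/sshd_config: the directives the post sets. sshd uses the first
# active occurrence of a keyword, so that is the value checked here.
check_sshd_config() {
    f="$1"
    for want in "UsePAM yes" "PermitRootLogin no" "PermitEmptyPasswords no"; do
        key=${want%% *}
        val=$(awk -v k="$key" \
              '!/^[[:space:]]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$f")
        [ "$val" = "${want#* }" ] \
            || { echo "$key is '$val', want '${want#* }'"; return 1; }
    done
}

# Run all three against the live system paths used in the procedure.
check_all() {
    check_radius_conf /etc/pam_radius.conf \
    && check_pam_sshd /etc/pam.d/sshd \
    && check_sshd_config /etc/ssh/sshd_config
}
```

Run check_all as root after the restart step; any failing check prints what it found and returns non-zero.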
