Using Radius authentication with SSH

-
The following will configure your linux-based SSH server to use a pre-defined radius server for authentication instead of plain password authentication.  You must configure the radius server before starting this configuration.  This is for Linux 64-bit bit but for 32-bit just change package names from .x86_64 to i686.:

·         Download install package (make sure the server can access the internet via port 80/443)
# yum install freeradius pam_radius.x86_64 pam_radius.x86_64 pam.x86_64 
type y when it asks you if this is OK, hit ENTER
·         Edit the conf file
# nano /etc/pam_radius.conf
·         Add the correct radius server info as follows
192.168.1.5        secret      5
192.168.1.6         secret      5
·         Use CTRL-O to save the file and CTRL-X to exit.
·         Set file permissions
# chmod 600 /etc/pam_radius.conf
·         edit the sshd_config file
# nano /etc/ssh/sshd_config
o   Uncomment the line PubkeyAuthentication yes
o   Uncomment the line UsePAM yes
Save and exit the file
·         edit the pam sshd config file
# nano /etc/pam.d/sshd
Move the first line down to become the second line.   This line needs to be the first line:
auth       sufficient   /lib/security/pam_radius_auth.so debug client_id=linux
Notes:
o   The first line must be listed as above.  If the default first line is still listed, radius will not authenticate properly.  
o   If you do NOT wish to allow standard password authentication WITH radius authentication, you can # comment the second line to force all auth requests to use dual factor.
o   If the machine is 64 bit, change /lib to /lib64
·         Enable standard authentication to switch users
# nano /etc/pam.d/su
·         Move this line to the top of the list.  This will allow you to auth using radius, but change user using normal password.
auth            include         system-auth
Save and exit the file.
·         Edit the system auth file
# nano /etc/pam.d/system-auth
·         Comment out this line
password    requisite     pam_cracklib.so try_first_pass retry=3
and add these lines to replace it
# password complexity requirements
password    requisite     pam_passwdqc.so min=disabled,disabled,12,8,7 retry=3
·         In the “auth” section toward the top, add these lines
# lock out users after 10 failed attempts
auth        required      pam_tally.so onerr=fail deny=5unlock_time=21600
·         restart the sshd service
# service sshd restart
·         Test Radius Authentication
o   Make sure the user account is valid, you have to add the user account to linux before it will auth using pam.
o   Make sure the server IP is listed in the radius CLIENTS file.  If it’s a new server, chances are it has not yet been added.
o   Check /var/log/secure for failures.  If you see PAM [error: /lib64/security/pam_radius_auth.so: cannot open shared object file then that .so file is not installed. It’s easiest to just copy the file from another server that is working or you can google the rpm for pam_radius_auth
·         If radius auth works, update the sshd_config file to forbid root login
# nano /etc/ssh/sshd_config
o   Uncomment the line PermitRootLogin no or change the value to no
o   Uncomment the line PermitEmptyPasswords no and make sure it is set to no
·         Save and exit.

·         set always on
chkconfig --level 35 sshd on

Comments

Post a Comment

Popular posts from this blog

Scion xB 2005 - Fuel Filter replacement DIY

-
Image
Warning: this is for educational purposes only.  Neither I nor anyone else on the planet is responsible for your stupid decisions and lack of thinking.  The information provided here is the best of my documenting ability and nothing more.  Like ANYTHING on the internet, it should not be considered as the full truth with no missing pieces.  If I leave anything out, it's your responsibility to find the rest of the puzzle.   ie, if you blow your car or yourself into a million pieces, it's YOUR fault. Note:  This took a lot more effort than I had anticipated even with the other DIY articles I found on this subject.  I personally will be paying someone to do it for me next time.  If you decide to take this on, I suggest you go ahead an replace the fuel pump while you are at it, as long as you have at least 60,000 miles on the toaster.  My pump died at 94k miles. Before you begin, make sure you have access to tools as you will need a wide range of them.  You will find out what s
Read more

Flashing Firmware to Creality CR-10 S5

-
Image
There are plenty of firmware flashing guides out there for CR-10 models, but not yet a lot for the CR-10 S5 model.  So I had to figure out how to flash the firmware based on what was available for other models. To  understand what is required, please refer to this video.  It has all of the major steps needed. This post is not meant as a full guide.  It's merely supplemental information that applies to the video below meant for the S5 model's of the CR-10 series.  https://www.youtube.com/watch?v=7J7NYnxL5vA So the basic idea is the CR-10's do NOT have a bootloader installed by default.  So in order to flash the firmware, you first have to burn the bootloader.  This can be done via an arduino because the CR-10's all use an arduino as their main processor. The CR-10 normally has a jumper to switch to USB power.  the S5 does not have this.  You can just disconnect the 120/240v power and plug in the USB cable and it will power the S5 board.   You wil need the boar
Read more