
Linux PAM RADIUS (SSH)

Prerequisites

  • A Linux machine that:
    • Supports the PAM RADIUS package.
    • Has an SSH server installed and configured to authenticate remote users (e.g. via AD/LDAP).
  • A Windows machine running the Single Agent.

1. SecurEnvoy RADIUS Profile

  1. Go to Integration > Premises and add a new RADIUS profile.
  2. Enter the RADIUS configuration settings:
    • Friendly name.
    • Server Port.
    • Assigned Agent.
    • The IP address of the Linux machine.
    • The Shared Secret for the RADIUS connection.
  3. (Optional) Enable the 'Message Authenticator' and 'Brute Force Protection' options.
  4. Save the configuration.

2. PAM RADIUS Config

  1. On the Linux machine, install or build the 'libpam-radius-auth' package.
  2. Open the pam_radius_auth config file: sudo nano /etc/pam_radius_auth.conf.
  3. In the server section, comment out the example servers.
  4. On a new line in the server section, enter the IP address of the Single Agent, the shared secret and a timeout of 20. Leave source_ip and vrf empty. The finished server section looks like this (192.168.0.1 and secretpassword are placeholders for your own values):

     # server[:port]     shared_secret       timeout (s)     source_ip      vrf
     #127.0.0.1 secret 3
     192.168.0.1 secretpassword 20

  5. Save and exit the file by pressing ctrl+x, then y.
  6. The file now contains the RADIUS shared secret in clear text, so make sure it is owned by root and not readable by any other user (mode 600).

3. SSH PAM Config

  1. On the Linux machine, open the sshd pam config file: sudo nano /etc/pam.d/sshd.
  2. On a new line in the first section of the file, add: auth sufficient pam_radius_auth.so.
  3. Save and exit the file by pressing ctrl+x, then y.
Note on 'auth sufficient'

In PAM, 'sufficient' means that a failure of pam_radius_auth is not fatal to the stack: if the RADIUS connection fails (for example the Single Agent is unreachable and the 20-second timeout expires), PAM falls through to the modules that follow it, and a user who passes those with a password alone is logged in without MFA. Setting 'auth required' instead fails closed, but it also prevents local accounts that do not exist in Access Management from logging in via SSH. It is recommended to keep an alternative logon method for local accounts, or to have a domain user with sudo privileges, before switching to 'required'.

4. SSHD Config

  1. On the Linux machine, open the SSHD config file: sudo nano /etc/ssh/sshd_config.
  2. Make sure that 'UsePAM' is set to 'yes'.
  3. Make sure that 'KbdInteractiveAuthentication' is set to 'yes'. On OpenSSH releases older than 8.7 this option is called 'ChallengeResponseAuthentication'; newer releases still accept the old name as an alias.
  4. Save and exit the file by pressing ctrl+x, then y.
  5. Check the file with sudo sshd -t and then restart the SSH service. Keep your current SSH session open until the test in the next section succeeds, so that a mistake in the configuration cannot lock you out.
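The script below is an added example, not SecurEnvoy's or pam_radius's own tooling. It applies steps 2 to 4 above as idempotent shell functions and finishes with a check that the result is fail-closed. ROOT is an assumed prefix (empty on a real host) so the functions can be exercised against a scratch directory first; the function names, the choice to put the pam_radius_auth line at the top of /etc/pam.d/sshd, and the address 192.168.0.1 / secret secretpassword in the usage line are the example's own.

```shell
#!/bin/sh
# Added example, not SecurEnvoy's or pam_radius's own tooling: applies steps 2-4
# of the page as idempotent functions. ROOT is an assumed prefix (empty on a
# real host) so the functions can be exercised against a scratch directory.
set -eu

# Step 2: write /etc/pam_radius_auth.conf with a single server line and no
# source_ip/vrf. The file holds the shared secret in clear text, so it is
# created readable by root only.
write_radius_conf() {
    root=$1; agent_ip=$2; secret=$3; timeout=${4:-20}
    conf="$root/etc/pam_radius_auth.conf"
    mkdir -p "$root/etc"
    ( umask 077
      printf '# server[:port]\tshared_secret\ttimeout (s)\tsource_ip\tvrf\n%s\t%s\t%s\n' \
          "$agent_ip" "$secret" "$timeout" > "$conf" )
    chmod 600 "$conf"
}

# Step 3: put "auth <control> pam_radius_auth.so" at the top of /etc/pam.d/sshd.
# Re-running with a different control word rewrites the existing line instead
# of adding a second one. Only single-word controls (required/sufficient)
# are handled.
add_pam_line() {
    root=$1; control=$2
    pam="$root/etc/pam.d/sshd"
    mkdir -p "$root/etc/pam.d"
    [ -f "$pam" ] || : > "$pam"
    if grep -q 'pam_radius_auth\.so' "$pam"; then
        sed -E "s/^auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_radius_auth\.so.*/auth $control pam_radius_auth.so/" \
            "$pam" > "$pam.tmp"
    else
        { printf 'auth %s pam_radius_auth.so\n' "$control"; cat "$pam"; } > "$pam.tmp"
    fi
    mv "$pam.tmp" "$pam"
}

# Step 4: set one sshd_config keyword, uncommenting and replacing an existing
# (possibly commented-out) entry rather than appending a duplicate.
set_sshd_option() {
    root=$1; key=$2; value=$3
    cfg="$root/etc/ssh/sshd_config"
    mkdir -p "$root/etc/ssh"
    [ -f "$cfg" ] || : > "$cfg"
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key[[:space:]]" "$cfg"; then
        sed -E "s/^[[:space:]]*#?[[:space:]]*$key[[:space:]].*/$key $value/" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}

# Returns 0 only for a fail-closed configuration: secret file is mode 600,
# pam_radius_auth is 'required' (a 'sufficient' line fails this check), and
# sshd accepts keyboard-interactive PAM logins. On a real host it also runs
# sshd -t so a typo cannot lock you out on restart.
verify_fail_closed() {
    root=$1
    [ -n "$(find "$root/etc/pam_radius_auth.conf" -perm 600)" ] || return 1
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_radius_auth\.so' "$root/etc/pam.d/sshd" || return 1
    grep -Eq '^UsePAM[[:space:]]+yes$' "$root/etc/ssh/sshd_config" || return 1
    grep -Eq '^(KbdInteractiveAuthentication|ChallengeResponseAuthentication)[[:space:]]+yes$' \
        "$root/etc/ssh/sshd_config" || return 1
    if [ -z "$root" ]; then sshd -t || return 1; fi
    return 0
}

# Usage: ROOT=/tmp/stage sh pam-radius-ssh.sh 192.168.0.1 secretpassword
main() {
    root=${ROOT:-}
    write_radius_conf "$root" "$1" "$2" "${3:-20}"
    add_pam_line "$root" required
    set_sshd_option "$root" UsePAM yes
    set_sshd_option "$root" KbdInteractiveAuthentication yes
    verify_fail_closed "$root" && echo "configuration verified; restart sshd now"
}

if [ $# -ge 2 ]; then main "$@"; fi
```

Run it once with ROOT pointing at an empty directory to inspect the generated files, then without ROOT on the target host. verify_fail_closed deliberately rejects 'sufficient': if you need the fall-through behaviour for local accounts, change the check rather than silently accepting a configuration that bypasses MFA when RADIUS is down.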

5. Test logging in with a user

  1. From a second terminal, open a new SSH connection and log in as a domain user. You should be prompted for the password and then for the second factor (a realtime code or a push notification) before the session opens.

Note: challenge not supported

If you don't want to use realtime codes or push notifications for SSH authentication (for example because you also use pam_radius with a display manager that doesn't support Access-Challenge), users can enter their password and OTP together on one line instead. For this to work, comment out '@include common-auth' in /etc/pam.d/sshd. If you don't, the password modules pulled in by common-auth see the combined password+OTP string first, treat it as a wrong password, and authentication fails before it reaches pam_radius_auth.