Documentation

Introduction

Use this guide to configure Linux / Unix servers as RADIUS clients of the SecureAuth IdP appliance (running as a RADIUS server), so that SSH logins across a Linux / Unix estate require Multi-Factor Authentication.

Multiple Multi-Factor Authentication options are supported, including OTP, TOTP, and Push methods.

The SecureAuth IdP RADIUS Server can authenticate requests from any RADIUS client, enabling strong, secure authentication into VPNs, Linux/Unix servers, or any compliant RADIUS client.

With SecureAuth's RADIUS Server v2.0+, the following authentication methods are available for use:

  • SMS / Text Message OTP
  • Phone (Voice) OTP
  • Email OTP
  • Push Notification OTP
  • Push-to-Accept Login Request
  • PIN

Be advised that PAM RADIUS (pam_radius) is free software distributed by the FreeRADIUS project; SecureAuth does not provide support for it.

Prerequisites

1. Configure SecureAuth IdP as a RADIUS Server

2. Have a Linux / Unix server and Linux / RADIUS experience

3. Have the user enrolled for OTP authentication (provisioned in SecureAuth998) and stored in the enterprise directory

4. Have a user with the equivalent username (as in the enterprise directory) stored on the Linux machine

5. Have SSHD running and connectivity tested from a suitable SSH client

6. Download pam_radius (the PAM RADIUS module distributed by the FreeRADIUS project) to the target Linux / Unix platform

Download the current version of pam_radius from the FreeRADIUS project

Building it produces the pam_radius_auth.so PAM module and requires GCC; on Debian / Ubuntu the prebuilt libpam-radius-auth package can be installed instead (see the second set of steps below)

Installation / Configuration Steps (CentOS / RHEL)

The following steps are for RPM-based distributions (CentOS / RHEL, using yum). They are run on the Linux server that becomes the RADIUS client, not on the SecureAuth IdP appliance; vim and vi are interchangeable throughout. Keep an existing SSH session open while making these changes so that a PAM or sshd misconfiguration cannot lock you out.

Step 1

$ sudo yum install gcc pam pam-devel make -y

Step 2

$ wget ftp://ftp.freeradius.org/pub/radius/pam_radius-x.x.x.tar.gz
$ tar xvzf pam_radius-x.x.x.tar.gz
$ cd pam_radius-x.x.x
$ ./configure
$ make

Replace x.x.x with the version downloaded. Downloading and building do not need root; only the copy into the PAM module directory in Step 3 does.

Step 3 (32-bit or 64-bit)

Copy the built module from the build directory into the PAM module directory (the one that already contains pam_unix.so):

32-bit
$ sudo cp pam_radius_auth.so /lib/security/
64-bit
$ sudo cp pam_radius_auth.so /lib64/security/

Step 4

$ sudo vim /etc/ssh/sshd_config   

Make sure ChallengeResponseAuthentication yes is present and uncommented (no leading #). On OpenSSH 8.7 and later this keyword is named KbdInteractiveAuthentication; the old name is still accepted as an alias.

Should appear as follows:

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

Make sure UsePAM yes is present and uncommented (no leading #); without it sshd never calls the PAM stack edited in Step 5.

Should appear as follows:

#UsePAM no
UsePAM yes

sshd reads this file only at start-up, so restart it once all steps are complete (PAM files, by contrast, are read at each login).

Step 5

$ sudo vim /etc/pam.d/sshd   

Edit to appear as follows:

auth	required	pam_sepermit.so
auth	required	pam_radius_auth.so
#auth	substack	password-auth
auth	include		password-auth

The auth required pam_radius_auth.so line is added directly after pam_sepermit.so, so RADIUS is consulted before the local password stack. If the file contains auth substack password-auth, comment that line out with # and use auth include password-auth instead, as shown.

With required, a RADIUS failure always fails the login; the user must satisfy both RADIUS and the password-auth stack that follows.

Step 6

$ sudo mkdir /etc/raddb

Step 7

$ sudo vim /etc/raddb/server

Add the following:

#Server		Secret		Timeout
IP/FQDN		MySecret	60

The IP Address / FQDN is that of the SecureAuth IdP appliance (append :port if its RADIUS server listens on a port other than the default, which pam_radius takes from the radius entry in /etc/services, normally 1812); MySecret is the shared secret configured in appliance.radius.properties on the SecureAuth IdP appliance, under the SA RADIUS Configuration folder, and must match it exactly; 60 is the number of seconds pam_radius waits for a reply from the server, set high so that Push-to-Accept and voice OTP flows, where the user responds out of band, do not time out. Because this file contains the shared secret, make it readable by root only (mode 0600). After restarting sshd, test from a second SSH session while keeping the current one open.

OPTIONAL STEPS

Option: Configure sudo to use PAM RADIUS

Edit this file so that sudo prompts the end user through the same RADIUS 2-Factor Authentication flow used for the SSH login:

$ sudo vim /etc/pam.d/sudo 

Replace:

auth	include		system-auth

with:

auth	required	pam_radius_auth.so

After this change sudo authenticates against RADIUS only: the local password is no longer checked for sudo, and while the RADIUS server is unreachable sudo requests will fail until it is reachable again.

Option A (Step 5)

Used for scripts running machine-to-machine that cannot complete 2-Factor Authentication. Connections from the listed source addresses skip pam_radius_auth.so and authenticate against the local password stack only, so keep the list as small as possible: every address on it is an MFA bypass.

$ sudo vim /etc/pam.d/sshd

Edit to appear as follows:

auth	required	pam_sepermit.so
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth	sufficient	pam_radius_auth.so
auth	include		password-auth

The auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf and auth sufficient pam_radius_auth.so lines are added. When pam_access matches a + rule, success=1 jumps over the next module (pam_radius_auth.so); when it does not, default=ignore lets the stack continue to pam_radius_auth.so. Note that pam_radius_auth.so is sufficient here rather than required: a RADIUS success completes authentication on its own, but a RADIUS failure falls through to password-auth, so a valid local password alone still logs the user in. Use required instead if the local password must never be enough.

$ sudo vim /etc/security/access-local.conf

Add the following:

# List of IP's or ranges to bypass 2FA
+ : ALL : IP or IP range to bypass 2FA
+ : ALL : LOCAL
- : ALL : ALL

Rules are evaluated in order and the first match wins, so the closing - : ALL : ALL line must stay last. LOCAL matches logins that do not come from a remote host (for example the console).

Option B (Step 5)

If using the PAM module on CentOS running on Windows Server 2012 R2, make these edits to allow both SecureAuth IdP users and local users (members of LOCALGROUP) to log in:

auth	required	pam_sepermit.so
auth [success=1 default=ignore] pam_succeed_if.so user ingroup LOCALGROUP
auth	sufficient	pam_radius_auth.so
auth	sufficient  pam_unix.so

Lines added:

auth [success=1 default=ignore] pam_succeed_if.so user ingroup LOCALGROUP

auth sufficient pam_radius_auth.so and

auth sufficient pam_unix.so

Members of LOCALGROUP skip pam_radius_auth.so and are checked by pam_unix.so only. Because pam_unix.so is also marked sufficient, a user outside LOCALGROUP who fails RADIUS authentication can still log in with a valid local password; if that is not intended, restrict pam_unix.so to LOCALGROUP members.
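The access-local.conf list used by Option A is evaluated by pam_access in order, first match wins, and every + match silently removes MFA for that origin, so it is worth checking the list against sample users and source addresses before deploying it. The evaluator below is an added example, not code from the article or from pam_access itself: it applies the same first-match rule and reports bypass (pam_access succeeds, so success=1 skips pam_radius_auth.so) or mfa (no + match, so the stack continues to pam_radius_auth.so). It handles the origin forms used in this guide, ALL, LOCAL, a single IPv4 address and an IPv4 network in a.b.c.d/n form; hostnames, netmask form, EXCEPT and group names are not handled (assumption stated in the code). The sample list and addresses inside it are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the article or pam_access: a first-match evaluator
# for an access-local.conf bypass list, so the list can be checked against
# sample users/origins before it is deployed. Handles ALL, LOCAL, an exact
# IPv4 address and an IPv4 network as a.b.c.d/n; everything else is treated
# as a non-match (assumption: the list uses only these forms).
set -eu

ip2int() {   # dotted quad -> integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

is_ipv4() {  # four dot-separated decimal fields (shape check only)
    case "$1" in
        *[!0-9.]*|'') return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

origin_matches() {   # $1=origins token  $2=origin (IPv4 address or tty name)
    local tok="$1" org="$2" net bits mask
    case "$tok" in
        ALL)   return 0 ;;
        LOCAL) case "$org" in *.*) return 1 ;; *) return 0 ;; esac ;;   # no dot: console/tty
        */*)   is_ipv4 "$org" || return 1
               net="${tok%/*}"; bits="${tok#*/}"
               mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
               [ $(( $(ip2int "$org") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *)     [ "$tok" = "$org" ] ;;
    esac
}

# First matching rule decides, as in pam_access. Prints "bypass" for a "+" rule
# (pam_access succeeds; success=1 jumps over pam_radius_auth.so) and "mfa" for a
# "-" rule or no match at all (default=ignore: the stack continues to RADIUS).
access_decision() {   # $1=access-local.conf  $2=user  $3=origin
    local perm users origins u o
    while IFS=: read -r perm users origins; do
        perm=$(printf '%s' "$perm" | tr -d '[:space:]')
        case "$perm" in +|-) ;; *) continue ;; esac        # comments and blank lines
        for u in $users; do
            [ "$u" = ALL ] || [ "$u" = "$2" ] || continue
            for o in $origins; do
                if origin_matches "$o" "$3"; then
                    if [ "$perm" = + ]; then echo bypass; else echo mfa; fi
                    return 0
                fi
            done
        done
    done < "$1"
    echo mfa
}

# Constructed sample list (placeholder addresses) mirroring the Option A layout.
demo() {
    local f; f=$(mktemp)
    printf '# List of IPs or ranges to bypass 2FA\n+ : ALL : 10.20.30.0/24 192.0.2.7\n+ : ALL : LOCAL\n- : ALL : ALL\n' > "$f"
    for who in "alice 10.20.30.77" "alice 10.20.31.1" "bob tty1" "bob 203.0.113.9"; do
        set -- $who
        printf '%-6s %-14s -> %s\n' "$1" "$2" "$(access_decision "$f" "$1" "$2")"
    done
    rm -f "$f"
}
demo
```

The user field is honoured as well as the origin, so a list that grants the bypass only to a service account from its own subnet (+ : svc-backup : 10.99.0.0/16) can be checked the same way; in practice that is the shape to prefer over + : ALL : network, which exempts every account arriving from that range.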

Installation / Configuration Steps (Debian / Ubuntu)

The following steps are for Debian / Ubuntu (apt-get), where pam_radius is installed from the distribution package libpam-radius-auth rather than built from source. They are run on the Linux server, not on the SecureAuth IdP appliance; vim and vi are interchangeable, and ssh is assumed to be installed and configured on the Linux server before this installation / configuration. Keep an existing SSH session open while making these changes.

Step 1

$ sudo apt-get install libpam-radius-auth libpam0g-dev gcc

Step 2

$ sudo vi /etc/ssh/sshd_config

Make sure ChallengeResponseAuthentication yes is present and uncommented (no leading #). On OpenSSH 8.7 and later this keyword is named KbdInteractiveAuthentication; the old name is still accepted as an alias.

Should appear as follows:

ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

Make sure UsePAM yes is present and uncommented (no leading #); without it sshd never calls the PAM stack edited in Step 3.

Should appear as follows:

#UsePAM no
UsePAM yes

Step 3

$ sudo vi /etc/pam.d/sshd

At the beginning of the file, before the @include common-auth line, add:

auth      sufficient       pam_radius_auth.so

With sufficient, a successful RADIUS authentication completes the auth stack on its own; a RADIUS failure is not fatal and falls through to common-auth, so a valid local password alone still logs the user in. Use required instead of sufficient if RADIUS must be passed on every SSH login (the user is then also asked for the local password by common-auth).

Step 4

$ sudo vi /etc/pam_radius_auth.conf

Add the following:

# server[:port]     shared_secret       timeout (s)
IP/FQDN            	MySecret            60

The IP Address / FQDN is that of the SecureAuth IdP appliance (append :port if its RADIUS server listens on a port other than the default, which pam_radius takes from the radius entry in /etc/services, normally 1812); MySecret is the shared secret configured in appliance.radius.properties on the SecureAuth IdP appliance, under the SA RADIUS Configuration folder, and must match it exactly; 60 is the number of seconds pam_radius waits for a reply from the server, set high so that Push-to-Accept and voice OTP flows, where the user responds out of band, do not time out. Because this file contains the shared secret, keep it readable by root only (mode 0600).

Step 5

$ sudo mkdir -p /etc/raddb
$ sudo cp -p /etc/pam_radius_auth.conf /etc/raddb/server 

The Debian package reads /etc/pam_radius_auth.conf; the copy under /etc/raddb/server covers builds of the module that look there instead. cp -p preserves the root-only permissions so the shared secret is not exposed through a world-readable copy.

Step 6

Check the configuration first with sshd -t (it reports sshd_config errors without restarting), keep the current SSH session open, then restart:

$ sudo service ssh restart

Verify from a second session that the login now prompts for the RADIUS credentials before closing the first one.
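Both procedures above (CentOS / RHEL Steps 4 to 7 and Debian / Ubuntu Steps 2 to 5) come down to the same three file edits: two sshd_config directives, one PAM line, and the server file holding the shared secret. The script below is an added example, not code from the SecureAuth article or from the pam_radius project. It performs those edits idempotently (safe to re-run), places the shared secret in a root-only file, and can be rehearsed against copies by setting ROOT to a scratch directory. It assumes GNU sed and awk; idp.example.com and MySecret are placeholders for the real IdP address and shared secret, supplied through the RADIUS_SERVER and RADIUS_SECRET environment variables.

```shell
#!/usr/bin/env bash
# Added example, not from the SecureAuth article or the pam_radius project.
# Applies the sshd_config, PAM and server-file edits from the steps above
# idempotently. Set ROOT=/some/scratch/dir to rehearse against copies first.
# Assumes GNU sed/awk (Linux). RADIUS_SERVER / RADIUS_SECRET defaults are
# placeholders, not real values.
set -eu

ROOT="${ROOT:-}"                                       # empty = live system
RADIUS_SERVER="${RADIUS_SERVER:-idp.example.com}"      # placeholder
RADIUS_SECRET="${RADIUS_SECRET:-MySecret}"             # placeholder
RADIUS_TIMEOUT="${RADIUS_TIMEOUT:-60}"                 # seconds; long enough for push/voice

# Effective value of an sshd keyword: sshd uses the first active occurrence.
sshd_effective() {   # $1=sshd_config  $2=keyword (case-insensitive)
    awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1"
}

# Make "Keyword value" the effective setting: comment out every other active
# copy, then put the directive first (also ahead of any Match block).
ensure_sshd_option() {   # $1=sshd_config  $2=keyword  $3=value
    local file="$1" key="$2" val="$3"
    if [ "$(sshd_effective "$file" "$key")" = "$val" ]; then return 0; fi
    sed -i -E "s/^([[:space:]]*${key}[[:space:]]+)/#\1/I" "$file"
    { printf '%s %s\n' "$key" "$val"; cat "$file"; } > "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"     # keeps owner/mode of the original
}

# Add pam_radius_auth.so to an sshd PAM stack once: after pam_sepermit.so on
# RHEL-style files, otherwise at the top (Debian, before @include common-auth).
# Also swaps "auth substack password-auth" for "auth include password-auth",
# leaving the original line commented, as RHEL Step 5 does.
ensure_pam_radius() {    # $1=/etc/pam.d/sshd  $2=control (required|sufficient)
    local file="$1" line
    line=$(printf 'auth\t%s\tpam_radius_auth.so' "$2")
    if grep -Eq '^[[:space:]]*auth[[:space:]].*pam_radius_auth\.so' "$file"; then return 0; fi
    if grep -q 'pam_sepermit\.so' "$file"; then
        awk -v l="$line" '{print} !d && /pam_sepermit\.so/ {print l; d=1}' "$file" > "$file.tmp"
    else
        { printf '%s\n' "$line"; cat "$file"; } > "$file.tmp"
    fi
    sed -i -E 's/^([[:space:]]*auth[[:space:]]+)substack([[:space:]]+password-auth)/#&\n\1include\2/' "$file.tmp"
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Write "server[:port] secret timeout". The file holds the shared secret, so it
# is created readable by root only.
write_radius_server_file() {   # $1=path  $2=server  $3=secret  $4=timeout
    mkdir -p "$(dirname "$1")"
    ( umask 077; printf '# server[:port]\tsecret\ttimeout\n%s\t%s\t%s\n' "$2" "$3" "$4" > "$1" )
    chmod 0600 "$1"
}

apply() {   # $1=rhel|debian
    ensure_sshd_option "$ROOT/etc/ssh/sshd_config" ChallengeResponseAuthentication yes
    ensure_sshd_option "$ROOT/etc/ssh/sshd_config" UsePAM yes
    if [ "$1" = rhel ]; then
        ensure_pam_radius "$ROOT/etc/pam.d/sshd" required
        write_radius_server_file "$ROOT/etc/raddb/server" "$RADIUS_SERVER" "$RADIUS_SECRET" "$RADIUS_TIMEOUT"
    else
        ensure_pam_radius "$ROOT/etc/pam.d/sshd" sufficient
        write_radius_server_file "$ROOT/etc/pam_radius_auth.conf" "$RADIUS_SERVER" "$RADIUS_SECRET" "$RADIUS_TIMEOUT"
        write_radius_server_file "$ROOT/etc/raddb/server" "$RADIUS_SERVER" "$RADIUS_SECRET" "$RADIUS_TIMEOUT"
    fi
    # Syntax-check the live config before anything is restarted (skipped for a ROOT rehearsal).
    [ -n "$ROOT" ] || sshd -t -f "$ROOT/etc/ssh/sshd_config"
}

# Usage: sudo ./radius-mfa.sh rhel   (or: debian). With no argument nothing is changed.
if [ "${1:-}" = rhel ] || [ "${1:-}" = debian ]; then apply "$1"; fi
```

Run it after the module itself is installed (CentOS / RHEL Steps 1 to 3, or Debian / Ubuntu Step 1). The sshd -t call at the end fails loudly on a malformed sshd_config; restart sshd yourself afterwards, from a session you keep open until a second session has logged in through RADIUS. Rehearsing with ROOT set lets you diff the resulting files against the layouts shown in the steps above before touching the live system.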