How to Set Up SSH to Authenticate off FreeRADIUS on CentOS 7

This guide will help you quickly set up SSH to use FreeRADIUS for authentication. Note that this is not fully automatic: a matching local user still has to exist on the system before they can log in over SSH, but that user gets no local password. The password check is delegated to FreeRADIUS.

Let's get started. First, install the packages needed to compile the pam_radius module:

yum install gcc pam pam-devel make -y

Once that has completed, download the pam_radius module onto your server:

wget https://src.fedoraproject.org/repo/pkgs/pam_radius/pam_radius-2.0.0.tar.gz

Decompress it:

tar -xzvf pam_radius-2.0.0.tar.gz

Move to its directory:

cd pam_radius-release_2_0_0

Compile it:

./configure
make

You should now have a file called pam_radius_auth.so. Copy it to /lib/security/ or /lib64/security/, depending on your system's architecture:

cp pam_radius_auth.so /lib64/security/

Create the configuration directory and copy the sample configuration file into it under the name "server":

mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server

Edit /etc/raddb/server and add your RADIUS server's IP address and the shared secret. Since this file holds the shared secret, keep it readable only by root.

# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
radius_server_IP    secret             3
#
# having localhost in your radius configuration is a Good Thing.

Now open /etc/pam.d/sshd and add an auth line for pam_radius_auth.so directly below the first auth line (pam_sepermit.so), so that it comes before the password-auth substack, as shown below:

#%PAM-1.0
auth	   required	pam_sepermit.so
auth       required     pam_radius_auth.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Save the file, and make sure this host is registered as a client in FreeRADIUS (with the same shared secret) so that it is allowed to send authentication requests.

That is pretty much it. All that remains is to create the user on the local system, like below:

useradd -d /home/premiervpn/ premiervpn

We do not set a local password for this user; that is what FreeRADIUS is for. The same username must exist in FreeRADIUS with a password for the login to match against.
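As an added example that is not part of the original guide, the POSIX shell script below verifies the result of the steps above on the host: that the module landed in the library directory, that /etc/raddb/server is owner-only readable, has at least one entry with a numeric timeout and no longer uses the sample secret "secret", that the auth line for pam_radius_auth.so sits before the password-auth substack in /etc/pam.d/sshd, and that the local account exists. It assumes the guide's paths and the username premiervpn; the environment overrides (MODULE_DIR, RADDB_SERVER, PAM_SSHD) and the --check switch are this script's own conventions.

```shell
#!/bin/sh
# Post-install checks for the pam_radius + sshd setup from the guide above.
# Added example, not part of the guide. Assumes the guide's paths; the
# environment overrides below are this script's own (hypothetical) convention.
MODULE_DIR=${MODULE_DIR:-/lib64/security}
RADDB_SERVER=${RADDB_SERVER:-/etc/raddb/server}
PAM_SSHD=${PAM_SSHD:-/etc/pam.d/sshd}

# check_module DIR: the compiled module must have been copied into DIR.
check_module() {
    mod="$1/pam_radius_auth.so"
    if [ ! -f "$mod" ]; then
        echo "FAIL: $mod not found (run make, then cp as in the guide)"
        return 1
    fi
    echo "OK: $mod present"
}

# check_server_file FILE: FILE holds the shared secret, so it must be
# readable only by its owner (root when created as in the guide); every
# entry needs a numeric timeout, and the sample secret "secret" must be gone.
check_server_file() {
    f="$1"
    srv_rc=0
    if [ ! -f "$f" ]; then
        echo "FAIL: $f missing"
        return 1
    fi
    mode=$(stat -c %a "$f")   # GNU/busybox stat, as on CentOS 7
    case "$mode" in
        600|400) echo "OK: $f mode $mode" ;;
        *) echo "FAIL: $f mode $mode; run chmod 600 $f"; srv_rc=1 ;;
    esac
    entries=0
    while read -r server secret timeout rest; do
        case "$server" in ''|\#*) continue ;; esac   # skip blanks and comments
        entries=$((entries + 1))
        if [ "$secret" = "secret" ]; then
            echo "FAIL: $server still uses the sample shared secret"
            srv_rc=1
        fi
        case "$timeout" in
            ''|*[!0-9]*) echo "FAIL: $server has a non-numeric timeout '$timeout'"; srv_rc=1 ;;
        esac
    done < "$f"
    if [ "$entries" -eq 0 ]; then
        echo "FAIL: no server entries in $f"
        srv_rc=1
    fi
    return $srv_rc
}

# check_pam_order FILE: the auth line for pam_radius_auth.so must exist and
# come before "auth substack password-auth", as in the guide's stack.
check_pam_order() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "FAIL: $f missing"
        return 1
    fi
    radius_ln=$(grep -En '^auth[[:space:]]+[a-z]+[[:space:]]+pam_radius_auth\.so' "$f" | head -n 1 | cut -d: -f1)
    substack_ln=$(grep -En '^auth[[:space:]]+substack[[:space:]]+password-auth' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$radius_ln" ]; then
        echo "FAIL: no auth line for pam_radius_auth.so in $f"
        return 1
    fi
    if [ -n "$substack_ln" ] && [ "$radius_ln" -gt "$substack_ln" ]; then
        echo "FAIL: pam_radius_auth.so (line $radius_ln) comes after the password-auth substack (line $substack_ln)"
        return 1
    fi
    echo "OK: pam_radius_auth.so on line $radius_ln, before password-auth"
}

# radius_control_flag FILE: print the control flag (required, sufficient, ...)
# used on the pam_radius_auth.so auth line.
radius_control_flag() {
    awk '$1 == "auth" && $3 ~ /pam_radius_auth\.so$/ { print $2; exit }' "$1"
}

# check_user NAME: the local account the guide creates with useradd must exist.
check_user() {
    if id "$1" >/dev/null 2>&1; then
        echo "OK: local user $1 exists"
    else
        echo "FAIL: local user $1 missing (useradd as in the guide)"
        return 1
    fi
}

main() {
    rc=0
    check_module "$MODULE_DIR" || rc=1
    check_server_file "$RADDB_SERVER" || rc=1
    check_pam_order "$PAM_SSHD" || rc=1
    check_user "$1" || rc=1
    if [ -f "$PAM_SSHD" ]; then
        echo "pam_radius_auth.so control flag: $(radius_control_flag "$PAM_SSHD")"
    fi
    return $rc
}

# Run everything with: sh check_pam_radius.sh --check [username]
if [ "${1:-}" = "--check" ]; then
    main "${2:-premiervpn}"
fi
```

The control flag is printed rather than judged: with `required`, as in the guide's stack, a RADIUS failure is remembered but PAM still evaluates the remaining auth modules, and on success the rest of the stack (including the password-auth substack) must also accept the user, so read pam.d(5) and the pam_radius documentation before changing it. The script does not look at sshd_config; sshd only consults PAM at all when it runs with UsePAM yes, which is the CentOS 7 default.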
