How to Set Up SSH to Authenticate off FreeRADIUS on CentOS 7

This guide will help you quickly set up SSH to use FreeRADIUS for authentication. Please remember this is not fully automatic, meaning we always have to add a user to the system for them to be able to log in to SSH; we don’t set a pass for the user in SSH. That’s where FreeRADIUS comes in.

Let’s get started. First, we need to install some packages required by the pam radius module to compile:

yum install gcc pam pam-devel make -y

Once that’s completed – let’s download the pam radius module onto your server


Decompress it:

tar -xzvf pam_radius-2.0.0.tar.gz

Move to its directory:

cd pam_radius-release_2_0_0

Compile it


Now you should have a file called “” you want to move this file to /lib/security/ or /lib64/security/ depending on what you’re running.

cp /lib64/security/

Create the configuration directory and copy the configuration file under the name ‘server’:

mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server

Edit /etc/raddb/server and add your radius server IP and the shared secret to this file.

# server[:port] shared_secret      timeout (s)       secret             1
radius_server_IP    secret             3
# having localhost in your radius configuration is a Good Thing.

Now open up /etc/pam.d/sshd and add the just before the top line like below:

auth	   required
auth       required
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional prepare
account    required
account    include      password-auth
password   include      password-auth
# close should be the first session rule
session    required close
session    required
# open should only be followed by sessions to be executed in the user context
session    required open env_params
session    required
session    optional force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional prepare

Save it and ensure you have added this server as a client in FreeRADIUS to allow this server to authenticate.

Now that’s you pretty much done, all you need to do now is create a user on the local system like below:

useradd -d /home/premiervpn/ premiervpn

We don’t add any password for this user. This is where FreeRADIUS comes in. You will need to use a password match in FreeRADIUS for this username. 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.