This guide walks through setting up SSH to authenticate users against FreeRADIUS through the pam_radius module. Keep in mind that this is not fully automatic: every user still needs a local account on the system before they can log in over SSH. What moves to FreeRADIUS is the password check, so no local password is set for the user.
Let's get started. First, install the packages the pam_radius module needs in order to compile:
yum install gcc pam pam-devel make -y
Once that has completed, download the pam_radius module onto your server:
wget https://src.fedoraproject.org/repo/pkgs/pam_radius/pam_radius-2.0.0.tar.gz
Decompress it:
tar -xzvf pam_radius-2.0.0.tar.gz
Move to its directory:
cd pam_radius-release_2_0_0
Compile it
./configure
make
You should now have a file called "pam_radius_auth.so". Copy it into /lib/security/ or /lib64/security/, depending on your architecture:
cp pam_radius_auth.so /lib64/security/
Create the configuration directory and copy the sample configuration file into it under the name 'server' (the path pam_radius_auth reads by default):
mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server
Edit /etc/raddb/server and add your RADIUS server's IP address and the shared secret. The secret must be the same one you configure for this host in FreeRADIUS's clients.conf, and because the file contains it, keep it readable by root only (mode 0600).
# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
radius_server_IP secret 3
#
# having localhost in your radius configuration is a Good Thing.
Now open /etc/pam.d/sshd and add a line for pam_radius_auth.so to the auth section, after pam_sepermit.so and before the `auth substack password-auth` line, as below. Mark it `sufficient` rather than `required`: with `sufficient`, a RADIUS Access-Accept satisfies the auth stack on its own, whereas with `required` PAM would go on to run the local pam_unix check inside password-auth as well, and since the user has no local password that check fails and the login is denied. The flip side of `sufficient` is that a RADIUS rejection falls through to the local password check, so keep local passwords locked for accounts that must authenticate through RADIUS only.
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
Save it. On the FreeRADIUS server, add this host as a client in clients.conf with the same shared secret; FreeRADIUS silently drops requests from hosts it does not know. Also check /etc/ssh/sshd_config: pam_radius_auth is reached through password authentication, so sshd needs UsePAM yes together with PasswordAuthentication yes (or ChallengeResponseAuthentication yes for keyboard-interactive). Keep an existing root session open while you test, so that a mistake in /etc/pam.d/sshd cannot lock you out.
That is pretty much it. All that remains is to create the user on the local system, like below:
useradd -d /home/premiervpn/ premiervpn
We do not set a password for this user; the password lives in FreeRADIUS. Add an entry for the same username (here premiervpn) to FreeRADIUS, in its users file or whichever backend it uses, with the password the user should log in with. FreeRADIUS's radtest utility can send a test Access-Request from this host to confirm the client entry and the password before you try SSH.
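Before relying on the PAM stack, it helps to confirm from this host that FreeRADIUS accepts the client entry, the shared secret and the user's password. The script below is an added example, not part of this guide or of the pam_radius project, that does by hand what radtest and pam_radius_auth do: it builds an Access-Request with the User-Password hidden as RFC 2865 describes (MD5 of the shared secret and the Request Authenticator, XORed into the 16-byte password blocks, chained block to block) and it verifies the Response Authenticator on the reply before trusting an Accept or Reject. The server address, port 1812, the username and the password are assumptions supplied on the command line; build_response is the server-side calculation, included so both ends of the exchange are visible and the verification can be exercised offline.

```python
import hashlib
import hmac
import secrets
import socket
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password as in RFC 2865 section 5.2: pad with NULs to a
    multiple of 16, then XOR each block with MD5(secret + previous block),
    where the 'previous block' for the first block is the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # the next keystream block depends on this ciphertext block
    return out


def pap_decrypt(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_encrypt (what the server does); strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; the length byte covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, request_auth, username, password, secret, nas_ip="127.0.0.1"):
    """Client side: an Access-Request carrying User-Name, hidden User-Password
    and NAS-IP-Address (nas_ip is an assumed value for this example)."""
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: only trust an Accept/Reject whose authenticator checks out
    under our shared secret; a mismatched secret or a spoofed packet fails here."""
    if len(response) < HEADER_LEN:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def check_credentials(server, secret, username, password, port=1812, timeout=3.0):
    """Send one Access-Request over UDP and classify the reply as 'accept',
    'reject', 'bad-authenticator' (secret mismatch or spoofed reply) or 'timeout'."""
    identifier = secrets.randbelow(256)
    request_auth = secrets.token_bytes(16)  # fresh per request, as the RFC requires
    request = build_access_request(identifier, request_auth, username, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    if response[1] != identifier or not verify_response(response, request_auth, secret):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "other")


if __name__ == "__main__":
    import sys
    # usage: python3 radius_check.py <server> <secret> <username> <password>
    print(check_credentials(sys.argv[1], sys.argv[2].encode(), sys.argv[3], sys.argv[4]))
```

Run it as `python3 radius_check.py <server> <secret> <username> <password>`. A 'timeout' usually means this host is not listed in the server's clients.conf (FreeRADIUS drops requests from unknown clients without replying) or a firewall is blocking UDP 1812; 'bad-authenticator' means the reply did not verify under the secret you supplied, so the two secrets differ; 'reject' means the client entry and secret are fine but the username or password is not.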