How to configure SSH authentication to a FreeRADIUS server

Find out how to configure FreeRADIUS as an SSH authentication server on Ubuntu.

If you have various admin users who log in to your Linux servers in your data center, you might want to have better control over the authentication of those accounts. Of course, one of the most secure methods is using SSH key authentication (which you should be using). But there might be an occasion that warrants using a central authentication server for SSH. Should that be the case, you can always make use of FreeRADIUS (see: How to install the daloRADIUS web-based interface for FreeRADIUS for instructions on how to install both FreeRADIUS and the web-based interface, daloRADIUS).

If that sounds like something you might want to try, read on.

What you’ll need

To make this authentication system work, you’ll need the following:

  • A functioning FreeRADIUS server
  • A user account with sudo privileges
  • IP Address(es) for servers to be logged into via SSH

For the purpose of this tutorial, I’ll be demonstrating on Ubuntu Server 18.04. The IP addresses I’ll use are:

  • 192.168.1.216 – FreeRADIUS server
  • 192.168.1.16 – Client Server A

How to install the necessary authentication package

The first thing to be done is to install and configure the necessary authentication package on Client Server A. Log in to that server and issue the command:

sudo apt-get install libpam-radius-auth

How to configure the client server

Once you’ve done that, configure libpam-radius-auth with the necessary information. Issue the command:

sudo nano /etc/pam_radius_auth.conf

In that file, look for the line:

127.0.0.1       secret 1

Below that line, add the following:

192.168.1.216 PASSWORD 3

Make sure to change the IP address to match that of your FreeRADIUS server and change PASSWORD to a strong, unique value. This value is the RADIUS shared secret between the client server and the FreeRADIUS server, not a user's login password.

Save and close the file.

Set the permissions for that file with the command:

sudo chmod 0600 /etc/pam_radius_auth.conf

Next we must configure the login requirements. To do that, issue the command:

sudo nano /etc/pam.d/login

Near the top of that file (under the auth optional pam_faildelay.so entry), add the following:

auth       sufficient pam_radius_auth.so

Save and close the file.

SSH logins are handled by their own PAM service file, so open it with the command:

sudo nano /etc/pam.d/sshd

In that file, locate the @include common-auth entry and add the following line above it:

auth       sufficient pam_radius_auth.so

Save and close the file.

Issue the command:

sudo nano /etc/pam.d/common-auth

Change the following line:

auth [success=1 default=ignore] pam_unix.so nullok_secure

To:

auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass

Save and close the file.

Finally, on Client Server A, add the usernames (without passwords) who will be logging in via SSH with the command:

sudo useradd -m USERNAME

Where USERNAME is the name of the user to be added.

How to configure the FreeRADIUS server

Now that you’re done with the client, let’s configure the server. On the FreeRADIUS server, issue the command:

sudo nano /etc/freeradius/3.0/clients.conf

In the Define Radius Clients section (near the top), add the following:

client A {
        ipaddr = 192.168.1.16
        secret = PASSWORD
}

Make sure to change the IP address to that of your client server and set PASSWORD as the same password you used in the pam_radius_auth.conf file on the client server.

Save and close the file.

Now we add users. Issue the command:

sudo nano /etc/freeradius/3.0/users

In that file, you’ll add a line for every user that needs to log into the client server. The line to be added (for each user) looks like:

USERNAME Cleartext-Password := "PASSWORD"

Where USERNAME is the user on the client server and PASSWORD is the password to be used for SSH login.

Add as many user entries as necessary, remembering that each user must have a password-less account on the client server.

Save and close the file.

Restart FreeRADIUS with the command:

sudo systemctl restart freeradius

At this point you should be able to SSH into the client server from any machine on your network with the credentials you've configured on the FreeRADIUS server.
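The configuration above has to agree on both sides: the shared secret in /etc/pam_radius_auth.conf on the client must equal the secret in the matching client stanza of clients.conf on the server, the PAM file must keep the secret private, and pam_radius_auth.so has to be consulted before @include common-auth. The following script is an added example, not part of the original article, that checks those three things against copies of the files before you touch /etc. It assumes POSIX sh with awk and find (the mode check uses find -perm, which is POSIX), and the sample files it builds in demo() are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): consistency checks for the
# two-sided configuration described above. File paths are passed in as
# arguments so the checks can run against copies before touching /etc.
set -u

# Build the line the article adds to /etc/pam_radius_auth.conf:
# "<radius server> <shared secret> <timeout in seconds>".
pam_radius_line() {
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# Build the stanza the article adds to /etc/freeradius/3.0/clients.conf.
freeradius_client_stanza() {
    printf 'client %s {\n\tipaddr = %s\n\tsecret = %s\n}\n' "$1" "$2" "$3"
}

# Print the shared secret configured for RADIUS server $2 in the
# pam_radius_auth.conf file $1 (one "server[:port] secret timeout" per line).
pam_radius_secret_for() {
    awk -v ip="$2" '
        /^[[:space:]]*(#|$)/ { next }
        { split($1, host, ":"); if (host[1] == ip) { print $2; exit } }
    ' "$1"
}

# Print the secret of the client stanza whose ipaddr equals $2 in the
# clients.conf file $1 (empty output when no stanza matches).
freeradius_secret_for() {
    awk -v ip="$2" '
        function value(line) {
            sub(/^[^=]*=[[:space:]]*/, "", line); sub(/[[:space:]]+$/, "", line)
            return line
        }
        /^[[:space:]]*client[[:space:]]/ { inblk = 1; a = ""; s = ""; next }
        inblk && /^[[:space:]]*ipaddr[[:space:]]*=/ { a = value($0) }
        inblk && /^[[:space:]]*secret[[:space:]]*=/ { s = value($0) }
        inblk && /^[[:space:]]*[}]/ { if (a == ip) { print s; exit } inblk = 0 }
    ' "$1"
}

# Return 0 when both files carry the same secret for this server/client pair
# and it is not the article's PASSWORD placeholder left in place.
secrets_match() {
    a=$(pam_radius_secret_for "$1" "$3")
    b=$(freeradius_secret_for "$2" "$4")
    [ -n "$a" ] && [ "$a" = "$b" ] && [ "$a" != "PASSWORD" ]
}

# Return 0 when the file is exactly mode 0600 (it holds the secret in clear text).
pam_radius_conf_mode_ok() {
    [ -n "$(find "$1" -prune -perm 0600 -print)" ]
}

# Return 0 when a PAM service file lists pam_radius_auth.so as an auth module
# before "@include common-auth", the ordering the article's edit produces.
pam_radius_before_common_auth() {
    awk '
        /^[[:space:]]*auth[[:space:]]/ && /pam_radius_auth\.so/ && !r { r = NR }
        /^[[:space:]]*@include[[:space:]]+common-auth/ && !c { c = NR }
        END { exit !(r && c && r < c) }
    ' "$1"
}

# Demonstration on constructed sample files in a scratch directory.
demo() {
    d=$(mktemp -d)
    pam_radius_line 192.168.1.216 'Long-Random-Shared-Secret' 3 > "$d/pam_radius_auth.conf"
    chmod 0600 "$d/pam_radius_auth.conf"
    freeradius_client_stanza A 192.168.1.16 'Long-Random-Shared-Secret' > "$d/clients.conf"
    printf 'auth       sufficient pam_radius_auth.so\n@include common-auth\n' > "$d/sshd"
    for check in \
        "pam_radius_conf_mode_ok $d/pam_radius_auth.conf" \
        "secrets_match $d/pam_radius_auth.conf $d/clients.conf 192.168.1.216 192.168.1.16" \
        "pam_radius_before_common_auth $d/sshd"; do
        if $check; then echo "PASS: ${check%% *}"; else echo "FAIL: ${check%% *}"; fi
    done
    rm -rf "$d"
}

demo
```

To check a real deployment, copy the three files off the hosts and call secrets_match, pam_radius_conf_mode_ok and pam_radius_before_common_auth with those paths; a non-zero return from any of them points at the side of the configuration that still needs attention.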
