Radius PAM RHEL8 Authentication for SSH
Step-by-Step Guide to Configure pam_radius on RHEL
Make sure that the machine has access to the FreeRADIUS server. The Veridium FreeRADIUS service is not available on the internet, only on the intranet. Changing the Logon and Unlock modules can lock users out of the machine when the FreeRADIUS server cannot be reached (e.g. if FreeRADIUS is available only through VPN), so test the SSH configuration first from a second session before touching local login.
1. Install Required Packages
First, install the pam_radius module (on RHEL 8 the package comes from the EPEL repository, so enable EPEL first if dnf cannot find it):
sudo dnf install pam_radius
This will install the PAM module: /lib64/security/pam_radius_auth.so
2. Edit the RADIUS Configuration File
Edit the configuration file for the PAM RADIUS module:
sudo nano /etc/raddb/server
Or depending on the version, it might be:
sudo nano /etc/pam_radius.conf
# server[:port] shared_secret timeout (s) source_ip vrf
IPWEBAPP1:1812 PasswordFromVeridium 30
IPWEBAPP2:1812 PasswordFromVeridium 30
IPWEBAPP1 and IPWEBAPP2 are the IP addresses of the Veridium servers; the servers are tried in the order listed, each for at most the configured timeout.
PasswordFromVeridium is the shared secret configured for this client in Veridium. Because the file holds the shared secret, keep it readable by root only (mode 0600). See this link on how to configure a FreeRADIUS Veridium client: https://docs.veridiumid.com/docs/v3.7.2/freeradius-service-configuration
3. Configure PAM to Use RADIUS
Edit the PAM service configuration file. For example, to enable RADIUS for sshd:
sudo nano /etc/pam.d/sshd
Add this line at the top (before any auth lines that allow local access):
auth sufficient pam_radius_auth.so
4. Enable ChallengeResponseAuthentication and disable SSH Key Authentication
Edit the SSH daemon config to allow PAM:
sudo nano /etc/ssh/sshd_config
Ensure the following lines are set:
ChallengeResponseAuthentication yes
UsePAM yes
#AuthenticationMethods publickey
PubkeyAuthentication no
Restart SSH:
sudo systemctl restart sshd
5. Keep SSH Keys but Require 2FA (RADIUS After SSH Key)
Allow SSH key login as usual.
Use PAM to enforce a second factor via RADIUS.
In /etc/pam.d/sshd, use:
auth sufficient pam_radius_auth.so
And in /etc/ssh/sshd_config, ensure:
AuthenticationMethods publickey,keyboard-interactive
PubkeyAuthentication yes
This tells SSH: "Even if they have a key, also ask for keyboard-interactive (PAM)."
Note that with sufficient, a RADIUS failure falls through to the remaining auth modules in the file (on RHEL the password-auth substack), so the keyboard-interactive step can still be satisfied by the local password; use required instead if the RADIUS factor must never be bypassable.
Restart SSH:
sudo systemctl restart sshd
6. Login with Password and Require 2FA (RADIUS after password) for all non-root users.
Allow password login as usual.
Use PAM to enforce a second factor via RADIUS.
In /etc/pam.d/sshd, use:
# 1. local password check, always performed
auth required pam_unix.so
# 2. uid < 1000 (root and system accounts): succeed and skip the next module, i.e. skip RADIUS
auth [success=1 default=ignore] pam_succeed_if.so uid < 1000
# 3. everyone else must also pass the RADIUS (Veridium) factor; force_prompt asks for it separately
#    instead of reusing the password already typed, prompt= sets the prompt text
auth required pam_radius_auth.so force_prompt prompt=veridium
auth substack password-auth
auth include postlogin
And in /etc/ssh/sshd_config, ensure:
PermitRootLogin yes
PubkeyAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
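Before restarting sshd in steps 4 to 6 it is worth checking the two files the steps edit, because a malformed server line or a directive that sshd does not pick up leaves the box either open or locked out. The script below is an added example, not part of this guide or of pam_radius/Veridium. It validates the "server[:port] shared_secret timeout" lines of the pam_radius config (port and timeout numeric, secret long enough and not a placeholder) and checks an sshd_config for the directives each mode needs. It relies on the fact that sshd keeps the FIRST value it reads for a directive, so a correct line appended below an earlier wrong one changes nothing. All sample files and secrets are constructed for the example; IPWEBAPP1/IPWEBAPP2 are placeholders.

```shell
#!/bin/sh
# Pre-flight checks for the pam_radius + sshd setup (added example, not project code).
# Assumptions: pam_radius config layout "server[:port] shared_secret timeout";
# sshd uses the first occurrence of a directive. Sample data below is constructed.

# Validate one server line. Prints "ok <host> <port> <timeout>" and returns 0,
# or prints "bad: ..." and returns 1.
check_radius_line() {
    line=$1
    set -- $line
    [ $# -ge 3 ] || { echo "bad: expected 'server[:port] secret timeout' in: $line"; return 1; }
    server=$1; secret=$2; timeout=$3
    case "$server" in
        *:*) host=${server%%:*}; port=${server##*:} ;;
        *)   host=$server; port=1812 ;;          # pam_radius defaults to UDP 1812
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad: non-numeric port '$port' for $host"; return 1 ;;
    esac
    case "$timeout" in
        ''|*[!0-9]*) echo "bad: non-numeric timeout '$timeout' for $host"; return 1 ;;
    esac
    # pam_radius waits 'timeout' seconds per server before trying the next, so with
    # N unreachable servers the login stalls N*timeout seconds; keep the total below
    # sshd's LoginGraceTime or the connection is dropped before the prompt returns.
    [ "$timeout" -le 10 ] || echo "warn: timeout ${timeout}s for $host adds up across servers; compare with LoginGraceTime" >&2
    # A short or obviously placeholder secret leaves the RADIUS exchange weakly protected.
    [ ${#secret} -ge 16 ] || { echo "bad: shared secret for $host is shorter than 16 characters"; return 1; }
    case "$secret" in
        *[Pp]ass[wp]ord*|*[Cc]hangeme*) echo "bad: shared secret for $host looks like a placeholder"; return 1 ;;
    esac
    echo "ok $host $port $timeout"
}

# Check every server line of a pam_radius config file; comments and blank lines are skipped.
check_radius_conf() {
    bad=0
    while IFS= read -r l; do
        case "$l" in ''|\#*) continue ;; esac
        check_radius_line "$l" || bad=$((bad + 1))
    done < "$1"
    echo "servers with problems: $bad"
    [ "$bad" -eq 0 ]
}

# sshd keeps the FIRST value it reads for a directive, so compare against the first match.
want_directive() {   # want_directive <file> <key> <expected-value>
    got=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    [ "$got" = "$3" ] && return 0
    echo "bad: want '$2 $3', have '$2 ${got:-<unset>}'"
    return 1
}

# Check an sshd_config for the directives a mode needs:
#   key2fa = SSH key plus RADIUS (step 5), pw2fa = password plus RADIUS (step 6).
check_sshd_config() {
    file=$1; mode=$2; rc=0
    want_directive "$file" UsePAM yes || rc=1
    want_directive "$file" ChallengeResponseAuthentication yes || rc=1
    case "$mode" in
        key2fa)
            want_directive "$file" PubkeyAuthentication yes || rc=1
            want_directive "$file" AuthenticationMethods publickey,keyboard-interactive || rc=1 ;;
        pw2fa)
            want_directive "$file" PubkeyAuthentication no || rc=1
            want_directive "$file" PasswordAuthentication yes || rc=1 ;;
        *) echo "bad: unknown mode '$mode'"; return 2 ;;
    esac
    return $rc
}

# Constructed sample files (not real configs) so the checks run offline.
SAMPLE_RADIUS=$(mktemp)
cat > "$SAMPLE_RADIUS" <<'EOF'
# server[:port] shared_secret timeout (s) source_ip vrf
IPWEBAPP1:1812 cOnStRuCtEd-sample-key-0001 3
IPWEBAPP2 cOnStRuCtEd-sample-key-0002 3
EOF

# The trailing "PubkeyAuthentication yes" is deliberately ignored by sshd (first value wins).
SAMPLE_SSHD_PW=$(mktemp)
cat > "$SAMPLE_SSHD_PW" <<'EOF'
PermitRootLogin yes
PubkeyAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
PubkeyAuthentication yes
EOF

check_radius_conf "$SAMPLE_RADIUS"
check_sshd_config "$SAMPLE_SSHD_PW" pw2fa && echo "sshd_config: ok for password + RADIUS"
check_sshd_config "$SAMPLE_SSHD_PW" key2fa || echo "sshd_config: not set up for key + RADIUS (expected for this sample)"
```

To use it on a real host, point check_radius_conf at /etc/pam_radius.conf (or /etc/raddb/server) and check_sshd_config at /etc/ssh/sshd_config with the mode you configured, then run sshd -t as well, since this script only checks the directives the guide touches, not the whole file syntax.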
Working /etc/ssh/sshd_config example:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
SyslogFacility AUTHPRIV
LoginGraceTime 60
PermitRootLogin yes
MaxAuthTries 10
PubkeyAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
AllowTcpForwarding no
X11Forwarding no
PermitUserEnvironment no
ClientAliveInterval 600
UseDNS no
Banner /etc/issue.net
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server