These instructions were written specifically for setting up two-factor authentication with WiKID, but can be applied to any PAM setup.
First, you need to install PAM Radius. The PAM Radius home page is here.
Download the tar file (as of this writing 1.4.0 was the latest).
Build the library:
tar -xzvf pam-radius-x.x.x.tar.gz
Copy the resulting shared library to /lib/security:
$ sudo cp pam_radius_auth.so /lib/security/
Or for 64-bit systems:
$ sudo cp pam_radius_auth.so /lib64/security/
Edit /etc/pam.d/sshd to allow Radius authentication:
$ sudo vi /etc/pam.d/sshd
N.B.: Linux distributions use different pam.d file formats. Please check with your distribution for specific suggestions. These instructions work for Fedora/Red Hat/CentOS.
Go to the first line of the file, hit the Insert key or the i key and insert this line:
auth required /lib/security/pam_radius_auth.so
The line above uses the “required” control flag. If you use “sufficient” instead, a successful Radius authentication means no additional authentication is required, but if the Radius authentication fails, a username and password from the system will still work. We recommend “required” to enforce strong authentication.
Write the file and quit. Hit the Esc key to exit insert mode and type “:wq”
Edit or create your /etc/raddb/server file. There is a sample here.
Below the line:
127.0.0.1 secret 1
Add this line, substituting your routableIPaddress:
routableIPaddress shared_secret 1
Assuming that you already have a domain you would like to use, configure a network client with the routableIPaddress and the shared secret you used in the /etc/raddb/server file. You will have to stop and start the WiKID server after configuring the new Radius Network Client.
Set up a WiKID Strong Authentication client and log in using WiKID ;).
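Before relying on the new setup, the two files edited above can be checked with a short script. This is an added example, not part of the original instructions or of WiKID's own tooling; the function names, the 192.0.2.10 address and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page); function names are illustrative.
# Paths are arguments so the checks can be run on copies of the live files.

# Print the control flag of the first active auth line loading pam_radius_auth.so.
radius_control_flag() {
    awk '$1 == "auth" && /pam_radius_auth\.so/ { print $2; exit }' "$1"
}

# Succeed only if RADIUS is the first auth line and cannot be bypassed.
check_pam_stack() {
    first=$(awk '$1 == "auth" { print; exit }' "$1")
    case "$first" in
        *pam_radius_auth.so*) ;;
        *) echo "FAIL: pam_radius_auth.so is not the first auth line"; return 1 ;;
    esac
    flag=$(radius_control_flag "$1")
    case "$flag" in
        required|requisite) echo "OK: RADIUS is $flag"; return 0 ;;
        *) echo "FAIL: '$flag' allows fallback to the system password"; return 1 ;;
    esac
}

# Succeed only if the file holding the shared secret is private to its owner
# and the page's placeholders (routableIPaddress, shared_secret) were replaced.
check_server_file() {
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $1 is accessible to group or others"; return 1
    fi
    if awk '$1 !~ /^#/ && ($1 == "routableIPaddress" || $2 == "shared_secret") { f = 1 } END { exit !f }' "$1"; then
        echo "FAIL: placeholder values left in $1"; return 1
    fi
    echo "OK: $1"
}

# Constructed sample files: a weak stack next to the recommended one.
demo() {
    d=$(mktemp -d)
    printf 'auth sufficient /lib/security/pam_radius_auth.so\nauth include password-auth\n' > "$d/weak"
    printf 'auth required /lib/security/pam_radius_auth.so\nauth include password-auth\n' > "$d/strong"
    printf '127.0.0.1 secret 1\n192.0.2.10 s3cr3t-constructed 1\n' > "$d/server"
    chmod 600 "$d/server"
    check_pam_stack "$d/weak" || true
    check_pam_stack "$d/strong"; check_server_file "$d/server"
    rm -rf "$d"
}
demo
```

On a live system, call check_pam_stack /etc/pam.d/sshd and check_server_file /etc/raddb/server as root instead of demo.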
The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.