Pam Radius How to

How to use WiKID Strong Authentication for SSH logins on Linux using PAM

These instructions were written specifically for setting up two-factor authentication with WiKID, but can be applied to any PAM setup.

First, you need to install PAM Radius. The PAM Radius home page is here.

Download the tar file (as of this writing 1.3.17 was the latest).


$ make

Copy the resulting shared library to /lib/security:

$ sudo cp /lib/security/

Edit /etc/pam.d/sshd to allow Radius authentication:

$ sudo vi /etc/pam.d/sshd

N.B.: Linux distributions have different pam.d file formats. Please check with your distribution for specific suggestions. These instructions work for Fedora/Red Hat/CentOS.

Go to the first line of the file, hit the Insert key or the i key and insert this line:

auth        sufficient     /lib/security/

The “sufficient” control flag indicates that if the Radius authentication succeeds, no additional authentication will be required. However, if the Radius authentication fails, a username and password from the system will still work. Use “required” to require strong authentication.

Write the file and quit: hit the Esc key to exit insert mode, then type “:wq”.
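The difference between “sufficient” and “required” can be checked with a small model of how PAM walks the auth stack. This is an added example, not code from WiKID or PAM Radius; the module file name pam_radius_auth.so, the use of pam_unix.so for the system password check, and both two-line stacks are assumptions constructed for illustration.

```python
import os

# Constructed, simplified auth stacks (not a real distribution's /etc/pam.d/sshd).
# Assumption: the PAM Radius build produces pam_radius_auth.so; pam_unix.so
# stands in for the system username/password check.
SUFFICIENT_STACK = """\
auth  sufficient  /lib/security/pam_radius_auth.so
auth  required    pam_unix.so
"""
REQUIRED_STACK = """\
auth  required    /lib/security/pam_radius_auth.so
auth  required    pam_unix.so
"""

def evaluate_auth(stack_text, outcomes):
    """Return True if the auth stack grants access.

    outcomes maps module file name -> True (module succeeded) / False (failed).
    Models the classic control flags only: required, requisite,
    sufficient, optional.
    """
    required_failed = False
    any_success = False
    for line in stack_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue  # skip comments, blanks and non-auth module types
        control, module = fields[1].lower(), os.path.basename(fields[2])
        ok = outcomes[module]
        if control == "sufficient":
            if ok and not required_failed:
                return True  # stop here, later modules never run
            # a sufficient failure is ignored and the stack continues
        elif control == "requisite":
            if not ok:
                return False  # fail immediately
            any_success = True
        elif control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True  # keep going, but the result is failure
        # "optional" results do not change the outcome in this simplified model
    return any_success and not required_failed

if __name__ == "__main__":
    otp_bad_pw_good = {"pam_radius_auth.so": False, "pam_unix.so": True}
    print("sufficient:", evaluate_auth(SUFFICIENT_STACK, otp_bad_pw_good))
    print("required:  ", evaluate_auth(REQUIRED_STACK, otp_bad_pw_good))
```

In this model, a stack with two “required” lines demands both the Radius passcode and the system password, so adjust the remaining lines of your own stack to match the login policy you want.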

Edit or create your /etc/raddb/server file.  There is a sample here.

$ sudo vi /etc/raddb/server

Below the line:       secret      1

Add this line, substituting your routableIPAddress:

routableIPaddress      shared_secret      1

Assuming that you already have a domain you would like to use, configure a network client with the routableIPaddress and the shared secret you used in the /etc/raddb/server file. You will have to stop and start the WiKID server after configuring the new Radius Network Client.

Set up a WiKID Strong Authentication client and log in using WiKID ;).

The WiKID Strong Authentication System is a very reasonably priced two-factor authentication solution. We invite you to learn more about our technology and architecture and to download and test the Enterprise version.
