How to configure Pam-radius in Ubuntu

The best way to add two-factor authentication to any system is by using strong standard protocols.

Each flavor of linux handles PAM slightly differently.  This tutorial covers how to install pam-radius for two-factor authentication on Ubuntu.

First, install the package:

$ sudo apt-get install libpam-radius-auth

That was pretty painless. Now let's configure it.  First, let's tell pam_radius which radius server to talk to:

$ sudo vim /etc/pam_radius_auth.conf 

Note that the file says to copy it to /etc/raddb/server, but DO NOT do that.

Edit the line "other-server    other-secret       3"  replacing 'other-server' with IP address or hostname of your WiKID Strong Authentication server (or radius server if you have one set up in between WiKID and your servers) and change 'other-secret' the shared secret for this network client.

Now that the package is setup and pointing to your WiKID server, let's configure a service to use it.

Edit your /etc/pam.d/sshd file and add the line:

auth       sufficient  pam_radius_auth.so

Just above:

# Standard Un*x authentication.
@include common-auth

Now, you are ready to test. I recommend you run 'tail -f /var/log/auth.log' while you test.

Note that we have not made any changes to the account setup, so the user is expected to have a local account on the machine or you can configure that via LDAP auth using windbind to AD.  For a tutorial on configuring pam_radius for two-factor authentication on Redhat flavors of Linux, please see this guide.

 

Did this free content help you?  Please share it with others via Twitter!

Need two-factor authentication? Download a free trial of the WiKID Strong Authentication Server today!

Thanks for responding so fast! Great service.

INFOSEC PRO
SAN DIEGO, USA