How can I use PAM + RADIUS authentication for SSH access on Linux? Skip to main content
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Merwyn CarrillosMerwyn Carrillos 

How can I use PAM + RADIUS authentication for SSH access on Linux?


I would like to replicate this exact setup:

Is there a specific PAM module I have to use? We already have a few RADIUS Agents on AD servers that are used when authenticating via VPN. Does anyone have experience setting this up? Any guides or references that you used that could make my life a bit easier? 

Robert AlsuaRobert Alsua (Okta, Inc.)
Hi Merwyn,

I want to let you know that the setup you are looking for is not recommended by Okta because it can have some security concerns. 

If this is what you are seeking these are the steps :
Enabling Linux PAM RADIUS Auth
sudo apt-get install libpam-radius-auth
sudo vim /etc/pam_radius_auth.conf
Comment out other Radius server pointing to localhost
Add our own Radius server (tab separated) and give us 30 seconds to return a response   this_password_should_be_30_plus_chars_long   30
sudo vim /etc/pam.d/sshd
add the following line:
auth sufficient
above already existing line
@include common-auth
sudo vim /etc/ssh/sshd_config
uncomment or add:
ChallengeResponseAuthentication yes
restart ssh
sudo service ssh restart or pkill -HUP ssh
Testing Authentication
Create user for linux (No Password) that matches a valid Okta user
useradd -m oktauser
Note: you can create user names with @ in them and it will work in linux and Okta
Note: username might be, but you can create one that matches just the first part and it will authenticate (might be non-deterministic when 2 people have the same user name but different domains)
Watch the Logs and Login
tail -f /var/log/auth or /var/log/secure
ssh oktauser@
RFC Details
The NAS and RADIUS server share a secret. That shared secret followed by the Request Authenticator is put through a one-way MD5 hash to create a 16 octet digest value which is xored with the password entered by the user, and the xored result placed in the User-Password attribute in the Access-Request packet.

Thank you!
Les StroudLes Stroud
Since you have security concerns about this approach, is there another way to use Okta (and Okta MFA) to provide authentication for a linux server?