How can I use PAM + RADIUS authentication for SSH access on Linux?
I would like to replicate this exact setup: https://www.youtube.com/watch?v=q85XSvhN-NY
Is there a specific PAM module I have to use? We already have a few RADIUS Agents on AD servers that are used when authenticating via VPN. Does anyone have experience setting this up? Any guides or references that you used that could make my life a bit easier?
I want to let you know that the setup you are looking for is not recommended by Okta because it can have some security concerns.
If this is what you are seeking, these are the steps:
Enabling Linux PAM RADIUS Auth

    sudo apt-get install libpam-radius-auth
    sudo vim /etc/pam_radius_auth.conf

Comment out the other RADIUS server entry pointing to localhost. Add our own RADIUS server (tab separated) and give it 30 seconds to return a response:

    10.1.1.1:1812	this_password_should_be_30_plus_chars_long	30

    sudo vim /etc/pam.d/sshd

Add the following line above the already existing line "@include common-auth":

    auth sufficient pam_radius_auth.so

    sudo vim /etc/ssh/sshd_config

Uncomment or add:

    ChallengeResponseAuthentication yes

Restart ssh:

    sudo service ssh restart

or

    pkill -HUP sshd

Testing Authentication

Create a user for Linux (no password) that matches a valid Okta user:

    useradd -m oktauser

Note: you can create user names with @ in them and it will work in Linux and Okta.

Note: the username might be firstname.lastname@example.org, but you can create one that matches just the first part and it will authenticate (might be non-deterministic when 2 people have the same user name but different domains).

Watch the logs and log in:

    tail -f /var/log/auth.log   (or /var/log/secure)
    ssh email@example.com
RFC Details: https://tools.ietf.org/html/rfc2865

The NAS and RADIUS server share a secret. That shared secret followed by the Request Authenticator is put through a one-way MD5 hash to create a 16 octet digest value which is xored with the password entered by the user, and the xored result placed in the User-Password attribute in the Access-Request packet.
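As an added example, not part of the original answer, here is the RFC 2865 section 5.2 User-Password hiding the quoted paragraph describes, implemented in Python with a constructed shared secret and Request Authenticator. It makes clear why the secret in /etc/pam_radius_auth.conf must be long: the only thing protecting the password in a captured Access-Request is MD5 over that secret, so a short or guessable one can be checked offline.

```python
import hashlib


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: return the hidden User-Password attribute value.

    The cleartext is null-padded to a multiple of 16 octets; each block is
    XORed with MD5(secret + previous ciphertext block), the first block using
    the 16-octet Request Authenticator in place of a previous block.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], _md5(secret + prev))
        out += block
        prev = block  # chaining: the next key depends on this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor16(block, _md5(secret + prev))
        prev = block
    return bytes(out).rstrip(b"\x00")


# Constructed sample values for this example, not from any real deployment.
SECRET = b"this_password_should_be_30_plus_chars_long"
REQUEST_AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> bool:
    """Round trip with the right secret; a wrong secret yields garbage."""
    hidden = hide_user_password(b"correct horse battery", SECRET, REQUEST_AUTHENTICATOR)
    ok = reveal_user_password(hidden, SECRET, REQUEST_AUTHENTICATOR) == b"correct horse battery"
    wrong = reveal_user_password(hidden, b"guess", REQUEST_AUTHENTICATOR) != b"correct horse battery"
    return ok and wrong


if __name__ == "__main__":
    print("round trip ok:", demo())
```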