Okta Classic Engine | Multi-Factor Authentication | Answered | 2018-01-10 / 2019-11-27 / 2024-04-30
How can I use PAM + RADIUS authentication for SSH access on Linux?
Hi!

I would like to replicate this exact setup: https://www.youtube.com/watch?v=q85XSvhN-NY

Is there a specific PAM module I have to use? We already have a few RADIUS Agents on AD servers that are used when authenticating via VPN. Does anyone have experience setting this up? Any guides or references that you used that could make my life a bit easier?

Thanks!

  • j5v7c (j5v7c)

    Hi Merwyn,

    I want to let you know that the setup you are looking for is not recommended by Okta because it can have some security concerns.

    If this is what you are seeking, these are the steps:

    Enabling Linux PAM RADIUS Auth

        sudo apt-get install libpam-radius-auth
        sudo vim /etc/pam_radius_auth.conf

    Comment out the other RADIUS server pointing to localhost. Add our own RADIUS server (tab separated) and give us 30 seconds to return a response:

        10.1.1.1:1812   this_password_should_be_30_plus_chars_long   30

        sudo vim /etc/pam.d/sshd

    Add the following line:

        auth sufficient pam_radius_auth.so

    above the already existing line:

        @include common-auth

        sudo vim /etc/ssh/sshd_config

    Uncomment or add:

        ChallengeResponseAuthentication yes

    Restart ssh:

        sudo service ssh restart   (or: pkill -HUP ssh)

    Testing Authentication

    Create a Linux user (no password) that matches a valid Okta user:

        useradd -m oktauser

    Note: you can create user names with @ in them and it will work in Linux and Okta.

    Note: the username might be oktauser@okta.com, but you can create one that matches just the first part and it will authenticate (might be non-deterministic when 2 people have the same user name but different domains).

    Watch the logs and log in:

        tail -f /var/log/auth   (or /var/log/secure)
        ssh oktauser@127.0.0.1

    RFC Details

    https://tools.ietf.org/html/rfc2865

    The NAS and RADIUS server share a secret. That shared secret followed by the Request Authenticator is put through a one-way MD5 hash to create a 16 octet digest value which is xored with the password entered by the user, and the xored result placed in the User-Password attribute in the Access-Request packet.

    Thank you!
  • LesS.97640 (Customer)

    Robert,

    Since you have security concerns about this approach, is there another way to use Okta (and Okta MFA) to provide authentication for a Linux server?
  • JeffreyC.65895 (Customer)

    I have the same question. What exactly are the "security concerns" referenced here?

  • gy2d7 (gy2d7)

    @jeffrey

    MD5 is broken and it's almost equivalent to sending passwords in cleartext. It's even worse in this scenario, as this is a password to the SSO solution, effectively granting access to all Okta-integrated applications.
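To make the RFC 2865 User-Password mechanism discussed in this thread concrete, here is an added Python example (not code from the thread, from Okta, or from the pam_radius_auth project) that performs the hiding a NAS does before sending an Access-Request and the reversal the RADIUS server does, including the block chaining used for passwords longer than 16 octets. The Request Authenticator is a constructed value; the shared secret is the placeholder from the sample config above.

```python
import hashlib

# Added example: RFC 2865 section 5.2 User-Password hiding, as done by the NAS
# (the pam_radius_auth module here) and reversed by the RADIUS server.
# The Request Authenticator below is a constructed sample value.

def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Obfuscate a cleartext password for the User-Password attribute."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets before padding")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # NUL-pad to a multiple of 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        # b(i) = MD5(S + c(i-1)); c(0) is the Request Authenticator (sent in the clear).
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return out

def unhide_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Recover the password the way the RADIUS server does. The only input
    not visible on the wire is the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return out.rstrip(b"\x00")  # strip the NUL padding the NAS added

if __name__ == "__main__":
    secret = b"this_password_should_be_30_plus_chars_long"  # placeholder from the sample config
    authenticator = bytes(range(16))  # constructed; a real NAS uses 16 random octets
    pw = b"correct horse battery staple"  # 28 octets -> two 16-octet chunks
    hidden = hide_user_password(pw, secret, authenticator)
    print(len(hidden), hidden.hex())
    print(unhide_user_password(hidden, secret, authenticator))
```

Every keystream octet derives from the shared secret and the Request Authenticator, which travels in the clear, so confidentiality of the user's Okta password on the wire rests on the secret's strength and on who can observe the path between the Linux host and the RADIUS agent.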
