Here is my configuration information for authenticating an SSH session with RADIUS with PAM.
http://www.freeradius.org/pam_radius_auth/
Edit /etc/pam.d/sshd
#%PAM-1.0
# auth required pam_stack.so service
auth required pam_radius_auth.so
#auth required pam_nologin.so
#account required pam_stack.so service=system-auth
account required pam_radius_auth.so
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
Copy the pam_radius_auth.so module to /lib/security
Create a directory /etc/raddb
Create a file called /etc/raddb/server
Edit /etc/raddb/server
# pam_radius_auth configuration file. Copy to: /etc/raddb/server
#
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 3 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout]
#
# the port name or number is optional. The default port name is
# "radius", and is looked up from /etc/services The timeout field is
# optional. The default timeout is 3 seconds.
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to response is it skipped,
# and the next server in turn is used.
#
# The timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond.
#
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
#other-server other-secret 3
10.1.123.15:1812 radiussecret 3
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.
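Added example, not part of the original post and not pam_radius_auth's own code: a small audit of /etc/raddb/server that parses the "server[:port] secret [timeout]" lines as the file's comments describe them and flags any owner or mode that lets someone other than root read the shared secret. The function names and the exact parsing rules are this example's assumptions.

```python
import os
import stat

DEFAULT_PORT = "radius"   # per the file's comments: looked up in /etc/services
DEFAULT_TIMEOUT = 3       # seconds, per the file's comments

def parse_servers(text):
    """Return (entries, errors) for 'server[:port] secret [timeout]' lines."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        fields = line.split()
        if len(fields) not in (2, 3):
            errors.append(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
            continue
        host, _, port = fields[0].partition(":")
        timeout = DEFAULT_TIMEOUT
        if len(fields) == 3:
            if not fields[2].isdigit():
                errors.append(f"line {lineno}: timeout is not a number")
                continue
            timeout = int(fields[2])
        entries.append({"host": host, "port": port or DEFAULT_PORT,
                        "secret": fields[1], "timeout": timeout})
    return entries, errors

def check_access(path):
    """Flag anything looser than 'readable by root, and NO ONE else'."""
    st = os.stat(path)
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit exposes the shared secret
        problems.append(f"mode {mode:o} lets group/other access the shared secret")
    if st.st_uid != 0:
        problems.append(f"owned by uid {st.st_uid}, not root")
    return problems

def audit(path):
    with open(path) as fh:
        entries, errors = parse_servers(fh.read())
    return entries, errors + check_access(path)

if __name__ == "__main__":
    import sys
    entries, problems = audit(sys.argv[1] if len(sys.argv) > 1 else "/etc/raddb/server")
    for e in entries:
        print(f"{e['host']}:{e['port']} timeout={e['timeout']}s")  # secret is never printed
    for p in problems:
        print("PROBLEM:", p)
```

Run it as root against the real file; each server is listed in the order the file gives them, which is the order the comments say they are tried.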

