Friday, September 25, 2009

Configure RADIUS Authentication for SSH Login on CentOS 5.2 Linux

Using the plug-in, modular nature of PAM we can get a Linux server to use RADIUS to authenticate users connecting via SSH. This guide tells you how to set up a CentOS 5.2 server as your RADIUS "client" and Juniper Steel-Belted Radius as your RADIUS authentication "server". We are going to use the pam_radius_auth module from FreeRADIUS to provide the mechanism for authenticating SSH logins against a RADIUS box.

For this example my environment consists of

A CentOS 5.2 RADIUS client called "cyclone"
A Steel-Belted Radius server called "turbo"
A username of dave

Of course you will change these silly names to the hostnames or IP addresses that suit your own setup.

Preparation

We have to build a RADIUS client module for our CentOS Linux server, so some preparation is required on this box to enable us to do that. It isn't as complex as it sounds.

1. Install the correct development tools

Since the pam_radius_auth security module is not available in the mighty yum repository, we have to build it ourselves from the source files. To do this we need the correct C compiler, which can be installed via yum using the following command:

yum install gcc-c++

After a little while the C compiler will be installed and ready for use. The next requirement is the PAM development package. This is also installed via yum with this command:

yum install pam-devel

2. Download the pam Radius source files.

You need to download the radius pam module here ftp://ftp.freeradius.org/pub/radius/

Choose the file pam_radius-1.3.17.tar.gz

This is done easily via the wget command. So from the centos machine run

wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz

download this to a temporary folder where you can build the software from

I chose a directory called pam under my root users home directory

/root/pam

Once the file is downloaded unzip the file with gunzip

using the command

gunzip /root/pam/pam_radius-1.3.17.tar.gz

untar the file using the command

tar -xvf /root/pam/pam_radius-1.3.17.tar

this should then unpack the contents into a directory structure like this

/root/pam/pam_radius-1.3.17

change to this directory and type

make

the system should then compile with something like the following output:


cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function ‘talk_radius’:
pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
pam_radius_auth.c: In function ‘pam_sm_authenticate’:
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
cc -Wall -fPIC -c -o md5.o md5.c
ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

this should create a file called

pam_radius_auth.so

copy this to the /lib/security/ folder.

Configure the CentOS Server to use RADIUS Authentication

1. Create the user you wish to log in as on the CentOS system. I am creating one called "dave" for this example.
useradd -d /home/dave/ dave

NOTE: There is no reason to set a password for this Unix user, as you will be using your RADIUS account to provide the password.

2. Create the client configuration file folder structure.
Create a directory under the /etc folder called raddb.
So you have a directory path which looks like /etc/raddb
This is done like so
mkdir /etc/raddb

3. Copy the sample client configuration file pam_radius_auth.conf to /etc/raddb/server
This sample file is found in the unarchived folder you downloaded earlier. In my example I would run:
cp /root/pam/pam_radius-1.3.17/pam_radius_auth.conf /etc/raddb/server

4. Edit /etc/raddb/server to match the RADIUS server "turbo".

Open /etc/raddb/server in an editor such as vi
Under the section that looks like

# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
other-server other-secret 3

Add a line that represents your RADIUS server. You will need to enter your server's hostname or IP address and a shared secret, which you will need to assign both in this file and on your RADIUS server. So make a note of this password.

I am going to add my RADIUS server "turbo" and specify a shared secret of "s3cret". After editing, my file looks like this:


# server[:port] shared_secret timeout (s)
127.0.0.1 secret 1
turbo s3cret 3

Now edit the /etc/pam.d/sshd file. This file controls the authentication method for the sshd service, which handles SSH logins. We need to tell it to use the /lib/security/pam_radius_auth.so file we compiled earlier.

Before the top line

auth include system-auth

add this line

auth sufficient pam_radius_auth.so

so the first two lines will look like this


auth sufficient pam_radius_auth.so
auth include system-auth

This will tell the SSH service / daemon to use the radius protocol and server for authentication. By leaving the line

With this configuration sshd will also check local system account passwords as a fallback. This means you can log in as root or other local Unix accounts should your RADIUS server be offline.

NOTE! You are changing the authentication method for logging in to your CentOS box via SSH. Make sure you can get into it via the console (monitor, mouse and keyboard) in case this goes wrong and you get locked out of SSH.
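
As an added example (not part of the original post), this script audits the two files edited above: it checks that pam_radius_auth.so is "sufficient" and sits ahead of the system-auth include so local accounts stay a fallback, that the clear-text shared secret in the server file is readable only by its owner, and that no sample entries from the shipped file remain. The function names and the temporary demo files are constructed for illustration; point audit_radius_client at /etc/pam.d/sshd and /etc/raddb/server on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two files this guide edits.

# Print the control flag of the pam_radius_auth.so auth line, but only when it
# comes before "auth include system-auth"; print nothing otherwise.
radius_control_flag() {
    awk '$1 == "auth" && $2 == "include" && $3 == "system-auth" { exit }
         $1 == "auth" && $3 ~ /pam_radius_auth\.so$/ { print $2; exit }' "$1"
}

# Succeed only if local passwords remain a fallback: the RADIUS module is
# "sufficient" and the system-auth include is still present after it.
pam_stack_has_local_fallback() {
    [ "$(radius_control_flag "$1")" = "sufficient" ] &&
        grep -Eq '^auth[[:space:]]+include[[:space:]]+system-auth' "$1"
}

# Succeed only if group and other have no permission bits on the secret file.
secret_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print server entries that still carry the sample file's placeholder secrets.
sample_secret_entries() {
    awk '$1 !~ /^#/ && ($2 == "secret" || $2 == "other-secret") { print $1 }' "$1"
}

# Report on a PAM file ($1) and a server file ($2); return 1 on any finding.
audit_radius_client() {
    rc=0
    pam_stack_has_local_fallback "$1" || { echo "PAM: no local fallback in $1"; rc=1; }
    secret_file_is_private "$2" || { echo "PERM: $2 readable beyond owner"; rc=1; }
    for s in $(sample_secret_entries "$2"); do
        echo "SAMPLE: placeholder entry for $s still in $2"; rc=1
    done
    return $rc
}

# Constructed demo input mirroring the files shown in this guide.
demo=$(mktemp -d)
printf 'auth sufficient pam_radius_auth.so\nauth include system-auth\n' > "$demo/sshd"
printf '# server[:port] shared_secret timeout (s)\n127.0.0.1 secret 1\nturbo s3cret 3\n' > "$demo/server"
chmod 644 "$demo/server"
audit_radius_client "$demo/sshd" "$demo/server" || echo "findings above need attention"
```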

Configure your Steel-Belted Radius Server

1. Set up cyclone as a RADIUS client

Right-click "Radius Clients"
Click Add
In the Add RADIUS Client window, add the IP address or hostname of the CentOS box cyclone and add the shared secret we decided on earlier, in this example "s3cret"

2. Add a username on the RADIUS box "turbo"

Right-click "Users"
Click Add

Add a native user and set a password.

Test a Logon to the CentOS SSH service

Fire up your SSH client

Connect to the box and log in with the user and password you set on the RADIUS server earlier. In my case "dave"

If it lets you in, voilà, job done: you have used the RADIUS server to provide SSH authentication. If it doesn't, then you might start by looking in the /var/log/secure file for clues. Also, the CentOS forum is pretty good; I often find some helpful people on there. If you are really desperate you can leave a comment here! :)
