Instructions for PAM RADIUS SSH with HYPR

Extensions: RADIUS

This document will outline the instructions that you should follow for enabling HYPR to work for SSH login using the RADIUS protocol.


  1. You should have a HYPR RADIUS server running as per Setting Up the Radius Server

  2. You should have a HYPR server with a fully configured and tested RP App with out-of-band (OOB) authentication

  3. You should have at least one registered user with whom you can test

Materials Required

  1. Download the FreeRadius PAM authentication module. The most recent version as of the writing of this document can be found here.

  2. A RedHat or CentOS 7+ server or virtual machine with UDP PORT 1812 accessible.

  3. Make sure to install the required packages by running:
    sudo yum install gcc pam pam-devel make -y


  1. Create a user on the Linux machine with the same name as RP App user:
#Add user
useradd username
#Set password 
passwd username
  1. Go to the /opt/hypr directory on your Linux server.

  2. Run sudo wget to download the Free Radius PAM module.

  1. Run tar -xvf <name_of_downloaded_file>.tar.gz to extract the file.
  1. Go to the extracted directory and compile the PAM module
cd /opt/hypr/pam_radius-release_<version>/
  1. Run command ./configure so that config.h file gets created for compilation

  2. Compile the module and then copy the file to the proper location on the file system

# Compile the pam radius module using make
sudo make

# For 64 Bit Server
cp /lib64/security

# For 32 Bit Server
cp /lib/security
  1. Modify the system SSHD Config to use PAM. Open the SSHD Configuration:
sudo vi /etc/ssh/sshd_config
  1. Modify the file to use the following lines, then save the file:
#Search for ChallengeResponseAuthentication and make sure the line looks like:
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
#Search for UsePAM and make sure the line looks like:
UsePAM yes
  1. Update the SSH policy to not using public keys and to use password to authenticate.
sudo vi /etc/ssh/sshd_config
Uncomment PasswordAuthentication to Yes
Comment PasswordAuthentication to No
  1. Restart: service sshd restart
  2. Configure pam.d to use RADIUS for authentication in a passwordless manner.
sudo vi /etc/pam.d/sshd
  • Comment out auth substack password-auth as shown in the image below, and save the file.
  • Add the auth required skip_passwd line as shown in the picture below:
  1. Create and configure the Free RADIUS server information.
# Make the raddb directory and server file
sudo mkdir /etc/raddb
sudo vi /etc/raddb/server

# Edit the file to include the following
# The IP/FQDN should be the URL of your HYPR RADIUS server 
# such as http://<radius_domain>.com and the Secret should be the 
# Secret you want to use with that RADIUS server
# Note: use Private IP address for AWS

#Server     Secret      Timeout
IP/FQDN     MySecret    60
  1. Configure your HYPR RADIUS server to work with the client. Go to your HYPR RADIUS Server Configuration and click Add New Under Client Details.
  1. Enter the IP Address of your RADIUS client and the SECRET you configured in your /etc/raddb/server file and click the plus icon. (Note: Use a Private IP address for AWS.)
  1. Click Submit and Restart at the bottom of the page:
  1. Test your passwordless authentication by running the command ssh [email protected].
  1. Authenticate when prompted on your mobile device.
  1. Verify that your SSH login was successful.