Instructions for PAM RADIUS SSH with HYPR
This document will outline the instructions that you should follow for enabling HYPR to work for SSH login using the RADIUS protocol.
You should have a HYPR RADIUS server running as per Setting Up the Radius Server
You should have a HYPR server with a fully configured and tested RP App with out-of-band (OOB) authentication
You should have at least one registered user with whom you can test
Download the FreeRadius PAM authentication module. The most recent version as of the writing of this document can be found here.
A RedHat or CentOS 7+ server or virtual machine with UDP PORT 1812 accessible.
Make sure to install the required packages by running:
sudo yum install gcc pam pam-devel make -y
- Create a user on the Linux machine with the same name as RP App user:
#Add user useradd username #Set password passwd username
Go to the
/opt/hyprdirectory on your Linux server.
sudo wget https://github.com/FreeRADIUS/pam_radius/archive/release_1_4_0.tar.gzto download the Free Radius PAM module.
tar -xvf <name_of_downloaded_file>.tar.gzto extract the file.
- Go to the extracted directory and compile the PAM module
Run command ./configure so that config.h file gets created for compilation
Compile the module and then copy the pam_radius_auth.so file to the proper location on the file system
# Compile the pam radius module using make sudo make # For 64 Bit Server cp pam_radius_auth.so /lib64/security # For 32 Bit Server cp pam_radius_auth.so /lib/security
- Modify the system SSHD Config to use PAM. Open the SSHD Configuration:
sudo vi /etc/ssh/sshd_config
- Modify the file to use the following lines, then save the file:
#Search for ChallengeResponseAuthentication and make sure the line looks like: ChallengeResponseAuthentication yes #ChallengeResponseAuthentication no . . #Search for UsePAM and make sure the line looks like: UsePAM yes
- Update the SSH policy to not using public keys and to use password to authenticate.
sudo vi /etc/ssh/sshd_config Uncomment PasswordAuthentication to Yes Comment PasswordAuthentication to No
service sshd restart
pam.dto use RADIUS for authentication in a passwordless manner.
sudo vi /etc/pam.d/sshd
- Comment out
auth substack password-authas shown in the image below, and save the file.
- Add the
auth required pam_radius_auth.so skip_passwdline as shown in the picture below:
- Create and configure the Free RADIUS server information.
# Make the raddb directory and server file sudo mkdir /etc/raddb sudo vi /etc/raddb/server # Edit the file to include the following # The IP/FQDN should be the URL of your HYPR RADIUS server # such as http://<radius_domain>.com and the Secret should be the # Secret you want to use with that RADIUS server # Note: use Private IP address for AWS #Server Secret Timeout IP/FQDN MySecret 60
- Configure your HYPR RADIUS server to work with the client. Go to your HYPR RADIUS Server Configuration and click Add New Under Client Details.
- Enter the IP Address of your RADIUS client and the SECRET you configured in your
/etc/raddb/serverfile and click the plus icon. (Note: Use a Private IP address for AWS.)
- Click Submit and Restart at the bottom of the page:
- Test your passwordless authentication by running the command
ssh [email protected].
- Authenticate when prompted on your mobile device.
- Verify that your SSH login was successful.
Updated 5 days ago