This document will outline the instructions that you should follow for enabling HYPR to work for SSH login using the RADIUS protocol.
You should have a HYPR RADIUS server running as per Setting Up the Radius Server
You should have a HYPR server with a fully configured and tested RP App with out-of-band (OOB) authentication
You should have at least one registered user with whom you can test
Download the FreeRadius PAM authentication module. The most recent version as of the writing of this document can be found here - https://github.com/FreeRADIUS/pam_radius/archive/release_1_4_0.tar.gz
A RedHat or CentOS 7+ server or virtual machine with UDP PORT 1812 accessible
a. Make sure to install the required packages by running sudo yum install gcc pam pam-devel make -y
- Create a user on the Linux machine with the same name as RP App user:
#Add user useradd username #Set password passwd username
Go to the /opt/hypr directory on your Linux server
Run “sudo wget https://github.com/FreeRADIUS/pam_radius/archive/release_1_4_0.tar.gz” to download the Free Radius PAM module.
- Run “tar -xvf <name_of_downloaded_file>.tar.gz” to extract the tar.gz file
- Go to the extracted directory and compile the PAM module
Run command ./configure so that config.h file gets created for compilation
Compile the module and then copy the pam_radius_auth.so file to the proper location on the file system
# Compile the pam radius module using make sudo make # For 64 Bit Server cp pam_radius_auth.so /lib64/security # For 32 Bit Server cp pam_radius_auth.so /lib/security
- Modify the system SSHD Config to use PAM
Open the SSHD Configuration
sudo vi /etc/ssh/sshd_config
Modify the file to use the following lines, then save the file:
#Search for ChallengeResponseAuthentication and make sure the line looks like: ChallengeResponseAuthentication yes #ChallengeResponseAuthentication no . . #Search for UsePAM and make sure the line looks like: UsePAM yes
- Update SSH policy to not using public keys and to use password
sudo vi /etc/ssh/sshd_config Uncomment PasswordAuthentication to Yes Comment PasswordAuthentication to No
Restart service by service sshd restart
Configure pam.d to use RADIUS for authentication in a passwordless manner
sudo vi /etc/pam.d/sshd
- Comment out the "auth substack password-auth" as shown in the image below and save the file.
- Add the auth required pam_radius_auth.so skip_passwd line as shown in the picture below
- Create and configure the Free RADIUS server information
# Make the raddb directory and server file sudo mkdir /etc/raddb sudo vi /etc/raddb/server # Edit the file to include the following # The IP/FQDN should be the URL of your HYPR RADIUS server # such as http://<radius_domain>.com and the Secret should be the # Secret you want to use with that RADIUS server # Note: use Private IP address for AWS #Server Secret Timeout IP/FQDN MySecret 60
- Configure your HYPR RADIUS server to work with the client.
Go to your HYPR RADIUS Server Configuration and click "Add New" Under Client Details.
Enter the IP Address of your RADIUS client and the SECRET you configured in your /etc/raddb/server file and click the plus icon (Note: use Private IP address for AWS)
Finally, press the "Submit and Restart" button at the bottom of the page:
- Test your passwordless authentication by doing a "ssh [email protected]" command on a SSH client of your choice.
Authenticate when prompted on your mobile device.
Verify that your SSH login was successful
Updated about 2 years ago