Instructions for PAM RADIUS SSH with HYPR

This document will outline the instructions that you should follow for enabling HYPR to work for SSH login using the RADIUS protocol.


  1. You should have a HYPR RADIUS server running as per Setting Up the Radius Server

  2. You should have a HYPR server with a fully configured and tested RP App with out-of-band (OOB) authentication

  3. You should have at least one registered user with whom you can test

Materials Required

  1. Download the FreeRadius PAM authentication module. The most recent version as of the writing of this document can be found here -

  2. A RedHat or CentOS 7+ server or virtual machine with UDP PORT 1812 accessible

a. Make sure to install the required packages by running sudo yum install gcc pam pam-devel make -y


  1. Create a user on the Linux machine with the same name as RP App user:
#Add user
useradd username
#Set password 
passwd username
  1. Go to the /opt/hypr directory on your Linux server

  2. Run “sudo wget” to download the Free Radius PAM module.

  1. Run “tar -xvf <name_of_downloaded_file>.tar.gz” to extract the tar.gz file
  1. Go to the extracted directory and compile the PAM module
cd /opt/hypr/pam_radius-release_<version>/
  1. Run command ./configure so that config.h file gets created for compilation

  2. Compile the module and then copy the file to the proper location on the file system

# Compile the pam radius module using make
sudo make

# For 64 Bit Server
cp /lib64/security

# For 32 Bit Server
cp /lib/security
  1. Modify the system SSHD Config to use PAM

Open the SSHD Configuration

sudo vi /etc/ssh/sshd_config

Modify the file to use the following lines, then save the file:

#Search for ChallengeResponseAuthentication and make sure the line looks like:
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
#Search for UsePAM and make sure the line looks like:
UsePAM yes
  1. Update SSH policy to not using public keys and to use password
sudo vi /etc/ssh/sshd_config
Uncomment PasswordAuthentication to Yes
Comment PasswordAuthentication to No
  1. Restart service by service sshd restart

  2. Configure pam.d to use RADIUS for authentication in a passwordless manner

sudo vi /etc/pam.d/sshd
  • Comment out the "auth substack password-auth" as shown in the image below and save the file.
  • Add the auth required skip_passwd line as shown in the picture below
  1. Create and configure the Free RADIUS server information
# Make the raddb directory and server file
sudo mkdir /etc/raddb
sudo vi /etc/raddb/server

# Edit the file to include the following
# The IP/FQDN should be the URL of your HYPR RADIUS server 
# such as http://<radius_domain>.com and the Secret should be the 
# Secret you want to use with that RADIUS server
# Note: use Private IP address for AWS

#Server     Secret      Timeout
IP/FQDN     MySecret    60
  1. Configure your HYPR RADIUS server to work with the client.

Go to your HYPR RADIUS Server Configuration and click "Add New" Under Client Details.


Enter the IP Address of your RADIUS client and the SECRET you configured in your /etc/raddb/server file and click the plus icon (Note: use Private IP address for AWS)


Finally, press the "Submit and Restart" button at the bottom of the page:

  1. Test your passwordless authentication by doing a "ssh [email protected]" command on a SSH client of your choice.

Authenticate when prompted on your mobile device.


Verify that your SSH login was successful