Instructions for PAM RADIUS SSH with HYPR

This document outlines the steps for enabling HYPR authentication for SSH login using the RADIUS protocol.

Prerequisites

  1. You should have a HYPR RADIUS server running as per Setting Up the Radius Server

  2. You should have a HYPR server with a fully configured and tested RP App with out-of-band (OOB) authentication

  3. You should have at least one registered user with whom you can test

Materials Required

  1. Download the FreeRADIUS PAM authentication module. The most recent version as of the writing of this document can be found here: https://github.com/FreeRADIUS/pam_radius/archive/release_1_4_0.tar.gz

  2. A RedHat or CentOS 7+ server or virtual machine with UDP port 1812 accessible

     a. Make sure to install the required build packages:

        sudo yum install gcc pam pam-devel make -y

Instructions

  1. Create a user on the Linux machine with the same name as the RP App user:

# Add the user
useradd username
# Set a password for the user
passwd username

  2. Go to the /opt/hypr directory on your Linux server.

  3. Run "sudo wget https://github.com/FreeRADIUS/pam_radius/archive/release_1_4_0.tar.gz" to download the FreeRADIUS PAM module.

  4. Run "tar -xvf <name_of_downloaded_file>.tar.gz" to extract the tar.gz file.

  5. Go to the extracted directory, where the PAM module is compiled:

cd /opt/hypr/pam_radius-release_<version>/

  6. Run ./configure so that the config.h file needed for compilation is created.

  7. Compile the module and copy the pam_radius_auth.so file to the PAM module directory for your architecture:

# Compile the pam_radius module using make
sudo make

# For a 64-bit server
sudo cp pam_radius_auth.so /lib64/security

# For a 32-bit server
sudo cp pam_radius_auth.so /lib/security

  8. Modify the system sshd configuration to use PAM.

Open the sshd configuration:

sudo vi /etc/ssh/sshd_config

Make sure the file contains the following lines, then save it:

# Search for ChallengeResponseAuthentication and make sure the line looks like:
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
...
# Search for UsePAM and make sure the line looks like:
UsePAM yes

  9. Update the SSH policy to use password authentication rather than public keys:

sudo vi /etc/ssh/sshd_config

Uncomment the "PasswordAuthentication yes" line and comment out any "PasswordAuthentication no" line.

  10. Restart the service with "service sshd restart".

  11. Configure pam.d to use RADIUS for authentication in a passwordless manner:

sudo vi /etc/pam.d/sshd

  • Comment out the "auth substack password-auth" line as shown in the image below and save the file.
  • Add the line "auth required pam_radius_auth.so skip_passwd" as shown in the picture below.

  12. Create and configure the server file that tells the FreeRADIUS PAM module where your RADIUS server is:

# Make the raddb directory and server file
sudo mkdir /etc/raddb
sudo vi /etc/raddb/server

# Edit the file to include the following.
# Server is the IP address or FQDN of your HYPR RADIUS server, such as
# <radius_domain>.com (a hostname or IP address, not an http:// URL, since
# RADIUS is a UDP protocol), and Secret is the shared secret you want to
# use with that RADIUS server.
# Note: use the private IP address for AWS

#Server     Secret      Timeout
IP/FQDN     MySecret    60

This file holds the shared secret, so it should be readable only by root.

  13. Configure your HYPR RADIUS server to work with the client.

Go to your HYPR RADIUS Server Configuration and click "Add New" under Client Details.

Enter the IP address of your RADIUS client and the SECRET you configured in your /etc/raddb/server file, then click the plus icon (Note: use the private IP address for AWS).

Finally, press the "Submit and Restart" button at the bottom of the page.

  14. Test your passwordless authentication by running "ssh [email protected]" from an SSH client of your choice.

Authenticate when prompted on your mobile device.

Verify that your SSH login was successful.
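After finishing the steps above, the following script checks that sshd_config, /etc/pam.d/sshd and /etc/raddb/server contain what this guide asks for. It is an added example, not part of the HYPR guide or the pam_radius project; the function names are its own, and the requirement that the server file be mode 600 is this example's assumption, since that file holds the shared secret.

```shell
#!/bin/sh
# Post-configuration check for the pam_radius + sshd setup described above.
# Added example, not part of the HYPR guide; file paths are arguments so the
# checks can run against the live files or against copies.

# Print the effective value of an sshd_config keyword. sshd honours the first
# uncommented occurrence of a keyword, so that is the one reported.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Fail unless sshd_config carries the three settings the guide requires.
check_sshd() {
    rc=0
    for want in ChallengeResponseAuthentication=yes UsePAM=yes PasswordAuthentication=yes; do
        key=${want%=*}; exp=${want#*=}
        got=$(sshd_opt "$1" "$key")
        if [ "$got" = "$exp" ]; then echo "ok   $key $got"
        else echo "FAIL $key is '${got:-unset}', expected $exp"; rc=1; fi
    done
    return $rc
}

# Fail unless /etc/pam.d/sshd has the pam_radius line active with skip_passwd
# and the "auth substack password-auth" line commented out.
check_pam_sshd() {
    rc=0
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_radius_auth\.so[[:space:]].*skip_passwd' "$1" \
        || { echo "FAIL no active 'auth required pam_radius_auth.so skip_passwd' line"; rc=1; }
    grep -Eq '^[[:space:]]*auth[[:space:]]+substack[[:space:]]+password-auth' "$1" \
        && { echo "FAIL 'auth substack password-auth' is still active"; rc=1; }
    return $rc
}

# Fail unless the server file is root-only (mode 600, assumed here because it
# holds the shared secret) and every entry is "host[:port] secret [timeout]"
# with an IP or FQDN, not a URL: RADIUS speaks UDP, so "http://..." never works.
check_server_file() {
    rc=0
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = 600 ] || { echo "FAIL mode $mode on $1, expected 600"; rc=1; }
    awk '!/^[[:space:]]*(#|$)/ {
        if (NF < 2 || NF > 3) { print "FAIL line " NR ": expected host[:port] secret [timeout]"; bad = 1 }
        else if ($1 ~ /:\/\//)  { print "FAIL line " NR ": " $1 " is a URL, use an IP or FQDN"; bad = 1 }
        else if (NF == 3 && $3 !~ /^[0-9]+$/) { print "FAIL line " NR ": timeout must be a number"; bad = 1 }
        else n++
    } END { if (!n) { print "FAIL no server entries"; bad = 1 }; exit bad }' "$1" || rc=1
    return $rc
}
```

Run it as root against the live files, for example "check_sshd /etc/ssh/sshd_config; check_pam_sshd /etc/pam.d/sshd; check_server_file /etc/raddb/server", and fix anything reported as FAIL before testing the SSH login.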