- Install libpam-radius-auth
sudo apt-get install libpam-radius-auth
- Configure libpam-radius-auth with your radius servers and secrets
sudo pico /etc/pam_radius_auth.conf
- Set permissions on /etc/pam_radius_auth.conf
sudo chmod 0600 /etc/pam_radius_auth.conf
- Add
auth sufficient pam_radius_auth.so
to /etc/pam.d/login and then the following as desired, just above the line reading @include common-auth:
/etc/pam.d/sshd
/etc/pam.d/sudo
/etc/pam.d/su
- Add try_first_pass to auth line in /etc/pam.d/common-auth
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
- Make user locally with disabled password
sudo useradd -m USERNAME
or, to add a user and add them to the sudo group:
sudo useradd -m -G sudo USERNAME
Ta Da!
The one caveat that I’ve found with this is that when logging in with local users to the local console you are prompted for a password twice. This is fixed via step 5, but note that if you run pam-auth-update this change will be overwritten.
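
A quick way to check the result of the steps above, and to notice when pam-auth-update has undone the step 5 edit. This is an added example, not part of the original post; the function names are hypothetical and the sample files are constructed stand-ins for the real ones.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample files are constructed.

# True if "auth sufficient pam_radius_auth.so" sits above "@include common-auth".
radius_before_common_auth() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*auth[ \t]+sufficient[ \t]+pam_radius_auth\.so/ { seen = 1 }
        /^[ \t]*@include[ \t]+common-auth/ { ok = seen; exit }
        END { exit !ok }
    ' "$1"
}

# True if the pam_unix.so auth line still carries try_first_pass
# (the post notes that pam-auth-update overwrites this manual edit).
unix_has_try_first_pass() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1" |
        grep -Eq '(^|[[:space:]])try_first_pass([[:space:]]|$)'
}

# True if the file mode is exactly 0600, as set in the chmod step.
conf_mode_ok() {
    [ -n "$(find "$1" -prune -perm 600 -print 2>/dev/null)" ]
}

# Constructed stand-ins for /etc/pam.d/sshd, common-auth and pam_radius_auth.conf.
make_samples() {
    printf '%s\n' 'auth sufficient pam_radius_auth.so' '@include common-auth' > "$1/sshd.good"
    printf '%s\n' '@include common-auth' 'auth sufficient pam_radius_auth.so' > "$1/sshd.bad"
    printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass' > "$1/common-auth.edited"
    printf '%s\n' 'auth [success=1 default=ignore] pam_unix.so nullok_secure' > "$1/common-auth.reset"
    printf '%s\n' '127.0.0.1 CONSTRUCTED_SECRET 3' > "$1/radius.conf"
    chmod 0644 "$1/radius.conf"   # deliberately too open, so the check fails
}

report() {   # report CHECK FILE
    if "$1" "$2"; then echo "OK   $1 $2"; else echo "FAIL $1 $2"; fi
}

SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
report radius_before_common_auth "$SAMPLES/sshd.good"
report radius_before_common_auth "$SAMPLES/sshd.bad"
report unix_has_try_first_pass   "$SAMPLES/common-auth.edited"
report unix_has_try_first_pass   "$SAMPLES/common-auth.reset"
report conf_mode_ok              "$SAMPLES/radius.conf"
```

On a real host, point the same functions at /etc/pam.d/sshd, /etc/pam.d/common-auth and /etc/pam_radius_auth.conf.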