Configuring Radius Authentication on Linux

  • Post by Mike Dixson
  • Sep 02, 2014
post-thumb
  1. Install libpam-radius-auth
    sudo apt-get install libpam-radius-auth
  2. Configure libpam-radius-auth with your radius servers and secrets
    sudo pico /etc/pam_radius_auth.conf
  3. Set permissions on /etc/pam_radius_auth.conf
    sudo chmod 0600 /etc/pam_radius_auth.conf
  4. Add auth sufficient pam_radius_auth.so to /etc/pam.d/login and then the following as desired just above the line reading @include common-auth
    /etc/pam.d/sshd<br /> /etc/pam.d/sudo<br /> /etc/pam.d/su
  5. Add try_first_pass to auth line in /etc/pam.d/common-auth
    auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
  6. Make user locally with disabled password
    sudo useradd -m USERNAME
    or to add a user and add to the sudo group
    sudo useradd -m -G sudo USERNAME

Ta Da!

The one caveat that I’ve found with this is that when logging in with local users to the local console you are prompted for a password twice, this is fixed via step 5 but note that if you run pam-auth-update this change will be overwritten.

LATEST POST
  • Post By Mike Dixson
  • Nov 17, 2020
Using MFA for Sudo Only
  • Post By Mike Dixson
  • Jul 25, 2020
Fixed: Obelisk not working in Ableton Live
  • Post By Mike Dixson
  • Jun 15, 2020
BYOBU files being flagged by rkhunter
TAG