Authenticating PAM against RADIUS

From FreeAuth Wiki


How to do it?

It is fairly easy to set up PAM to authenticate against RADIUS. These files were originally downloaded from the FreeRADIUS site, but they wouldn't compile, and I wouldn't suggest even bothering to grab them from there.

Instead, I've built a tarball that should work on most Linux systems; you can download it with the following command:

wget http://www.freeauth.org/images/pam_radius_auth.tgz

I compiled this module under Ubuntu Dapper, and you may get away with just installing it. If not, simply do the following:

make clean
make
make install

Configuration

Once you have everything ready, the PAM configuration is identical to One Time Passwords on Linux. To save duplicating it here, visit that page and go to the server installations section, using "pam_radius_auth" in place of "pam_mobile_otp.so".

As one final step, you will need to copy the configuration file into place:

cp pam_radius_auth.conf /etc/raddb/server

Then edit /etc/raddb/server to match your RADIUS server details.
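
The server file holds the RADIUS shared secret, so it is worth checking once it has been edited. The following is an added example, not part of the original page or of the module's own code. It assumes the stock pam_radius_auth line format `server[:port] shared_secret [timeout]` and treats the literal value `secret` as an unedited sample entry; the function name `check_radius_conf` is hypothetical.

```shell
#!/bin/sh
# Added example: audit a pam_radius_auth server file after editing it.
# Assumed line format: server[:port] shared_secret [timeout]
# Usage: check_radius_conf /etc/raddb/server

check_radius_conf() {
    conf=$1
    problems=0

    if [ ! -f "$conf" ]; then
        echo "missing: $conf"
        return 1
    fi

    # The file holds the shared secret: group and other must have no access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions too open on $conf (fix: chown root $conf; chmod 600 $conf)"
        problems=$((problems + 1))
    fi

    entries=0
    lineno=0
    while read -r server secret timeout rest || [ -n "$server" ]; do
        lineno=$((lineno + 1))
        case $server in ''|'#'*) continue ;; esac   # skip blanks and comments
        entries=$((entries + 1))
        if [ -z "$secret" ]; then
            echo "line $lineno: no shared secret for $server"
            problems=$((problems + 1))
        elif [ "$secret" = "secret" ]; then
            # Assumption: "secret" is the placeholder from the sample file.
            echo "line $lineno: $server still uses the sample secret"
            problems=$((problems + 1))
        fi
        case $timeout in
            *[!0-9]*) echo "line $lineno: timeout '$timeout' is not a number"
                      problems=$((problems + 1)) ;;
        esac
    done < "$conf"

    if [ "$entries" -eq 0 ]; then
        echo "no server entries in $conf"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]   # exit status 0 only when nothing was flagged
}
```

The function prints one line per finding and never echoes the secret itself.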

That's about it. Unlike the PAM module, the code I've generated to do OTP logins to RADIUS doesn't lock accounts after 5 failed attempts, although I guess we should delay connections; this is something that should occur in sshd in any case, to prevent or slow down brute-force attacks.