I am trying to configure MFA on a domain-joined Amazon Linux instance through RADIUS to LinOTP.
I have Managed AD, RADIUS and LinOTP configured and working properly.
I followed this documentation to configure LinOTP and RADIUS:
https://aws.amazon.com/blogs/desktop...on-workspaces/
I used this to join the Linux instance to the domain:
https://docs.aws.amazon.com/director..._instance.html
On the Linux instance I downloaded pam_radius:
https://github.com/FreeRADIUS/pam_radius
Here is the configuration on the Linux instance:
I added the details of the RADIUS server in the /etc/pam_radius.conf file.
The content of the /etc/pam.d/sshd file is attached.
The highlights of /etc/ssh/sshd_config are:
- passwordauthentication yes
- challengeresponseauthentication yes
- usepam yes
My problem is that when I SSH to the Linux instance, it asks for a password. After I enter my domain password, it asks for the OTP token, and then it goes back to asking for the password, and so on.
Sign-in method 1 (FQDN):
I SSH to the instance using:
ssh username@domain.com@<public IP address>
Here is what I see in logs:
- Linux instance, /var/log/secure: authentication success
- LinOTP: username not found in realm
- When I look at the RADIUS logs, it seems that the OTP password is not correct, since the User-Password field contains random characters.
Sign-in method 2 (without FQDN):
I SSH to the instance using:
ssh username@<public IP address>
Here is what I see in logs:
- Linux instance, /var/log/secure: invalid user username
- LinOTP: found username
- When I look at the RADIUS logs, it seems that the OTP password is not correct, since the User-Password field contains random characters.
I need some guidance on how to configure this Amazon Linux instance to authenticate with domain credentials against Managed AD and then use an OTP (through RADIUS and LinOTP) for MFA. I appreciate your guidance.
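As an added troubleshooting aid that is not part of the original post: the script below reads the effective sshd settings the post lists (as printed by `sshd -T`) and the `auth` lines of a pam.d file, and reports whether pam_radius_auth.so is reached at all. The sample pam.d/sshd content and `sshd -T` output are constructed here, not the poster's attached file; the one PAM rule it checks is that a `sufficient` module placed before pam_radius_auth.so ends the stack on a correct password, so the OTP module is never consulted.

```python
import re

# Keywords from the post's sshd_config highlights, as `sshd -T` prints them (lowercase).
SSHD_KEYS = ("passwordauthentication", "challengeresponseauthentication", "usepam")

# Matches one pam.d auth line: control may be a single word or a [bracketed] action list.
AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample (not the poster's file): pam_sss is 'sufficient' ahead of pam_radius.
SAMPLE_PAM_SSHD = """\
#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_sss.so
auth       required     pam_radius_auth.so
auth       required     pam_deny.so
"""

# Constructed sample of `sshd -T` output with one of the three settings wrong.
SAMPLE_SSHD_T = """\
port 22
usepam yes
passwordauthentication yes
challengeresponseauthentication no
"""

def sshd_settings(sshd_t_output):
    """Return the three MFA-relevant sshd values found in `sshd -T` output."""
    found = {}
    for line in sshd_t_output.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in SSHD_KEYS:
            found[parts[0].lower()] = parts[1].lower()
    return found

def auth_stack(pam_text):
    """Return the ordered (control, module, args) auth lines of a pam.d file."""
    stack = []
    for line in pam_text.splitlines():
        m = AUTH_LINE.match(line.split("#", 1)[0].strip())
        if m:
            stack.append((m.group(1), m.group(2), m.group(3).split()))
    return stack

def report(pam_text, sshd_t_output):
    """Return (auth modules in order, list of findings) for the two inputs."""
    findings = []
    settings = sshd_settings(sshd_t_output)
    for key in SSHD_KEYS:
        if settings.get(key) != "yes":
            findings.append(f"sshd: {key} is {settings.get(key, 'unset')}, not yes")
    stack = auth_stack(pam_text)
    modules = [module for _, module, _ in stack]
    if "pam_radius_auth.so" not in modules:
        findings.append("pam: pam_radius_auth.so is not in the auth stack")
    else:
        for control, module, _ in stack[: modules.index("pam_radius_auth.so")]:
            if control == "sufficient":
                findings.append(f"pam: {module} is 'sufficient' before pam_radius_auth.so, "
                                "so a correct password ends the stack and the OTP is never asked")
    return modules, findings
```

On a live host, feed it `sshd -T` output and /etc/pam.d/sshd; included or substacked files (password-auth, system-auth) must be inspected separately, since this only reads the lines it is given.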