Centos 7 ssh authenticating with Radius

fatbunny · 08-29-2019, 04:11 AM

Hi,

I'm trying to configure Centos 7 incoming ssh connections to authenticate with Radius. The radius server is configured and working with other Centos 6 clients. This was setup by my predecessor so I don't exactly how they configured the Centos 6 clients.

Installed:
yum install pam_radius
yum install freeradius-client
yum install freeradius-utils
yum install radiusclient-ng

Configured the following
nano /etc/pam_radius_auth.conf

Code:

myradiusserver.com    mysecretkey    3

nano /etc/pam.d/login

Code:

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth sufficient pam_radius_auth.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

nano /etc/pam.d/sshd

Code:

auth       sufficient   /usr/lib64/security/pam_radius_auth.so debug
auth       include      system-auth
account    sufficient   pam_radius_auth.so debug
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    sufficient   /usr/lib64/security/pam_radius_auth.so debug conf=/etc/raddb/server
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

nano /etc/raddb/server

Code:

myradiusserver.com    mysecretkey    3

I don't have a /etc/pam.d/common-auth file.

When I test with
#radtest <username> <password> <myradiusserver.com:1812> <0> <mysecretkey>
it seems to work but I can't log in with ssh

Code:

Sent Access-Request Id 95 from 0.0.0.0:50094 to **.**.**.**:1812 length 78
        User-Name = "******"
        User-Password = "*********"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        Cleartext-Password = "***********"
Received Access-Accept Id 95 from **.**.**.**:1812 to 0.0.0.0:0 length 20

I'm obviously missing something but can't see what. I have googled but all I can find are tutorials to configure the radius servers not so much the clients.

fatbunny · 08-30-2019, 03:47 AM

Forgot to say I have updated the sshd_config file with

UsePAM yes

tcpdump doesn't show any traffic going to radius server when I try to log in.