Old 03-18-2011, 05:47 PM   #1
kungfur@mone
SSH, Radius, Passwords, and PAM


At my workplace, we're running freeradius on an Ubuntu server to authenticate our Cisco equipment (which works great). We're now trying to use the same server to authenticate our other Linux servers as well, so that we can use the radius server as a centralized user repository and log access attempts.

I have a test server which is set up as a radius client. In other words: client SSHes to test server, which sends a radius authentication request to the radius server, which sends approval, and the client logs on to the test server.

The problem has to do with passwords: this only works if there is a local user account on the test server with the same password as exists on the radius server.

What I want to do here is have it set up so that if the radius server approves the connection, the user is logged in on the target system, even if the passwords don't match.

The references I've found online suggest having the local user account set up with a blank password, but I manually edited /etc/shadow and deleted the (encrypted) password for a test user and it didn't make a difference.

/etc/pam.d/sshd contains:

Code:
auth       required     pam_radius_auth.so
auth       required     pam_env.so

I haven't changed anything in /etc/pam.d/

To sum up: does anyone know how to set it up so that any user approved by radius to complete the ssh session can log in, regardless of the local user password?

Any suggestions are most appreciated! TIA.
 
Old 03-22-2011, 11:38 AM   #2
kungfur@mone
Well, I figured this out over the weekend, so I thought I'd post for the benefit of anyone else trying to do this.

The trick is commenting out "@include common-auth" in /etc/pam.d/sshd:

Code:
#@include common-auth

That means that the system will not check against the local password database; if radius says the user is in, he or she is in.

Hopefully that's helpful to someone else down the road....
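
An added example, not part of the original posts: a small Python check that walks the auth phase of a PAM service file, expanding @include lines, and reports whether pam_unix.so (the local password check) is still in the stack before and after the change described above. The common-auth contents, the position of the include line, and the names auth_stack and audit are constructed assumptions.

```python
import re

# Constructed sample of /etc/pam.d/sshd: the two auth lines from the first post,
# followed by the distribution's include (its position is an assumption).
BEFORE = (
    "auth    required    pam_radius_auth.so\n"
    "auth    required    pam_env.so\n"
    "@include common-auth\n"
)
AFTER = BEFORE.replace("@include common-auth", "#@include common-auth")

# Constructed stand-in for /etc/pam.d/common-auth; real files differ by release.
INCLUDES = {
    "common-auth": (
        "auth    [success=1 default=ignore]    pam_unix.so nullok_secure\n"
        "auth    requisite    pam_deny.so\n"
        "auth    required     pam_permit.so\n"
    )
}

# type, control (keyword or [bracketed] form), module
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_stack(text, includes, depth=0):
    """Return [(control, module)] for the auth phase, expanding @include lines."""
    if depth > 8:
        raise ValueError("@include nesting too deep")
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if line.startswith("@include"):
            parts = line.split()
            if len(parts) == 2:
                stack += auth_stack(includes.get(parts[1], ""), includes, depth + 1)
            continue
        m = RULE.match(line)
        if m and m.group(1) == "auth":
            stack.append((m.group(2), m.group(3)))
    return stack

def audit(text, includes):
    """Report which password-verifying modules are active in the auth stack."""
    stack = auth_stack(text, includes)
    controls = dict((module, control) for control, module in stack)
    return {
        "stack": stack,
        "radius_control": controls.get("pam_radius_auth.so"),
        "local_password_checked": "pam_unix.so" in controls,
    }

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text, INCLUDES))
```

To run it against a real host, read /etc/pam.d/sshd and the files it includes into the same text and dictionary arguments.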
 
  

