[SOLVED] Integrating PAM into SSH

chesschi · 08-02-2011, 04:44 AM

Hello!

I try to authenticate ssh users locally via PAM using FreeRadius. So the configuration files for radius server and radius client are stored at the same machine.

On my CentOS v5.50, I have the following setup:

In /usr/local/etc/raddb/radiusd.conf:

Code:

modules { 
  ... 
  pam { 
    pam_auth = radiusd 
  } 
}

In /usr/local/etc/raddb/users:

Code:

sshuser Cleartext-Password := "hello", Auth-Type := Pam, NAS-IP-Address == 127.0.0.1 
  Service-Type = Framed-User, 
  Framed-Protocol = PPP, 
  Framed-IP-Address = 127.0.0.1, 
  Framed-IP-Netmask = 255.255.255.0, 
  Framed-Routing = Broadcast-Listen, 
  Framed-Filter-Id = "std.ppp", 
  Framed-MTU = 1500, 
  Framed-Compression = Van-Jacobsen-TCP-IP

In /usr/local/etc/raddb/clients.conf:

Code:

client localhost { 
  ipaddr = 127.0.0.1 
  secret = testing123 
}

In /usr/local/etc/raddb/pam_radius_auth.conf and servers.conf

Code:

# server[:port] shared_secret      timeout (s)
127.0.0.1       testing123         1
other-server    other-secret       3

In /usr/local/etc/raddb/sites-available/default:

Code:

authenticate { 
  ... 
  pam 
}

In /etc/pam.d/radiusd:

Code:

#%PAM-1.0 
auth            sufficient      /lib/security/pam_radius_auth.so 
auth            required        /lib/security/pam_unix_auth.so shadow md5 nullok 
auth            required        /lib/security/pam_nologin.so 
account         required        /lib/security/pam_unix_acct.so 
password        required        /lib/security/pam_cracklib.so 
password        required        /lib/security/pam_unix_passwd.so shadow md5 nullok use_authok 
session         required        /lib/security/pam_unix_session.so

In /etc/pam.d/sshd:

Code:

#%PAM-1.0 
auth       sufficient   pam_radius_auth.so debug 
auth       include      system-auth 
account    required     pam_nologin.so 
account    include      system-auth 
password   include      system-auth 
session    optional     pam_keyinit.so force revoke 
session    include      system-auth 
session    required     pam_loginuid.so

In /etc/sshd/sshd_config:

Code:

... 
UsePAM yes 
ChallengeResponseAuthentication yes 
PasswordAuthentication yes

In /etc/passwd:

Code:

sshuser::636:636::/home/sshuser:/bin/bash

When I run the radius server, it is ok. i.e.
/usr/local/sbin/radiusd -X

However, when I try to ssh locally, it seems that it acts as normal ssh login (not via PAM). i.e.
ssh sshuser@127.0.0.1

Please could you tell me what steps I am missing?

Thanks!!!

anomie · 08-02-2011, 01:52 PM

PAM support is compiled into sshd(8) by default on CentOS5. If there's any doubt, try:

Code:

$ ldd /usr/sbin/sshd | grep pam

Which leaves us with a (likely) configuration problem. Check /var/log/secure and /var/log/messages for clues.

chesschi · 08-04-2011, 03:12 AM

Thanks anomie.

Quote:

Originally Posted by anomie

Check /var/log/secure and /var/log/messages for clues.

I found from the log that SSH cannot locate /etc/raddb/server file. It is because FreeRadius and SSH are installed into two different directories (i.e. /etc prefix and /usr/local/etc prefix respectively). I reconfigure the module and install them on /etc prefix and it works!