Hello!
I am trying to authenticate ssh users locally via PAM using FreeRADIUS, so the configuration files for the RADIUS server and the RADIUS client are stored on the same machine.
On my CentOS v5.50, I have the following setup:
In /usr/local/etc/raddb/radiusd.conf:
Code:
modules {
    ...
    pam {
        pam_auth = radiusd
    }
}
In /usr/local/etc/raddb/users:
Code:
sshuser Cleartext-Password := "hello", Auth-Type := Pam, NAS-IP-Address == 127.0.0.1
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 127.0.0.1,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Routing = Broadcast-Listen,
    Framed-Filter-Id = "std.ppp",
    Framed-MTU = 1500,
    Framed-Compression = Van-Jacobsen-TCP-IP
In /usr/local/etc/raddb/clients.conf:
Code:
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
In /usr/local/etc/raddb/pam_radius_auth.conf and servers.conf:
Code:
# server[:port] shared_secret timeout (s)
127.0.0.1 testing123 1
other-server other-secret 3
In /usr/local/etc/raddb/sites-available/default:
Code:
authenticate {
    ...
    pam
}
In /etc/pam.d/radiusd:
Code:
#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so
auth required /lib/security/pam_unix_auth.so shadow md5 nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix_acct.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_unix_passwd.so shadow md5 nullok use_authok
session required /lib/security/pam_unix_session.so
In /etc/pam.d/sshd:
Code:
#%PAM-1.0
auth sufficient pam_radius_auth.so debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
In /etc/sshd/sshd_config:
Code:
...
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
In /etc/passwd:
Code:
sshuser::636:636::/home/sshuser:/bin/bash
When I run the RADIUS server, it is OK, i.e.:
/usr/local/sbin/radiusd -X
However, when I try to ssh locally, it seems to act as a normal ssh login (not via PAM), i.e.:
ssh sshuser@127.0.0.1
Please could you tell me what steps I am missing?
Thanks!!!
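
Added example, not part of the original post: a simplified model of how Linux-PAM walks the auth lines of the /etc/pam.d/sshd stack shown above, where pam_radius_auth.so is `sufficient` and system-auth is pulled in with `include`. The contents of system-auth and the module outcomes are constructed assumptions, since the post does not show them; only the classic control flags are modelled.

```python
# Simplified Linux-PAM auth-stack walk (no [value=action] syntax, no substack).
SSHD_AUTH = """\
auth sufficient pam_radius_auth.so debug
auth include system-auth
"""
# Constructed stand-in for system-auth; the post does not show this file.
INCLUDES = {"system-auth": """\
auth required pam_env.so
auth sufficient pam_unix.so nullok
auth required pam_deny.so
"""}

def flatten(stack, includes):
    """Yield (control, module) for auth lines; 'include' is expanded in place."""
    for line in stack.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module = fields[1], fields[2]
        if control == "include":
            yield from flatten(includes[module], includes)
        else:
            yield control, module

def evaluate_auth(stack, results, includes=INCLUDES):
    """results maps module name -> True/False. Returns (granted, trace)."""
    failed, succeeded, trace = False, False, []
    for control, module in flatten(stack, includes):
        ok = results[module]
        trace.append((module, control, ok))
        if ok and control == "sufficient" and not failed:
            return True, trace            # success here ends the whole stack
        if ok and control in ("required", "requisite"):
            succeeded = True
        if not ok and control == "requisite":
            return False, trace           # immediate denial
        if not ok and control == "required":
            failed = True                 # remembered, stack keeps running
        # a failing 'sufficient' module is ignored and the walk continues
    return succeeded and not failed, trace

def outcome(radius_ok, unix_ok):
    """Constructed module outcomes: pam_env succeeds, pam_deny always fails."""
    results = {"pam_radius_auth.so": radius_ok, "pam_unix.so": unix_ok,
               "pam_env.so": True, "pam_deny.so": False}
    return evaluate_auth(SSHD_AUTH, results)

if __name__ == "__main__":
    for radius_ok, unix_ok in [(True, False), (False, True), (False, False)]:
        granted, trace = outcome(radius_ok, unix_ok)
        print(radius_ok, unix_ok, "->", granted, "decided by", trace[-1][0])
```

In the second case the RADIUS module fails but the login is still granted by pam_unix.so, so reading the `debug` output of pam_radius_auth.so in the system log is the way to tell which module actually accepted a session.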