PAM Linux
Add Linux Machine as RADIUS client in the Mideye Server
See section RADIUS clients in the reference guide.
Integration steps
Install packages
Run the following commands to install the packages:
Configure pam_radius.conf
Use your favourite text editor to add the Mideye Server details to the file /etc/pam_radius.conf in the following format:
<Mideye Server IP-address> <shared secret> <timeout in seconds>
Note that the timeout should be set to 35 seconds.
Example:
10.10.20.30 supersecretsecret 35
Save the changes.
Configure sshd
Edit the file /etc/pam.d/sshd and add the following line. In this example the NAS-ID will be “LinuxPAM”.
auth sufficient pam_radius_auth.so client_id=LinuxPAM
The line should be added after the “pam_sepermit.so” line:
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so client_id=LinuxPAM
auth substack password-auth
auth include postlogin
...
Save the changes.
Configure sshd_config
Challenge-response authentication needs to be allowed. Edit /etc/ssh/sshd_config and change to the following configuration:
Save the changes.
Restart SSH service
Run the following command to restart the SSH service:
systemctl restart sshd
Adding users
The credentials of the users logging in are managed either in the Mideye Server database or in LDAP, but each username must also exist on the Linux server. If the username in LDAP is testuser@company.com, just add testuser to the machine with the following command.
adduser testuser
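Do NOT set a password for the user; the password in the Mideye Server database or LDAP will be used. With the sufficient control flag, a failed RADIUS check falls through to the password-auth substack, where a local password would be accepted without the second factor.
Now everything is configured on the Linux server. If the Mideye Server is configured as well, the SSH login will now prompt for two-factor authentication.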
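The script below lints the two files edited in this guide, /etc/pam_radius.conf and /etc/pam.d/sshd. It is an added example, not part of the Mideye documentation, and the function names are hypothetical. Two checks are assumptions rather than statements from the page: the group/other permission check (the file stores the shared secret in clear text) and the requirement that the pam_radius_auth.so line precede the password-auth substack (taken from the page's example listing).

```shell
#!/bin/sh
# Lint the two files edited in this guide. Findings never echo the shared secret.

# pam_radius.conf: "<server> <secret> <timeout>", timeout 35, no group/other access.
check_radius_conf() {
    [ "$(ls -ln "$1" | cut -c5-10)" = "------" ] ||
        { echo "$1: accessible by group/other"; return 1; }
    awk '
        NF == 0 || $1 ~ /^#/ { next }   # blank lines and comments
        NF < 3   { print "line " NR ": need <server> <secret> <timeout>"; bad = 1; next }
        $3 != 35 { print "line " NR ": timeout is not 35"; bad = 1; next }
        { ok = 1 }
        END { if (!ok) print "no valid server line"; exit (bad || !ok) }
    ' "$1"
}

# pam.d/sshd: the pam_radius_auth.so auth line must be "sufficient", carry a
# client_id (NAS-ID), and sit after pam_sepermit.so and before password-auth.
check_sshd_pam() {
    awk '
        $1 != "auth" { next }           # only the auth stack matters here
        /pam_sepermit\.so/    { sep = NR }
        /pam_radius_auth\.so/ { rad = NR; ctl = $2; cid = ($0 ~ /client_id=[^ \t]+/) }
        /password-auth/       { if (!pw) pw = NR }
        END {
            if (!rad)                { print "pam_radius_auth.so line missing"; exit 1 }
            if (ctl != "sufficient") { print "control flag is " ctl; bad = 1 }
            if (!cid)                { print "client_id (NAS-ID) not set"; bad = 1 }
            if (!sep || rad < sep)   { print "not placed after pam_sepermit.so"; bad = 1 }
            if (pw && rad > pw)      { print "placed after password-auth"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input, using the example values from this page.
d=$(mktemp -d)
printf '%s\n' '10.10.20.30 supersecretsecret 35' > "$d/pam_radius.conf"
chmod 600 "$d/pam_radius.conf"
printf '%s\n' '#%PAM-1.0' 'auth required pam_sepermit.so' \
    'auth sufficient pam_radius_auth.so client_id=LinuxPAM' \
    'auth substack password-auth' 'auth include postlogin' > "$d/sshd"
check_radius_conf "$d/pam_radius.conf" && check_sshd_pam "$d/sshd" && echo "config OK"
rm -rf "$d"
```

On a configured host, call the two functions with /etc/pam_radius.conf and /etc/pam.d/sshd as root before restarting sshd.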