Ubuntu 20 LTS RADIUS Integration

Overview

This article describes the steps needed to integrate Ubuntu logins with RADIUS using RADIUS PAM libraries.

Install RADIUS and PAM Libraries in Ubuntu

sudo apt-get update;
sudo apt-get install freeradius freeradius-utils freeradius-mysql libpam-radius-auth;

Setup RADIUS in Ubuntu

sudo vi /etc/pam_radius_auth.conf;

Add the following lines to the new file:

# SwivelServerIP     Shared Secret       Timeout
192.168.209.35       secret              60

Then copy the RADIUS server profile to a new file, /etc/raddb/server:

sudo mkdir -p /etc/raddb;
sudo cp /etc/pam_radius_auth.conf /etc/raddb/server;

Setup a RADIUS NAS entry on the Swivel server

_images/2020-12-09_16-49-57.jpg

Other configurations are available, e.g. Push. For a Two Stage Password, then OTC request, use the following settings:

_images/Screenshot_2020-12-09_Sentry_Configuration.png

Enable PAM RADIUS on SSH daemon in Ubuntu

This affects SSHD logins only. Example login:

_images/2020-12-09_17-09-10.gif

Open sshd_config for editing:

sudo vi /etc/ssh/sshd_config

Modify the existing parameters:

ChallengeResponseAuthentication yes
UsePAM yes

Save and close the file.

Open the pam.d sshd config file for editing:

sudo vi /etc/pam.d/sshd

Make the following modifications. Add the following line:

auth    sufficient      pam_radius_auth.so

...and comment out the @include common-auth line:

#@include common-auth

The file should then look something like this:

# PAM configuration for the Secure Shell service
auth    sufficient      pam_radius_auth.so
# Standard Un*x authentication.
#@include common-auth
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

Restart the SSHD service:

sudo service ssh restart

Enable PAM RADIUS on all credential prompts in Ubuntu

This will affect sudo and desktop logins. Example login:

_images/2020-12-09_17-07-18.gif

Open the pam.d common-auth config file for editing:

sudo vim /etc/pam.d/common-auth

Append the following line to the file:

auth    required                        /usr/lib/security/pam_radius_auth.so

Known Issues

Warning

In the above example, Two Stage RADIUS transmits the password over UDP with MD5 encoding. In addition, PAM RADIUS on the Linux host has publicly known memory leak issues, which may be considered a security risk.