Overview
The freeradius-pam package provides the pam_radius_auth module, which lets any PAM-capable machine act as a RADIUS client for authentication and accounting requests. A RADIUS server is still needed to perform the actual authentication.
To make AIX authenticate through this module we need a RADIUS server. Any Linux node (Ubuntu/Red Hat/CentOS) running FreeRADIUS will do.
Installing the PAM client
The freeradius-pam fileset is available from the AIX Toolbox for Linux Applications. Install it with yum:
- yum install freeradius-pam
Configuring the PAM client
On the client node, point the module at the RADIUS server by adding an entry to /etc/raddb/server, one server per line, in the format shown below. The file holds the shared secret in cleartext, so it must be readable by root only.
# cat /etc/raddb/server
# radius_server <shared secret> <timeout in seconds>
9.xx.xx.xxx testing123 60
To make sshd authenticate through PAM, add the following lines to /etc/pam.conf. pam_radius_auth is the only auth module in this stack, so if the RADIUS server is unreachable, password logins over ssh fail rather than falling back to the local AIX password; keep console or key-based access available while testing.
# /etc/pam.conf: add these new lines
#SSHD
sshd auth sufficient /usr/lib/security/pam_radius_auth.so
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
# /etc/security/login.cfg: in the usw stanza, change
auth_type = STD_AUTH
to
auth_type = PAM_AUTH
# /etc/ssh/sshd_config: set the following attributes
PasswordAuthentication no
PermitEmptyPasswords no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
UsePAM yes
With PasswordAuthentication off and ChallengeResponseAuthentication on, sshd collects the password through keyboard-interactive and hands it to the PAM stack. Note that UsePrivilegeSeparation no removes sshd's process isolation, and OpenSSH 7.5 and later ignores the option (privilege separation is always on); leave it at its default unless your sshd version demonstrably needs the change for pam_radius_auth.
Once the above changes are made, restart sshd through the SRC:
stopsrc -s sshd
startsrc -s sshd
That completes the client side. Now configure the server node to accept requests from the client's IP address. Install FreeRADIUS with the OS package manager; on Ubuntu the packages are:
#Ubuntu packages
sudo apt -y install freeradius freeradius-utils
Once the packages are installed, register the client node and add a user. The secret in clients.conf must match the one in the client's /etc/raddb/server. testing123 is the example secret FreeRADIUS ships in its default configuration; outside a lab use a long, random secret per client, since the User-Password attribute on the wire is hidden only with an MD5 stream keyed by this value.
# provide the client details in the below file
/etc/freeradius/3.0/clients.conf
client <client_name>{
ipaddr = 9.xx.xx.xxx
# This secret must be the same as the one configured on the
# client node in /etc/raddb/server
secret = testing123
}
# user details; this is the login user for ssh. Reply items such as Framed-Protocol go on the following line, indented.
/etc/freeradius/3.0/users
#########################################################
# You should add test accounts to the TOP of this file! #
# See the example user "bob" above. #
#########################################################
sam Cleartext-Password := "sam123"
	Framed-Protocol = PPP
Cleartext-Password stores the password unencrypted in the users file. That is acceptable for this lab; in production restrict the file's permissions and prefer a hashed attribute such as Crypt-Password or an external user store.
# Start the FreeRADIUS server. To see all the debug output, run it in the foreground with -X and redirect the output to a file. On Ubuntu the packaged service is already running after installation, so stop it first (systemctl stop freeradius) or -X will fail to bind port 1812. Debug mode is single-threaded and meant for troubleshooting; use the service for anything beyond a test.
# freeradius -X &> ~/rad.log &
Once both the client and server nodes are configured, you can ssh to the AIX node and authenticate against the RADIUS server.
Note: pam_radius_auth only handles the auth phase; the account, password and session phases still run through pam_aix, so the user "sam" must also exist as a local account on the client node with a password set.
It’s your turn now
Log in to the node over ssh. If FreeRADIUS is running in debug mode on the server, the whole authentication flow appears in its output; a sample follows.
(0) Calling-Station-Id = "9.xx.xx.xxx"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "sam", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files: users: Matched entry sam at line 227
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = updated
(0) } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0) post-auth {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0) if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) -> FALSE
(0) update {
(0) No attributes updated for RHS &session-state:
(0) } # update = noop
(0) [exec] = noop
(0) policy remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message) {
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else {
(0) [noop] = noop
(0) } # else = noop
(0) } # policy remove_reply_message_if_eap = noop
(0) } # post-auth = noop
(0) Sent Access-Accept Id 89 from 9.xx.xx.xxx:1812 to 9.xx.xx.xxx:36857 length 0
(0) Framed-Protocol = PPP
(0) Finished request
Waking up in 4.9 seconds.
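The log above shows the PAP path end to end: the files module matches the users entry for sam, the pap module compares the password with the known-good Cleartext-Password, and an Access-Accept carrying Framed-Protocol = PPP goes back to the client. The following is an added example, not code from this article or from the FreeRADIUS project: it reproduces that exchange in pure Python per RFC 2865, with a pam_radius_auth-style client that hides the password and checks the Response Authenticator, and a server-side function that does what the files and pap modules do. The USERS table is a constructed stand-in for the users file, the NAS address 192.0.2.10 is assumed, the identifier 89 and the secret testing123 are taken from the page, and all attribute codes are the RFC 2865 values.

```python
# Added example: RFC 2865 PAP exchange between a pam_radius_auth-style client and a
# FreeRADIUS-style server, in pure Python. Not code from the article or from FreeRADIUS.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FRAMED_PROTOCOL, CALLING_STATION_ID = 1, 2, 4, 7, 31
FRAMED_PROTOCOL_PPP = 1  # integer value of Framed-Protocol = PPP (RFC 2865 section 5.7)
# Constructed stand-in for the server's users file: name -> (Cleartext-Password, reply items)
USERS = {"sam": ("sam123", {FRAMED_PROTOCOL: FRAMED_PROTOCOL_PPP})}


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password, secret, authenticator):
    # RFC 2865 section 5.2: pad to 16-byte blocks; block i is XORed with MD5(secret + c[i-1]),
    # where c[-1] is the Request Authenticator. This is obfuscation keyed by the secret, not encryption.
    if not password or len(password) > 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + c, c
    return out


def reveal_password(hidden, secret, authenticator):
    # Inverse of hide_password: all the server, or anyone with the secret and a capture, needs.
    if not hidden or len(hidden) % 16:
        raise ValueError("malformed User-Password attribute")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + bytes(x ^ b for x, b in zip(c, _md5(secret, prev))), c
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value  # Type, Length, Value


def _parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute list")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(user, password, secret, nas_ip, ident, authenticator=None):
    # What the PAM module puts on the wire for a PAP login.
    ra = authenticator or os.urandom(16)  # fresh random Request Authenticator per request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(CALLING_STATION_ID, nas_ip.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def server_handle(packet, client_secret, users=USERS):
    # The files + pap path from the log: match the user, compare with the known-good
    # Cleartext-Password, answer Access-Accept (with reply items) or Access-Reject.
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = packet[4:20], dict(_parse_attrs(packet[20:]))
    entry = users.get(attrs.get(USER_NAME, b"").decode(errors="replace"))
    hidden = attrs.get(USER_PASSWORD)
    reply_attrs, code = b"", ACCESS_REJECT
    if entry and hidden and reveal_password(hidden, client_secret, ra) == entry[0].encode():
        code = ACCESS_ACCEPT
        for t, v in entry[1].items():
            reply_attrs += _attr(t, struct.pack("!I", v))
    header = struct.pack("!BBH", code, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + _md5(header, ra, reply_attrs, client_secret) + reply_attrs


def client_check_reply(reply, request_authenticator, secret, ident):
    # The check RFC 2865 requires of the client: a reply whose Response Authenticator
    # does not verify under our secret is discarded rather than trusted.
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or rid != ident:
        raise ValueError("reply does not match our request")
    expected = _md5(reply[:4], request_authenticator, reply[20:], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or forged reply")
    return code, dict(_parse_attrs(reply[20:]))


def pap_login(user, password, client_secret, server_secret, nas_ip="192.0.2.10", ident=89):
    # One exchange, each side holding its own copy of the shared secret.
    # Returns ("accept" | "reject" | "unverifiable", reply attributes).
    request, ra = build_access_request(user, password, client_secret, nas_ip, ident)
    reply = server_handle(request, server_secret)
    try:
        code, attrs = client_check_reply(reply, ra, client_secret, ident)
    except ValueError:
        return "unverifiable", {}
    return ("accept" if code == ACCESS_ACCEPT else "reject"), attrs
```

Calling pap_login("sam", "sam123", b"testing123", b"testing123") returns "accept" with Framed-Protocol = 1 (PPP) in the reply attributes, mirroring the Access-Accept in the log; a wrong password yields "reject". With different secrets on the two sides the server decodes garbage and rejects, but the client cannot verify the Response Authenticator and must discard the reply, so a mismatched secret surfaces on a conforming client as a discarded reply and eventual timeout rather than a clean rejection. reveal_password also shows why the secret matters: anyone holding it together with a packet capture recovers the cleartext password, so use a long random secret and keep RADIUS traffic on a trusted segment or inside a tunnel such as RadSec or IPsec.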