# sshd & radius

## pinion

I would like to authenticate my gentoo servers to a Radius server (for ssh & console logins).  Does anyone know how to do this?  There used to be a radius PAM module, but it looks like that was removed.  Is there a feature I'm missing?  I searched for any howtos and didn't come up with anything aside from the pam_radius module.  Thanks in advance for the help.

After looking at the USE flags for pam, I noticed that pwdb installs the pam_radius.so module.  Now I just need to figure out what to do with it.  I created a NAS entry for the gentoo server on my radius server (Cisco ACS).  I just need to know where to configure my radius secret on the gentoo server and if any other packages need to be emerged (such as a radius client).  Any help or links are much appreciated.  The only links I am finding pertain to pam_radius_auth.so (not pam_radius.so).

----------

## pinion

To get the pam_radius module installed I added the "pwdb" USE flag to my /etc/portage/package.use file and emerged pam.  I did some reading on pam (http://devmanual.gentoo.org/tasks-reference/pam/index.html) and modified my /etc/pam.d/sshd file:

```
auth       optional     pam_radius.so   conf=/etc/radius.conf
password   optional     pam_radius.so   conf=/etc/radius.conf
session    optional     pam_radius.so   conf=/etc/radius.conf
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
```

As well as created a /etc/radius.conf file:

```
auth            10.97.26.10             linacsP@$$              3
acct            10.97.26.10             linacsP@$$              3
```

But I am getting the following error now:

/var/log/syslog:

```
Oct 28 07:21:21 phaz-mon-02 sshd[16431]: PAM unable to resolve symbol: pam_sm_authenticate
Oct 28 07:21:21 phaz-mon-02 sshd[16431]: PAM unable to resolve symbol: pam_sm_setcred
Oct 28 07:21:21 phaz-mon-02 sshd[16431]: PAM unable to resolve symbol: pam_sm_chauthtok
Oct 28 07:21:21 phaz-mon-02 sshd[16431]: Failed publickey for test from 10.97.19.255 port 34852 ssh2
Oct 28 07:21:25 phaz-mon-02 sshd(pam_unix)[16436]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.97.19.255  user=test
Oct 28 07:21:28 phaz-mon-02 sshd[16431]: error: PAM: Authentication failure for test from 10.97.19.255
Oct 28 07:21:28 phaz-mon-02 sshd[16431]: Failed keyboard-interactive/pam for test from 10.97.19.255 port 34852 ssh2
```

I have tried modifying /etc/pam.d/sshd turning off auth/password/session for the pam_radius module to get different error messages, but they all produce the same errors in my error log.  I have also tried re-emerging pam and running revdep-rebuild.

Does anyone have any insight to what I am doing wrong?

----------
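The "PAM unable to resolve symbol: pam_sm_authenticate" lines in the post above mean that the module listed under a management group does not export the entry point PAM dlsym()s for that group. The following is an added example, not code from the thread or from the pam_radius project: it maps each PAM management group to the pam_sm_* symbols a module must export, and walks a pam.d file checking every module's dynamic symbol table with `nm -D`. The module directory (/lib/security on the poster's system) is passed as an argument and is an assumption, as is the location of the pam.d file.

```sh
#!/bin/sh
# Added example, not from the thread: explain and detect
# "PAM unable to resolve symbol: pam_sm_*" before sshd logs it.
# A module used under a management group must export that group's entry
# points; PAM resolves them with dlsym() when the stack is loaded.
# Assumed module directory: /lib/security (pass yours as argument 2).

# Print the entry points a module must export for management group $1.
pam_required_symbols() {
	case "$1" in
		auth)     echo "pam_sm_authenticate pam_sm_setcred" ;;
		account)  echo "pam_sm_acct_mgmt" ;;
		password) echo "pam_sm_chauthtok" ;;
		session)  echo "pam_sm_open_session pam_sm_close_session" ;;
		*)        return 1 ;;
	esac
}

# $1 = group, $2 = whitespace-separated list of exported symbols.
# Prints the missing ones, one per line; exit status 0 only if none missing.
pam_missing_symbols() {
	missing=""
	for sym in $(pam_required_symbols "$1" || true); do
		case " $2 " in
			*" $sym "*) ;;
			*) missing="$missing $sym" ;;
		esac
	done
	[ -z "$missing" ] && return 0
	for m in $missing; do echo "$m"; done
	return 1
}

# Exported (defined) dynamic symbols of shared object $1, space separated.
# Empty output if the file is not an ELF object or nm is unavailable.
exported_symbols() {
	nm -D --defined-only "$1" 2>/dev/null | awk '{ print $NF }' | tr '\n' ' '
}

# Check every module line of pam.d file $1 against the modules in dir $2.
# Prints one line per problem; exit status 0 only if everything resolves.
check_pamd_file() {
	report=$(
		# Drop comments; take the group and the first field ending in .so
		# (control fields such as [success=1 default=ignore] contain spaces,
		# so $3 is not reliable).  "include" lines have no .so and are skipped.
		# A leading "-" on the group only silences the missing-module log.
		sed 's/#.*//' "$1" |
		awk '{ sub(/^-/, "", $1)
		       for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) { print $1, $i; break } }' |
		while read -r group module; do
			case "$module" in
				/*) path=$module ;;
				*)  path="$2/$module" ;;
			esac
			if [ ! -f "$path" ]; then
				echo "$group: $module not found in $2"
			elif ! miss=$(pam_missing_symbols "$group" "$(exported_symbols "$path")"); then
				echo "$group: $module lacks: $(echo $miss)"   # unquoted: join onto one line
			fi
		done
	)
	[ -z "$report" ] && return 0
	printf '%s\n' "$report"
	return 1
}
```

Run it as `check_pamd_file /etc/pam.d/sshd /lib/security`; a module reported as lacking pam_sm_authenticate under `auth` is exactly what produces the syslog lines quoted above, and the fix is to remove that module from the group it does not implement rather than to change its control flag.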

## pinion

I gave up trying to get the included pam_radius.so module to work with pam-0.78.  So, I emerged pam-0.99, which no longer has the pwdb USE flag or the pam_radius.so module.  Details on the changes to the PAM ebuild: http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml.  So to get this working I downloaded and manually installed the pam_radius_auth.so module from http://www.freeradius.org/pam_radius_auth/ (make the module and copy it into the /lib/security/ folder).  I have authentication working against my radius server, however I am unable to change passwords.  I modified the /etc/pam.d/passwd file:

```
auth       sufficient   pam_radius_auth.so     conf=/etc/pam_radius.conf
account    sufficient   pam_radius_auth.so     conf=/etc/pam_radius.conf
password   sufficient   pam_radius_auth.so     conf=/etc/pam_radius.conf
session    sufficient   pam_radius_auth.so     conf=/etc/pam_radius.conf
auth       include      system-auth
account    include      system-auth
password   include      system-auth
```

And it authenticates to radius when I change my password, but fails:

```
$ passwd
Password: 
New password: 
New password (again): 
passwd: Authentication service cannot retrieve authentication info
$
```

Also, I would like portage to manage my library instead of me manually installing the freeradius library.  Does anyone know if this is included with another package or if there is a use flag to install it?  An overlay perhaps?  I don't like manually installing anything or creating ebuilds that aren't a part of the portage tree.  Also, does anyone have any insight into getting passwd to work with radius?  I made sure it is passing on the radius side of things.  Any help is much appreciated.

----------

## serial_penguin

I'm interested in getting pam_radius working as well, particularly with pam-0.99.8.1-r1. I wasn't aware that pam_radius was available with pam-0.78-r5, so I used the following ebuild (pam_radius-1.3.17.ebuild)

```
# Copyright 1999-2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

DESCRIPTION="PAM to RADIUS authentication module"
HOMEPAGE="http://www.freeradius.org"
SRC_URI="ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz"

SLOT="0"
LICENSE="GPL-2"
KEYWORDS="~amd64"

DEPEND="sys-libs/pam"

S="${WORKDIR}/pam_radius-1.3.17"

src_compile() {
	emake || die "emake failed"
}

src_install() {
	# the module goes where PAM looks for it; the config holds the
	# shared secret in clear text, so keep it root-only (0700 dir, 0600 file)
	install -d "${D}"/lib/security
	install -g root -o root -m 700 -d "${D}"/etc/raddb
	install -g root -o root -m 755 pam_radius_auth.so "${D}"/lib/security
	install -g root -o root -m 600 pam_radius_auth.conf "${D}"/etc/raddb/server
	dodoc Changelog INSTALL LICENSE README TODO USAGE
	dohtml index.html
}
```

and put it in my portage overlay. Of course, I have to maintain it. pam_radius seems to work just fine with pam-0.78-r5 on my amd64 machine. The installed pam_radius is preventing the upgrade of pam, which was probably good since it would have probably hosed my system if the upgrade had completed. I hadn't read all I should have before the attempted upgrade. My question is how to get pam_radius working after I remove it and then upgrade? Will the existing pam_radius recompile and work with the new pam? One must tread gently here.

----------

## pinion

Thanks for the code for the ebuild.  I will stick that in my overlay and reinstall it when I get a chance.

To get sshd to work with PAM once PAM is installed, you need to:

1. Create a config file to store the radius information (such as /etc/radius_pam.conf):

```
#Radius-server          shared-secret           number-of-retries
127.0.0.1               supersecuresecret       0
```

I do not believe DNS entries will work here, and of course use a more secure passphrase (http://grc.com/passwords)

2. Modify your sshd PAM config file (/etc/pam.d/sshd):

```
auth       sufficient   pam_radius_auth.so     conf=/etc/radius_pam.conf
account    sufficient   pam_radius_auth.so     conf=/etc/radius_pam.conf
password   sufficient   pam_radius_auth.so     conf=/etc/radius_pam.conf
session    sufficient   pam_radius_auth.so     conf=/etc/radius_pam.conf
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
```

Change the conf option to point to your config file.

3. Create an entry on your radius server (Cisco ACS in my case)

For the cisco ACS 3.3.3:

```
Click on "Network Configuration"
If you have defined groups click on the appropriate group
Click on "Add Entry"
Fill out the form being sure to enter the IP address for the gentoo box, the passphrase used earlier, and RADIUS-IETF
Click on "Submit And Restart"
```

4. Create a user on the gentoo box that will be using PAM:

```
sudo groupadd radiususer
sudo useradd -g radiususer -G adm -m radiususer
```

You should be able to ssh into the server using your radius credentials.  If you have any problems, be sure to check the error logs for PAM (/var/log/syslog for PAM-0.99) and on the radius server.

----------
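The procedure above stores the RADIUS shared secret in clear text in a file that the PAM stack reads as root, and ties sshd to that file through the `conf=` argument. The following is an added example, not code from the thread or from pam_radius_auth: a sanity check for steps 1 and 2 that verifies the client config file is root-only, that each line has the three fields the posted format uses (server, shared secret, retries/timeout), that the server field is a numeric IPv4 address (the poster believes DNS names do not work here, so a hostname is only flagged for confirmation), that the secret is not trivially short, and that every `conf=` path named in the pam.d file exists. The paths /etc/radius_pam.conf and /etc/pam.d/sshd and the 16-character minimum are assumptions; `stat -c` is GNU coreutils/busybox syntax.

```sh
#!/bin/sh
# Added example, not from the thread: audit a pam_radius_auth client config
# ("server  shared-secret  retries") and the pam.d file that references it.
# Assumptions: file layout as posted in the thread; a 16-char minimum for the
# shared secret; GNU/busybox stat(1).  Paths are arguments, nothing is fixed.

# Print one finding per line for config file $1; exit status 0 if none.
audit_radius_conf() {
	conf=$1
	findings=$(
		# The shared secret sits in clear text, so only root may read the file.
		mode=$(stat -c '%a' "$conf")
		case "$mode" in
			600|400) ;;
			*) echo "mode $mode: secret readable by others, use chmod 600" ;;
		esac
		[ "$(stat -c '%U' "$conf")" = root ] || echo "owner is not root"
		# Strip comments and blank lines, then validate each server line.
		sed 's/#.*//' "$conf" | awk 'NF' |
		while read -r server secret timeout extra; do
			[ -n "$extra" ] && echo "$server: more than three fields"
			case "$timeout" in
				''|*[!0-9]*) echo "$server: retries/timeout '$timeout' is missing or not a number" ;;
			esac
			# Hostnames are flagged, not rejected: confirm resolution on your build.
			case "$server" in
				*[!0-9.]*) echo "$server: not an IPv4 literal, confirm name resolution works" ;;
			esac
			[ "${#secret}" -ge 16 ] || echo "$server: shared secret shorter than 16 chars"
		done
	)
	[ -z "$findings" ] && return 0
	printf '%s\n' "$findings"
	return 1
}

# For pam.d file $1, check that every conf= target exists and passes the
# audit above.  Prints findings prefixed with the config path; exit 0 if none.
audit_pamd_radius() {
	pamd=$1
	findings=$(
		sed 's/#.*//' "$pamd" | grep -o 'conf=[^[:space:]]*' | cut -d= -f2 | sort -u |
		while read -r path; do
			if [ ! -f "$path" ]; then
				echo "$path: referenced in $pamd but missing"
			else
				audit_radius_conf "$path" | sed "s|^|$path: |"
			fi
		done
	)
	[ -z "$findings" ] && return 0
	printf '%s\n' "$findings"
	return 1
}
```

Run `audit_pamd_radius /etc/pam.d/sshd` after completing steps 1 and 2; the mode check matters because `sufficient` lines in a PAM stack give anyone who can read the secret the ability to impersonate the RADIUS server to this host or to spoof this host to the server.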

