For this article we assume a few conditions:
- Connectivity between the Linux client and the Radius server
- The Radius server was set up following the previous entry
Lab info:
Radius: 172.20.0.3/26
Nas Secret: SecretSecurekey
Nas IP: 172.20.0.0/26
Client: 172.20.0.13/26
Client-side:
Create the local user. In this case the user has no valid local password, so only remote authentication is possible for it:
adduser administrator001 --home /home/radius/ --shell /bin/bash --disabled-password --system --gid 1000
On the client, install the PAM module needed to authenticate against the Radius server:
sudo apt install libpam-radius-auth
Add the Radius server IP and the shared secret to the client configuration:
nano /etc/pam_radius_auth.conf
Add the Radius module to the PAM configuration (the second line shows the default include commented out), then restart sshd:
auth sufficient pam_radius_auth.so
#@include common-auth
systemctl restart sshd
Now, on the Daloradius side, create the user and password.
Radius becomes a single point of failure: if the Radius service is down, authentication for this user fails.
Disabling the user in the Daloradius interface also disables that user's remote SSH authentication on the client.
Conclusion: Radius authentication was enabled to centralize SSH authentication. The single point of failure can be removed by deploying the Radius service in high availability, which reduces the chance of an authentication outage. The cleartext password is a potential security issue that needs deeper analysis.
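As an added illustration of why the shared secret matters (example code, not from the post or from libpam-radius-auth): RFC 2865 hides the PAP User-Password in each Access-Request by XORing it with MD5(secret + Request Authenticator), so the password is not literally cleartext on the wire, but anyone holding the shared secret can recover it from a captured request. The secret SecretSecurekey is the lab value from the post; the sample password and fixed authenticator are constructed.

```python
import hashlib


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: hide a PAP User-Password under the NAS shared secret.

    The password is NUL-padded to a 16-byte boundary; each block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def decode_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as performed by the Radius server. Anyone holding the
    shared secret and the captured request can do the same, so the secret's
    strength is what protects the password on the wire."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-zero multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed demo: the lab's NAS secret from the post, a sample password,
    # and a fixed authenticator (a real NAS draws 16 random bytes per request).
    secret = b"SecretSecurekey"
    auth = bytes(range(16))
    hidden = encode_user_password(b"Passw0rd!", secret, auth)
    print("hidden:", hidden.hex())
    print("server decodes:", decode_user_password(hidden, secret, auth))
    print("wrong secret:", decode_user_password(hidden, b"OtherSecret", auth))
```

The same secret sits in /etc/pam_radius_auth.conf on the client, so that file should stay readable by root only and the secret should be long and random rather than a dictionary-style value.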