SSH with Radius Authentication

 



For the development of this article, we assume a few conditions:


  • Connectivity between the Linux client and the Radius Server 
  • The Radius server was implemented following the previous entry 

Lab info:

Radius: 172.20.0.3/26
Nas Secret: SecretSecurekey
Nas IP: 172.20.0.0/26
Client: 172.20.0.13/26

Client-side: 

Create the local user. This user has no valid local password, so only remote authentication is possible for it:

adduser administrator001 --home /home/radius/ --shell /bin/bash --disabled-password --system --gid 1000



Install on the client the library needed to authenticate against the Radius server:
sudo apt install libpam-radius-auth


Add the Radius server IP and the shared secret to the client configuration:
nano /etc/pam_radius_auth.conf



Add the Radius module to the PAM authentication configuration and comment out the common-auth include:
auth sufficient pam_radius_auth.so
#@include common-auth





Restart the ssh service so it picks up the new configuration:
systemctl restart sshd
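
A check for the two client-side files edited above, as an added example that is not part of the original article: it counts the server lines in the Radius client file, rejects the file if group or others can read the shared secret, and reports whether the PAM stack is Radius-only. The function names, the sample files and the 600-mode requirement are assumptions of this example; the lab values come from the article, and the `server[:port] shared_secret timeout` line format is the one documented in the file shipped with libpam-radius-auth.

```shell
#!/bin/sh
# Added example: audit the two client-side files this article edits.
# Paths are passed as arguments so the checks can run on copies.

# Count usable "server secret [timeout]" lines; fail if the file is
# readable by group/others (it holds the NAS shared secret).
radius_servers() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        600|400) ;;
        *) echo "insecure mode $mode on $1" >&2; return 1 ;;
    esac
    awk '$1 !~ /^#/ && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# Report how a PAM service file uses Radius:
#   radius-only  = pam_radius_auth active, common-auth commented out
#   radius-first = pam_radius_auth active, local common-auth still included
#   no-radius    = no active pam_radius_auth line
pam_mode() {
    if ! grep -Eq '^[[:space:]]*auth[[:space:]]+.*pam_radius_auth\.so' "$1"; then
        echo no-radius
    elif grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1"; then
        echo radius-first
    else
        echo radius-only
    fi
}

# Constructed sample files using the lab values from this article.
demo=$(mktemp -d)
printf '%s\n' '# server[:port] shared_secret timeout' \
    '172.20.0.3 SecretSecurekey 3' > "$demo/pam_radius_auth.conf"
chmod 600 "$demo/pam_radius_auth.conf"
printf '%s\n' 'auth sufficient pam_radius_auth.so' \
    '#@include common-auth' > "$demo/sshd"

echo "servers: $(radius_servers "$demo/pam_radius_auth.conf")"
echo "pam:     $(pam_mode "$demo/sshd")"
```

On the real client the first function would be pointed at /etc/pam_radius_auth.conf and the second at the PAM service file that received the two lines above (on Debian or Ubuntu that is assumed to be /etc/pam.d/sshd). A result of one server together with radius-only means every login for this user depends on that single server being reachable.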

Now configure the user and password on the Daloradius side.


A simple test is to request access from an ssh client:



The Radius user depends on a single point of failure: if the Radius service is down, authentication for this user cannot complete.



If you disable the user in the Daloradius interface, remote authentication for that user from the ssh client is disabled as well.






Conclusion: Radius authentication was enabled to centralize the authentication process for ssh. The bottleneck can be removed by adding an HA Radius service, which reduces the chance of a failure in the authentication process. The cleartext password could be a security issue that needs to be analyzed deeply.
