Install FreeRadius for SSH Authentication (Two-Factor Authentication)
What is FreeRadius?
RADIUS is a mature, widely supported standard: powerful enough to cover most authentication and accounting needs and simple enough to be easy to operate. FreeRADIUS is an excellent open-source RADIUS server that ships with most Linux distributions, and it is well documented and well supported. The WiKID Strong Authentication server is a commercial/open-source two-factor authentication system that uses public-key encryption to deliver PINs and one-time passcodes securely to software tokens running on BlackBerries, cell phones, Palms, PocketPCs or, with the J2SE client, Linux, Mac and Windows PCs. You can think of WiKID as certificates without the hassle of white lists and black lists, and more secure, because the PIN is validated on the server, which prevents offline brute-force attacks. The steps below build the FreeRADIUS side with a static password stored in MySQL; the second factor comes from replacing that stored password with a one-time-passcode system such as WiKID.
Requirements: two CentOS 6 servers (one runs FreeRADIUS, the other is the SSH server whose logins will be authenticated against it).
Step 1: Stop IPTables and SELinux and Sync the Clock on Both Servers :
The original procedure disables the firewall and SELinux to keep the walkthrough short. If you prefer to keep iptables running, the only rule the RADIUS server needs is one that accepts UDP 1812 (authentication) and 1813 (accounting) from the SSH server's address.
# service iptables stop
# chkconfig iptables off
# vi /etc/sysconfig/selinux
SELINUX=disabled ###(Change enforcing to disabled)
--- save & quit (:wq) ---
Clock sync matters for one-time passcodes and for correlating /var/log/secure on the SSH server with the RADIUS log. ntpdate refuses to run while ntpd holds the NTP socket, so stop the daemon before the one-off sync and start it again afterwards:
# yum install ntp -y
# service ntpd stop
# ntpdate pool.ntp.org
# service ntpd start
# chkconfig ntpd on
# init 6 ###(reboot so the SELinux change takes effect)
** Configure FreeRadius Server:
Step 2: Install and Configure Radius Server and its Dependencies :
# yum install freeradius freeradius-mysql freeradius-utils mysql-server -y
# service mysqld start
* Set the MySQL root password (and remove the anonymous accounts and the test database) with the following command, then enable the service at boot with chkconfig mysqld on:
# mysql_secure_installation
* Create the radius database and a dedicated account for FreeRADIUS. The password chosen here ("radpass") must be the same one entered in sql.conf below:
# mysql -uroot -p
Enter password:
mysql> CREATE DATABASE radius;
mysql> GRANT ALL PRIVILEGES ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
mysql> flush privileges;
mysql> use radius;
mysql> SOURCE /etc/raddb/sql/mysql/schema.sql;
mysql> \q
* Point the sql module at the database and check the connection settings. Leave the file's shipped permissions (root:radiusd, not world-readable) in place, since it holds the database password:
# vi /etc/raddb/sql.conf
### (Connection info block, roughly lines 36-42)
# Connection info:
server = "localhost"
#port = 3306
login = "radius"
password = "radpass"
# Database table configuration for everything except Oracle
radius_db = "radius"
---- save & quit (:wq) ----
# vi /etc/raddb/radiusd.conf
## Uncomment the Following Line (Line Number 735)
$INCLUDE sql.conf
---- save & quit (:wq) ----
# vi /etc/raddb/sites-available/default
### Uncomment the line containing 'sql' in the authorize {} section (around line 177) and in the accounting {} section (around line 406); also uncomment 'sql' under session {}
---- save & quit (:wq) ----
# vi /etc/raddb/sites-available/inner-tunnel
### Uncomment the line containing 'sql' under authorize {} (around line 132) and under session {}
---- save & quit (:wq) ----
* Change the shared secret of the localhost client (the one radtest will use). Never leave testing123 in place: it is the documented default and the first value anyone on the network will try.
# vi /etc/raddb/clients.conf
### Change: secret = testing123 to secret = <your-secret-password>
---- save & quit (:wq) ----
# service radiusd restart
Step 3: Adding Clients and Users to the Radius Server :
* A "client" in RADIUS terms is the device that sends Access-Requests, here the SSH server. Add a stanza for its IP address; the secret set here must be repeated verbatim in /etc/raddb/server on the SSH server in Step 4. The shortname is only a label used in logs. Enable the service at boot as well (chkconfig radiusd on).
# vi /etc/raddb/clients.conf
client <SSH-Server-IP> {
secret = <Shared-Secret-for-SSH-Server>
shortname = sshserver
nastype = other
}
---- save & quit (:wq) ----
# service radiusd restart
# mysql -uroot -p
Enter password:
mysql> use radius;
mysql> INSERT INTO `radcheck` (`username`, `attribute`, `op`, `value`) VALUES ('testuser', 'Cleartext-Password', ':=', 'User_Password');
mysql> \q
The 2.x schema's radcheck table has an `op` column, and the sql module compares the submitted password against a Cleartext-Password attribute set with ':='. The original post stored the attribute name 'password', which is not a RADIUS attribute, so there was nothing to compare and its own test below came back as Access-Reject.
* Test RADIUS authentication locally. The second argument is the user's password; the last one is the secret from the localhost stanza in clients.conf:
# radtest testuser User_Password localhost 1812 <Radius-Server-Secret-Key>
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=185, length=20
An Access-Reject here means the lookup failed. Stop the service, run the server in the foreground with radiusd -X, repeat the radtest and read which module rejected the request.
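Provisioning users by hand is where this setup usually breaks (wrong attribute name, missing op column, a quote in the password). The following is an added example, not code from the original post or from the FreeRADIUS project: a small POSIX shell helper that emits a correctly formed radcheck row for the 2.x MySQL schema, escapes the values for MySQL, and classifies the reply radtest prints. The sample replies are constructed inside the script, and the column layout (username, attribute, op, value) is assumed from /etc/raddb/sql/mysql/schema.sql.

```shell
#!/bin/sh
# Added example (not part of the original tutorial or of FreeRADIUS itself).
# Assumes the FreeRADIUS 2.x MySQL schema, where radcheck has the columns
# username, attribute, op and value.

# Escape a value for a single-quoted MySQL string literal: backslashes are
# doubled (MySQL treats \ as an escape character by default) and ' becomes ''.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print the INSERT that makes USER authenticate with PASSWORD.
# Cleartext-Password with the ':=' operator is what the sql module compares
# the submitted password against; an attribute such as 'password' is not a
# RADIUS attribute and yields Access-Reject.
radcheck_insert() {
    user=$(sql_quote "$1")
    pass=$(sql_quote "$2")
    printf "INSERT INTO radcheck (username, attribute, op, value) VALUES ('%s', 'Cleartext-Password', ':=', '%s');\n" "$user" "$pass"
}

# Print the SELECT used to confirm the row landed as intended.
radcheck_select() {
    printf "SELECT username, attribute, op, value FROM radcheck WHERE username = '%s';\n" "$(sql_quote "$1")"
}

# Read radtest's output on stdin and return 0 for Access-Accept, 1 for
# Access-Reject, 2 for anything else (typically no reply reached radtest).
radtest_verdict() {
    reply=$(cat)
    case "$reply" in
        *Access-Accept*) echo "accept"; return 0 ;;
        *Access-Reject*) echo "reject: check the radcheck row and run radiusd -X"; return 1 ;;
        *) echo "no reply: check the client stanza, the shared secret and that UDP 1812 is reachable"; return 2 ;;
    esac
}

# Constructed sample replies in the format radtest 2.x prints; they are not
# captured from a live server and only let the script be exercised offline.
SAMPLE_ACCEPT='Sending Access-Request of id 12 to 127.0.0.1 port 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=12, length=20'
SAMPLE_REJECT='Sending Access-Request of id 185 to 127.0.0.1 port 1812
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=185, length=20'

# Live usage on the RADIUS server (not executed here):
#   radcheck_insert testuser User_Password | mysql -uradius -pradpass radius
#   radcheck_select testuser | mysql -uradius -pradpass radius
#   radtest testuser User_Password localhost 1812 "$secret" | radtest_verdict
```

The escaping matters because the password column is free text: a user whose password contains a single quote would otherwise break the statement or, worse, let a value chosen by the user alter it.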
Step 4: Configure the SSH Server to Authenticate Against the Radius Server :
# yum -y install pam pam-devel gcc wget
# cd /tmp
# wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
# tar zxf pam_radius-1.4.0.tar.gz
# cd pam_radius-1.4.0
# ./configure
# make
# cp pam_radius_auth.so /lib64/security/ ###(use /lib/security/ on a 32-bit install)
FTP gives no transport integrity, so verify the archive against the signature or checksum the project publishes before building a module that will sit in your login path.
** Modify the PAM stacks of sshd and passwd for RADIUS authentication--
# vi /etc/pam.d/sshd
## Add this line as the 2nd line (before the existing auth lines, so it runs ahead of the local password stack)--
auth sufficient pam_radius_auth.so
---- save & quit (:wq) ----
The module is referenced by bare name, so PAM loads it from the architecture's default module directory. "sufficient" means a RADIUS accept ends authentication, while a reject falls through to the local /etc/shadow password. That keeps root and rescue logins working while you test; once RADIUS is stable, change it to "required" so a local password alone can no longer open an SSH session.
# vi /etc/pam.d/passwd
## Add this line as the 3rd line--
password sufficient pam_radius_auth.so
---- save & quit (:wq) ----
# vi /etc/ssh/sshd_config
## Change or uncomment the line (around line 48)
PubkeyAuthentication no
## and confirm that sshd actually hands passwords to PAM (both are the CentOS 6 defaults, but check them)
UsePAM yes
PasswordAuthentication yes
---- save & quit (:wq) ----
Disabling public-key authentication is what forces every login through PAM and therefore through RADIUS; an account with an authorized_keys file would otherwise bypass the second factor entirely.
# mkdir -p /etc/raddb/
# cp /tmp/pam_radius-1.4.0/pam_radius_auth.conf /etc/raddb/server
# chmod 0600 /etc/raddb/server ###(the file holds the shared secret; pam_radius expects it readable by root only)
# vi /etc/raddb/server
## # Radius Server IP address Secret Timeout
<Radius-Server-IP> <Secret-Key-of-Radius-Server> 10
---- save & quit (:wq) ----
The secret here must match the one in the clients.conf stanza for this SSH server's IP address on the RADIUS server (Step 3), not the localhost secret used by radtest.
# service sshd restart
# useradd testuser
Note: every account that is to authenticate through RADIUS must exist in both places: as a row in the radcheck table on the RADIUS server and as a local account on the SSH server (for its UID, home directory and shell). Do not set a local password for it; useradd leaves the local password locked, and the password lives only in the RADIUS database.
** For example, with the user created in Step 3:
user: testuser
pass: User_Password
# ssh testuser@<SSH-Server-IP>
Password: User_Password
** You should be able to log in now! If the login fails, check /var/log/secure on the SSH server and run radiusd -X on the RADIUS server to watch the request arrive and see which module rejected it.
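The SSH side fails quietly in three ways: sshd never calls PAM, the pam_radius line sits after the local password stack so a local password still works on its own, or the server file holding the shared secret is world-readable. Here is an added example, not from the original post or from the pam_radius project, of a POSIX shell audit for those three conditions. It assumes the CentOS 6 file layout (/etc/ssh/sshd_config, /etc/pam.d/sshd, /etc/raddb/server) and writes constructed fixture files into a directory of your choosing so it can be exercised without touching a live host.

```shell
#!/bin/sh
# Added example (not part of the original tutorial or of pam_radius).
# Assumed paths are the CentOS 6 ones; the fixture files are constructed here.

# First uncommented value of a sshd_config keyword, lowercased
# (sshd uses the first occurrence of a keyword, so that is what we read).
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# 0 when sshd will actually hand a password to PAM.
check_sshd_config() {
    if [ "$(sshd_opt "$1" UsePAM)" != yes ]; then
        echo "UsePAM is not yes: PAM, and so pam_radius, is never consulted"
        return 1
    fi
    if [ "$(sshd_opt "$1" PasswordAuthentication)" = no ] &&
       [ "$(sshd_opt "$1" ChallengeResponseAuthentication)" != yes ]; then
        echo "neither password nor keyboard-interactive auth is enabled: nothing reaches pam_radius"
        return 1
    fi
    return 0
}

# Control word (sufficient, required, ...) on the pam_radius auth line, or "".
pam_radius_control() {
    awk '$1 == "auth" && /pam_radius_auth\.so/ { print $2; exit }' "$1"
}

# 0 when an auth line for pam_radius_auth.so comes before the first
# "auth include|substack" line, i.e. before the local password stack runs.
check_pam_sshd() {
    awk '
        $1 == "auth" && /pam_radius_auth\.so/ && !r { r = NR }
        $1 == "auth" && ($2 == "include" || $2 == "substack") && !i { i = NR }
        END { exit !(r && (!i || r < i)) }
    ' "$1"
}

# 0 when the pam_radius server file is readable by root only and every
# active line has the form: server[:port] secret [timeout].
check_server_conf() {
    mode=$(ls -ld "$1" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$1 is $mode but holds the shared secret; chmod 0600 it"
        return 1
    fi
    awk '!/^[[:space:]]*(#|$)/ && (NF < 2 || NF > 3) { bad = 1 } END { exit bad + 0 }' "$1"
}

# Run all three checks against the live paths and report.
audit_host() {
    check_sshd_config /etc/ssh/sshd_config && echo "sshd_config: ok"
    check_pam_sshd /etc/pam.d/sshd && echo "pam.d/sshd: pam_radius runs first ($(pam_radius_control /etc/pam.d/sshd))"
    check_server_conf /etc/raddb/server && echo "raddb/server: ok"
}

# Constructed fixtures (a good and a bad variant of each file) written to DIR,
# so the checks can be tried out offline.
make_fixtures() {
    d=$1
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_radius_auth.so' \
        'auth required pam_sepermit.so' 'auth include password-auth' > "$d/pam.good"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_sepermit.so' \
        'auth include password-auth' 'auth sufficient pam_radius_auth.so' > "$d/pam.bad"
    printf '%s\n' '#UsePAM no' 'UsePAM yes' 'PasswordAuthentication yes' \
        'PubkeyAuthentication no' > "$d/sshd.good"
    printf '%s\n' 'UsePAM yes' 'PasswordAuthentication no' > "$d/sshd.bad"
    printf '%s\n' '# server[:port] secret [timeout]' '192.0.2.10 s3cret 10' > "$d/server.good"
    cp "$d/server.good" "$d/server.bad"
    chmod 0600 "$d/server.good"
    chmod 0644 "$d/server.bad"
}
```

Run audit_host as root on the SSH server after Step 4; each failing check prints the reason. The PAM ordering check is the one worth keeping in a configuration test, because a package update that rewrites /etc/pam.d/sshd can push the pam_radius line below the include and silently restore password-only logins.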