Introduction
This document describes how to integrate PAM with a Mideye Server. This can be used for two-factor authentication with SSH login.
Prerequisites & general issues
A Mideye Server (any release). If there is a firewall between the Linux server and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). The Linux server acts as a RADIUS client towards the Mideye Server. Hence, the Linux server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.
Integration steps
Install packages
Run the following commands to install the packages:
yum -y install epel-release
and
yum -y install pam_radius
Configure pam_radius.conf
Use your favourite text editor and add the information of the Mideye Server to the file
/etc/pam_radius.conf
in the following format:
<Mideye Server IP-address> <shared secret> <timeout in seconds>
Note that the timeout should be set to 35 seconds.
Example:
10.10.20.30 supersecretsecret 35
Save the changes.
Configure sshd
Edit the file
/etc/pam.d/sshd
Add “pam_radius_auth.so” with the optional string “client_id=”. The value of client_id will be sent as NAS-ID to the Mideye Server, which can use it to define the Linux server.
In this example the NAS-ID will be “LinuxPAM”:
auth sufficient pam_radius_auth.so client_id=LinuxPAM
The line should be added after “pam_sepermit.so”:
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so client_id=LinuxPAM
auth substack password-auth
auth include postlogin
…
Save the changes.
Configure sshd_config
Challenge response authentication needs to be allowed. Edit
/etc/ssh/sshd_config
and change to the following configuration:
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
Save the changes.
Restart SSH service
Run the following command to restart the SSH service:
systemctl restart sshd
Adding users
The credentials for the users logging in are managed either in the Mideye Server database or in LDAP, but a matching username must also exist on the Linux server. If the username in LDAP is testuser@company.com, just add testuser to the machine with the following command:
adduser testuser
Do NOT set a local password for the user; the password stored in the Mideye Server database or LDAP will be used.
Now everything is configured in the Linux server. If the Mideye Server is configured as well, the SSH login will now prompt for two-factor authentication.
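Before testing the login, the three Linux-side files can be checked for the mistakes this guide warns about (wrong pam_radius.conf format or timeout, pam_radius_auth.so in the wrong position in /etc/pam.d/sshd, ChallengeResponseAuthentication not enabled). The script below is an added example, not Mideye's own tooling; it uses the default paths from this guide and accepts an alternative path as the first argument of each function for testing.

```shell
#!/bin/sh
# Pre-flight check for the pam_radius/Mideye setup described above.
# Added example, not Mideye's own tooling; the default paths are the ones
# used in this guide and can be overridden per function for testing.

# 0 when every active line in pam_radius.conf is "<server> <secret> <timeout>"
# with the timeout at the recommended 35 seconds, and at least one line exists.
check_pam_radius_conf() {
    f="${1:-/etc/pam_radius.conf}"
    [ -r "$f" ] || return 1
    awk '/^[[:space:]]*#/ { next }
         NF == 0 { next }
         NF != 3 || $3 != 35 { bad = 1 }
         { n++ }
         END { exit (n == 0 || bad) ? 1 : 0 }' "$f"
}

# 0 when /etc/pam.d/sshd loads pam_radius_auth.so after pam_sepermit.so and
# before the password-auth substack (commented-out lines are ignored).
check_sshd_pam_order() {
    f="${1:-/etc/pam.d/sshd}"
    [ -r "$f" ] || return 1
    sepermit=$(grep -n '^[^#]*pam_sepermit\.so' "$f" | head -n1 | cut -d: -f1)
    radius=$(grep -n '^[^#]*pam_radius_auth\.so' "$f" | head -n1 | cut -d: -f1)
    pwauth=$(grep -n '^[^#]*password-auth' "$f" | head -n1 | cut -d: -f1)
    [ -n "$sepermit" ] && [ -n "$radius" ] && [ -n "$pwauth" ] || return 1
    [ "$sepermit" -lt "$radius" ] && [ "$radius" -lt "$pwauth" ]
}

# 0 when the first active ChallengeResponseAuthentication directive is "yes";
# sshd honours the first occurrence of a keyword, so a later "no" is ignored.
check_sshd_challenge_response() {
    f="${1:-/etc/ssh/sshd_config}"
    [ -r "$f" ] || return 1
    v=$(awk 'tolower($1) == "challengeresponseauthentication" { print tolower($2); exit }' "$f")
    [ "$v" = "yes" ]
}

# Run all three checks against the live system: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    rc=0
    check_pam_radius_conf || { echo "pam_radius.conf: bad format or timeout != 35"; rc=1; }
    check_sshd_pam_order || { echo "pam.d/sshd: pam_radius_auth.so not between pam_sepermit.so and password-auth"; rc=1; }
    check_sshd_challenge_response || { echo "sshd_config: ChallengeResponseAuthentication is not yes"; rc=1; }
    exit $rc
fi
```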
Add the Linux server as a RADIUS client in the Mideye Server
See section RADIUS clients in the reference guide.
Troubleshoot
Check RADIUS-logs
Check if anything is written to the Mideye RADIUS logs. These can be found in:
Mideye Server\log\radius-messages.log
If nothing is logged, verify that udp/1812 is allowed between your Linux Server and Mideye Server.
Contact Mideye support
For further support please contact Mideye support, support@mideye.com, +46854514750.