PAM Linux

Introduction

This document describes how to integrate Linux PAM with a Mideye Server, which enables two-factor authentication for SSH login.

Prerequisites & general issues

A Mideye Server (any release). If there is a firewall between the Linux server and the Mideye Server, it must be open for two-way RADIUS traffic (UDP, standard port 1812). The Linux server acts as a RADIUS client towards the Mideye Server. Hence, the Linux server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for information on how to define a new RADIUS client.

Integration steps

Install packages

Run the following commands to install the packages:
yum -y install epel-release
yum -y install pam_radius

Configure pam_radius.conf

Using your favourite text editor, add the Mideye Server details to the file
/etc/pam_radius.conf

in the following format:
<Mideye Server IP-address> <shared secret> <timeout in seconds>

Note that the timeout should be set to 35 seconds.

Example:
10.10.20.30 supersecretsecret 35

Save the changes.

Configure sshd

Edit the file
/etc/pam.d/sshd

Add “pam_radius_auth.so” with the optional string “client_id=”. The value of client_id is sent as the NAS-ID to the Mideye Server, which can use it to identify the Linux server.

In this example the NAS-ID will be “LinuxPAM”.
auth  sufficient  pam_radius_auth.so client_id=LinuxPAM

The line should be added after “pam_sepermit.so”:
#%PAM-1.0
auth    required    pam_sepermit.so
auth    sufficient  pam_radius_auth.so client_id=LinuxPAM
auth    substack    password-auth
auth    include     postlogin

Save the changes.

Configure sshd_config

Challenge-response authentication needs to be allowed. Edit
/etc/ssh/sshd_config
and change to the following configuration:
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no

Save the changes.

Restart SSH service

Run the following command to restart the SSH service:
systemctl restart sshd

Adding users

The credentials for the users logging in are managed either in the Mideye Server database or in LDAP, but the username needs to be added on the Linux server as well. If the username in LDAP is testuser@company.com, just add testuser to the machine with the following command.

adduser testuser

Do NOT set a password for the user; the password stored in the Mideye Server database or LDAP will be used.

Now everything is configured on the Linux server. Once the Mideye Server is configured as well, SSH login will prompt for two-factor authentication.
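As an added example (not part of Mideye's guide), the following POSIX shell script checks the three files edited above against what this guide requires. Each function takes the file path as an argument, so it can be run against the live files or, as at the end of the script, against constructed copies written to a temporary directory. The permission check on pam_radius.conf is an addition to the guide: the file holds the RADIUS shared secret and should be readable by root only.

```shell
#!/bin/sh
# Checks for the pam_radius + sshd setup in this guide. Each function takes
# the path of the file to inspect, so it works on the live files
# (/etc/pam_radius.conf, /etc/pam.d/sshd, /etc/ssh/sshd_config) or on copies.

# pam_radius.conf: each non-comment line is "<server> <secret> <timeout>",
# and this guide sets the timeout to 35 seconds.
check_pam_radius_conf() {
    awk '/^[[:space:]]*(#|$)/ { next }
         NF != 3 { print "bad line: " $0; bad = 1 }
         $3 != 35 { print "timeout is not 35: " $0; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# pam_radius.conf holds the shared secret: it must not be group/world readable.
check_secret_perms() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \))" ]
}

# /etc/pam.d/sshd: exactly one auth line for pam_radius_auth.so, placed after
# pam_sepermit.so and carrying the client_id= option that becomes the NAS-ID.
check_pam_sshd() {
    awk '$1 != "auth" { next }
         $3 == "pam_sepermit.so" { sepermit = NR }
         $3 == "pam_radius_auth.so" { radius = NR; n++
             if ($0 !~ /client_id=/) { print "missing client_id="; bad = 1 } }
         END { if (n != 1) { print "need exactly one pam_radius_auth.so line"; bad = 1 }
               if (!sepermit || radius < sepermit) { print "must follow pam_sepermit.so"; bad = 1 }
               exit bad + 0 }' "$1"
}

# sshd_config: the uncommented setting must be "yes", otherwise sshd never
# lets PAM prompt for the second factor.
check_sshd_config() {
    awk '/^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes/ { ok = 1 }
         END { exit !ok }' "$1"
}

# Constructed sample files mirroring the guide's examples (not real hosts).
tmp=$(mktemp -d)
printf '10.10.20.30 supersecretsecret 35\n' > "$tmp/pam_radius.conf"
chmod 600 "$tmp/pam_radius.conf"
printf '#%%PAM-1.0\nauth required pam_sepermit.so\nauth sufficient pam_radius_auth.so client_id=LinuxPAM\nauth substack password-auth\nauth include postlogin\n' > "$tmp/sshd"
printf 'ChallengeResponseAuthentication yes\n#ChallengeResponseAuthentication no\n' > "$tmp/sshd_config"
check_pam_radius_conf "$tmp/pam_radius.conf" && check_secret_perms "$tmp/pam_radius.conf" \
    && check_pam_sshd "$tmp/sshd" && check_sshd_config "$tmp/sshd_config" \
    && echo "all checks passed for $tmp"
```

To check a real host, call the functions with the live paths instead of the constructed files, for example check_pam_sshd /etc/pam.d/sshd.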

Add the Linux server as a RADIUS client in the Mideye Server

See section RADIUS clients in the reference guide.

Troubleshooting

Check RADIUS logs

Check if anything is written to the Mideye RADIUS logs. These can be found in:

Mideye Server\log\radius-messages.log

If nothing is logged, verify that UDP port 1812 is allowed between your Linux server and the Mideye Server.

Contact Mideye support

For further support please contact Mideye support, support@mideye.com, +46854514750.