Background
Both macOS and Linux are able to connect with an Authlogics Authentication Server using the industry standard RADIUS protocol by installing a Pluggable Authentication Module (PAM) to RADIUS authentication add-on. There are various PAM add-ons available from different vendors however this article details integration with FreeRADIUS PAM.
Further background information on Pluggable Authentication Modules can be found here: https://www.linux.com/news/understanding-pam/
Installation Overview
The following installation process was performed on Apple macOS High Sierra (version 10.13.6). Different OS's and versions may vary slightly in their configuration.
- Download, build and install the FreeRADIUS PAM module
- Configure the RADIUS PAM module to connect to the Authlogics Authentication Server via RADIUS
- Integrate the RADIUS PAM module into required login areas within the client OS, e.g. SSH or UI login
Step 1 - Downloading and Installing RADIUS PAM
- Download and extract the PAM Authentication and Accounting module (version 1.4.0 at time of writing). This will be in the form of a TAR GZip file, e.g. pam_radius-release_1_4_0.tar.gz
- To build the .so library, open a Terminal window and run the following commands:
./configure
make
- Copy the compiled library to the PAM folder based on the OS:
macOS: cp pam_radius_auth.so /usr/lib/pam
Linux 32-bit: cp pam_radius_auth.so /lib/security/
Linux 64-bit: cp pam_radius_auth.so /lib64/security/
Apple Warning: The copy may fail depending on the OS type and version. On macOS X El Capitan and later, System Integrity Protection (SIP) prevents writing to protected parts of the OS, including the /usr folder, even when logged on as root. See the Apple documentation for details on how to disable SIP on macOS, then try the copy again.
Step 2 - Configuring the RADIUS PAM client and server
- Create a server configuration file called server in /etc/raddb/. A template file is available however the required content is as follows:
[radius-server]{:[port]} [shared-secret] [timeout]
The :port entry is optional if a standard RADIUS port is being used. The timeout value is in seconds, e.g.:
radius.server.com Pa55w0rd 10
- Follow the Authlogics Authentication Server Installation and Configuration Guide for instructions on how to configure the server side of the RADIUS setup.
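The server file above is a one-line-per-server format that also holds the shared secret, so two things are worth checking before the module is wired into a login path: that every entry parses (host, optional port, secret, timeout) and that the file is root-owned and not readable by other users. The following is an added example written for this article, not code from the pam_radius project or from Authlogics; it assumes that comment lines start with # and that an omitted port means the standard RADIUS authentication port 1812 (pam_radius's own defaults may differ), and the sample entries are constructed.

```python
import os
import re
import stat

# Line format from the article: [radius-server]{:[port]} [shared-secret] [timeout]
# The :port part is optional; when absent this parser assumes the standard RADIUS
# authentication port, 1812 (an assumption of this example, not a pam_radius guarantee).
DEFAULT_PORT = 1812
SERVER_LINE = re.compile(
    r"^(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?\s+"
    r"(?P<secret>\S+)\s+(?P<timeout>\d+)\s*$"
)


def parse_server_line(line):
    """Parse one entry; return a dict, None for blank/comment lines, or raise ValueError."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    m = SERVER_LINE.match(text)
    if not m:
        raise ValueError(f"malformed entry: {line!r}")
    port = int(m.group("port")) if m.group("port") else DEFAULT_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    timeout = int(m.group("timeout"))
    if timeout < 1:
        raise ValueError(f"timeout must be at least 1 second: {timeout}")
    return {"host": m.group("host"), "port": port,
            "secret": m.group("secret"), "timeout": timeout}


def parse_server_file(text):
    """Parse the whole file, reporting the line number of the first bad entry."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_server_line(line)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        if entry is not None:
            entries.append(entry)
    if not entries:
        raise ValueError("no server entries found")
    return entries


def mode_problems(mode, uid):
    """The file holds the shared secret: it should be root-owned and unreadable by
    anyone else. Returns a list of human-readable problems (empty when fine)."""
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"group/other have access (mode {stat.S_IMODE(mode):04o})")
    return problems


def check_server_file(path="/etc/raddb/server"):
    """Parse the real file and report permission problems; returns (entries, problems)."""
    st = os.stat(path)
    with open(path) as fh:
        entries = parse_server_file(fh.read())
    return entries, mode_problems(st.st_mode, st.st_uid)


# Constructed sample mirroring the article's example line, plus a second server on
# the legacy port 1645 (both hosts and secrets are made up for illustration).
SAMPLE = """\
# primary Authlogics server, standard port
radius.server.com Pa55w0rd 10
# secondary, explicit legacy port
10.0.0.5:1645 s3cret 3
"""

if __name__ == "__main__":
    for e in parse_server_file(SAMPLE):
        print(e["host"], e["port"], e["timeout"])
    # a 0644 file would expose the shared secret to every local user
    print(mode_problems(0o100644, 0))
```

Run it against the real file with check_server_file() after Step 2; a non-empty problems list means the shared secret is readable by more than root, which is worth fixing before the module goes into any /etc/pam.d/ file.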
Step 3 - Integrate the RADIUS PAM client with OS logins
PAM modules may be integrated into various login types, e.g. OS login, sshd, su, sudo etc. The list of login types available for the target OS is located at /etc/pam.d/. Each file in the /etc/pam.d/ folder must be configured for PAM as required. Care must be taken here: different settings may be required for different components, and some may not need to be configured at all. Modify the appropriate file to integrate the RADIUS PAM module with a specific login type.
Common files to edit are:
File name | Detail |
/etc/pam.d/sshd | Secure Shell (SSH) logins. Ensure Remote Logins are enabled in macOS System Preferences. |
/etc/pam.d/sudo | SUDO command line / terminal access. |
/etc/pam.d/authorization | OS Logon screen |
/etc/pam.d/screensaver | OS unlock screen |
Editing the files in the /etc/pam.d/ folder involves adding a new line that specifies under what conditions RADIUS PAM should be used, in the following format:
auth [control] /usr/lib/pam/pam_radius_auth.so [options]
Care should be taken to add the correct control value for the platform and login type. Details of each control and its behaviour are as follows:
- required
- All required modules in a file must pass for a successful result. If one or more of the required modules fail, all of the required modules in the file will be attempted, but the error from the first failed required module is returned.
- requisite
- Similar to required except that if a requisite module fails, no further modules in the file are processed and it immediately returns the first failure code from a required or requisite module.
- sufficient
- If a module flagged as sufficient succeeds and no previous required or sufficient modules have failed, all remaining modules in the file are ignored and success is returned.
- optional
- If none of the modules in the file are required and no sufficient modules have succeeded, then at least one optional module for the service must succeed. If another module in the file is successful, a failure in an optional module is ignored.
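The four control values interact with the order of lines in a file, and the order decides whether the RADIUS module is actually consulted: a sufficient module that succeeds before the RADIUS line is reached ends the stack with success, so the OTP is never asked for. The following is an added example written for this article, not code from the pam_radius project or from Authlogics: it parses the auth line format shown above, simulates a stack with the four semantics as described, and flags a file where a login can succeed while pam_radius_auth fails. The sample stacks and the module name pam_unix.so in them are constructed for illustration and are not copied from any real /etc/pam.d file.

```python
import os
from dataclasses import dataclass


@dataclass
class Module:
    name: str      # module file name, e.g. pam_radius_auth.so
    control: str   # required | requisite | sufficient | optional
    result: bool   # simulated outcome of this module for one login attempt


def load_auth_stack(pam_text, outcomes):
    """Parse 'auth <control> <module> [options]' lines into a stack. `outcomes`
    maps a module file name to the result it should simulate; a module absent
    from the map is treated as failing."""
    stack = []
    for line in pam_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "auth":
            continue  # comments, blank lines and non-auth entries are skipped
        name = os.path.basename(parts[2])
        stack.append(Module(name, parts[1], outcomes.get(name, False)))
    return stack


def evaluate_stack(stack):
    """Evaluate an auth stack with the required/requisite/sufficient/optional
    semantics described above. Returns (success, trace), where trace lists the
    modules that were actually consulted, in order."""
    trace = []
    first_required_failure = None
    optional_succeeded = False
    has_required = any(m.control in ("required", "requisite") for m in stack)
    for m in stack:
        trace.append(m.name)
        if m.control == "required":
            if not m.result and first_required_failure is None:
                first_required_failure = m.name   # keep going, report this one at the end
        elif m.control == "requisite":
            if not m.result:
                return False, trace               # stop immediately
        elif m.control == "sufficient":
            if m.result and first_required_failure is None:
                return True, trace                # remaining modules are ignored
        elif m.control == "optional":
            optional_succeeded = optional_succeeded or m.result
        else:
            raise ValueError(f"unknown control {m.control!r} for {m.name}")
    if first_required_failure is not None:
        return False, trace
    if has_required:
        return True, trace
    return optional_succeeded, trace   # no required modules: an optional one must have passed


def otp_bypassable(pam_text, otp_module="pam_radius_auth.so"):
    """True if a login through this file can succeed with every other module
    passing and the OTP module failing (or never being consulted)."""
    names = {m.name for m in load_auth_stack(pam_text, {})}
    outcomes = {n: n != otp_module for n in names}
    ok, _trace = evaluate_stack(load_auth_stack(pam_text, outcomes))
    return ok


# Constructed sample stacks (illustration only, not real /etc/pam.d contents).
STRONG_STACK = """\
# local password first, then the OTP via RADIUS; both must pass
auth required /usr/lib/pam/pam_unix.so
auth required /usr/lib/pam/pam_radius_auth.so force_prompt prompt=Authlogics
"""

WEAK_STACK = """\
# misordered: a local password alone is sufficient, so the RADIUS line is never reached
auth sufficient /usr/lib/pam/pam_unix.so
auth required /usr/lib/pam/pam_radius_auth.so
"""

if __name__ == "__main__":
    for label, text in (("strong", STRONG_STACK), ("weak", WEAK_STACK)):
        ok, trace = evaluate_stack(load_auth_stack(text, {"pam_unix.so": True, "pam_radius_auth.so": True}))
        print(f"{label}: success={ok}, consulted={trace}, otp bypassable={otp_bypassable(text)}")
```

Running otp_bypassable over each file you edit in /etc/pam.d/ gives a quick regression check after the RADIUS line is added: it should report False for every login type where the OTP is meant to be mandatory.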
Secure Shell (SSH) and OTP
On Linux, edit the SSH configuration file (sshd_config) to ask for an OTP code as a second-factor authentication.
File name | Detail |
/etc/ssh/sshd_config | Find and comment out the line ChallengeResponseAuthentication no and add a new configuration line ChallengeResponseAuthentication yes. This line lets SSH ask for a Challenge Response. |
/etc/ssh/sshd_config | Let SSH know to ask for both an SSH key and a verification code to authenticate us. SSH checks for an SSH key pair (publickey) and then the OTP code (keyboard-interactive). At the bottom of the file, add: |
After saving the config file, restart the SSH service to apply the changes:
systemctl restart sshd
SUDO Sample
To add RADIUS PAM as a required authentication type to SUDO add the following line to the sudo file on macOS:
auth required /usr/lib/pam/pam_radius_auth.so force_prompt prompt=Authlogics
macOS Desktop Logon Sample
Note: Some options may not work with all logon types, for example, the prompt option does not work with macOS OS logon but it does for SUDO.
To add RADIUS PAM as a sufficient authentication type to macOS Desktop Logon add the following line to the authorization file on macOS:
auth sufficient /usr/lib/pam/pam_radius_auth.so