Implementation Guide PAM RADIUS

DualShield
for
PAM RADIUS
Implementation Guide
(Version 5.4)

Copyright 2012
Deepnet Security Limited

Copyright 2012, Deepnet Security. All Rights Reserved. Page 1

Implementation Guide PAM RADIUS

Trademarks

Deepnet Unified Authentication, MobileID, QuickID, PocketID, SafeID, GridID, FlashID,

SmartID, TypeSense, VoiceSense, MobilePass, DevicePass, RemotePass and Site Stamp
are trademarks of Deepnet Security Limited. All other brand names and product names
are trademarks or registered trademarks of their respective owners.

Copyrights

Under the international copyright law, neither the Deepnet Security software or
documentation may be copied, reproduced, translated or reduced to any electronic
medium or machine readable form, in whole or in part, without the prior written consent
of Deepnet Security.

Licence Conditions

Please read your licence agreement with Deepnet carefully and make sure you
understand the exact terms of usage. In particular, for which projects, on which
platforms and at which sites, you are allowed to use the product. You are not allowed to
make any modifications to the product. If you feel the need for any modifications, please
contact Deepnet Security.

Disclaimer

This document is provided as is without warranty of any kind, either expressed or

implied, including, but not limited to, the implied warranties of merchantability, fitness
for a particular purpose, or non-infringement.

This document could include technical inaccuracies or typographical errors. Changes are
periodically made to the information herein; these changes will be incorporated in new
editions of the document. Deepnet Security may make improvements of and/or changes
to the product described in this document at any time.

Contact

If you wish to obtain further information on this product or any other Deepnet Security
products, you are always welcome to contact us.

Deepnet Security Limited

Northway House
1379 High Road
London N20 9LP
United Kingdom

Tel: +44(0)20 8343 9663

Fax: +44(0)20 8446 3182
Web: www.deepnetsecurity.com
Email: support@deepnetsecurity.com

Copyright 2012, Deepnet Security. All Rights Reserved. Page 2

Implementation Guide PAM RADIUS

Table of Contents

Overview ......................................................................................... 4
RedHat Fedora - CentOS ................................................................. 5
Installation ........................................................................................................ 5
Configuration ..................................................................................................... 5

Ubuntu ............................................................................................ 6
Installation ........................................................................................................ 6
Configuration ..................................................................................................... 6

Compile & Install PAM RADIUS module manually .................................. 7

Troubleshooting ............................................................................... 8

Copyright 2012, Deepnet Security. All Rights Reserved. Page 3

Implementation Guide PAM RADIUS

Overview
DualShield can be easily added to any Linux and Unix system to protect remote or local
logins with two-factor authentication via the PAM RADIUS module. Due to the limitations
in RADIUS authentication protocol, only one-time password (OTP) based authentication
methods are supported.

DualShield provides a wide selection of portable OTP tokens in a variety of form factors,
ranging from hardware tokens, software tokens, mobile tokens to USB tokens. These
include:

Deepnet SafeID
Deepnet MobileID
Deepnet GridID
Deepnet CryptoKey
RSA SecurID
VASCO DigiPass Go
OATH-compliant OTP tokens

In addition to the support of one-time password, DualShield also supports on-demand

password for VPN authentication. The product that provides on-demand password in the
DualShield platform is Deepnet T-Pass. Deepnet T-Pass is an on-demand, token-less
strong authentication that delivers logon passwords via SMS texts, phone calls, twitter
direct messages or email messages.
The complete solution consists of the following components:

DualShield Authentication Server

DualShield Radius Server
PAM RADIUS module

For the general instructions of installation and configuration of the DualShield

Authentication Server, please refer to the following documents:

DualShield Unified Authentication Platform Installation Guide

DualShield Unified Authentication Platform Quick Start Guide
DualShield Unified Authentication Platform Administration Guide

For the general instructions of installation and configuration of the DualShield RADIUS
Server, please refer to the following documents:

VPN & RADIUS - Implementation Guide

Copyright 2012, Deepnet Security. All Rights Reserved. Page 4

Implementation Guide PAM RADIUS

RedHat Fedora - CentOS

Installation
To install the PAM RADIUS module on RedHat, Fedora or CentOS, run the command
below:

$ sudo yum install pam_radius

Configuration
Once the PAM RADIUS module has been successfully installed, you will need to edit the
file: /etc/pam_radius.conf

$ sudo vi /etc/pam_radius.conf

Modify the line below:

other-server other-secret 3

Change other-server to the IP address of your DualShield RADIUS server, other-

secret to the shared secret.

Now, the configuration of the PAM RADIUS module is done. To enable the module for an
application, you need to edit the configuration file in the /etc/pam.d directory. For
examples, to protect the GDM (GNOME Display Manager) GUI login, you need to edit the
file /etc/pam.d/gdm-password. To protect the SSH login, you need to edit the file
/etc/pam.d/sshd.

1. open the configuration file /etc/pam.d/gdm-password or /etc/pam.d/sshd, in a

text editor

2. locate the line below:

auth substack password-auth

3. insert the line below:

auth sufficient pam_radius_auth.so

i.e.

auth sufficient pam_radius_auth.so

auth substack password-auth

Copyright 2012, Deepnet Security. All Rights Reserved. Page 5

Implementation Guide PAM RADIUS

Ubuntu

Installation
To install the PAM RADIUS module on Ubuntu, run the command below:

$ sudo apt-get install libpam-radius-auth

Configuration
Once the PAM RADIUS module has been successfully installed, you will need to edit the
file: /etc/pam_radius_auth.conf

$ sudo vim /etc/pam_radius_auth.conf

Change other-server to the IP address of your DualShield RADIUS server, other-

secret to the shared secret.

Now, the configuration of the PAM RADIUS module is done. To enable the module for an
application, you need to edit the configuration file in the /etc/pam.d directory. For
examples, to protect the GDM (GNOME Display Manager) GUI login, you need to edit the
file /etc/pam.d/gdm-password. To protect the SSH login, you need to edit the file
/etc/pam.d/sshd.

1. open the configuration file /etc/pam.d/gdm-password or /etc/pam.d/sshd, in a

text editor

2. locate the line below:

# Standard Un*x authentication.

@include common-auth

3. insert the line below:

auth sufficient pam_radius_auth.so

i.e.

auth sufficient pam_radius_auth.so

# Standard Un*x authentication.
@include common-auth

Copyright 2012, Deepnet Security. All Rights Reserved. Page 6

Implementation Guide PAM RADIUS

Compile & Install PAM RADIUS module manually

If you have to manually compile the PAM RADIUS module for your Linux or Unix system,
follow the instructions below:

1. Download

Download latest PAM RADIUS source code from

http://freeradius.org/pam_radius_auth/

2. Build

Extract and build it

$ tar -zxvf pam_radius-1.3.17.tar.gz

$ cd pam_radius-1.3.17

$ make

3. Install

Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so or /lib64/

security/pam_radius_auth.so if you are using 64-bit linux

$ sudo cp pam_radius_auth.so /lib/security/

4. Configuration

The configuration of the PAM RADIUS module is similar on all Linux distributions.
Please refer to previous examples.

Copyright 2012, Deepnet Security. All Rights Reserved. Page 7

Implementation Guide PAM RADIUS

Troubleshooting

1. If SELinux is enforced, with some old selinux versions, when you enable
pam_radius_auth for SSH login, selinux may block the sshd from binding udp port.
To work around it:

https://bugzilla.redhat.com/show_bug.cgi?id=647043

Create a file named mysshd.te with the content below:

policy_module(mysshd, 1.0)

gen_require(`

type sshd_t;

')

corenet_udp_bind_all_unreserved_ports(sshd_t)

Then execute the following commands

$ make -f /usr/share/selinux/devel/Makefile

$ semodule -i mysshd.pp

2. Check the log file is always helpful:

$ sudo tail -f /var/log/auth.log

or

$ sudo tail -f /var/log/messages

3. You can also enable the debug log for pam_radius_auto.so, for example:

auth sufficient pam_radius_auth.so debug

4. It is possible to use different configuration file for pam_radius_auto.so, e.g.

auth sufficient pam_radius_auth.so debug conf=/etc/raddb/server

Copyright 2012, Deepnet Security. All Rights Reserved. Page 8