Protect Console Login to Ubuntu
Technical Support
Last Update 4 months ago
This article covers protecting (physical) console access to Ubuntu. If you want to protect SSH access, see the article Protect SSH to Ubuntu.
- Open the console for your Ubuntu host
- Run command: sudo apt-get install libpam-radius-auth
- Open pam_radius_auth.conf file: sudo vim /etc/pam_radius_auth.conf
- Replace the contents of the file with a single line with the following:
(and replace the IP address with the IP address of your LoginTC RADIUS Connector web appliance and YOUR_RADIUS_SECRET with your actual RADIUS secret)
NOTE: Backup and Testing
It is strongly recommended to take a backup or snapshot of your host before performing the following steps. A misconfiguration may lock you out of your host.
Option 1: Use only LoginTC RADIUS Connector for authentication
Open the login config file: sudo vim /etc/pam.d/login
Add the following line above @include common-auth:
Test by accessing the console. The username of the UNIX user must match the username of the user created in your organization and added to the domain you have configured to authenticate against.
Option 2: Use local password authentication AND LoginTC RADIUS Connector for authentication
Add the following line below @include common-auth:
Test by accessing the console. The username must match the username of the user created in your LoginTC organization.
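A pre-flight check for the steps above, added here as an example (it is not part of the original article or LoginTC code), to run from a second root session before you log out of the working one. It assumes the module file name pam_radius_auth.so installed by libpam-radius-auth and the "server secret timeout" field order of pam_radius_auth.conf; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not LoginTC code. Function names are hypothetical.

# check_radius_conf FILE: prints "ok" or the first problem found.
check_radius_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read file"; return 1; }
    active='!/^[ \t]*(#|$)/'    # awk pattern: skip blank and comment lines
    n=$(awk "$active {c++} END {print c+0}" "$conf")
    # Assumed field order: server[:port] shared_secret [timeout]
    secret=$(awk "$active {print \$2; exit}" "$conf")
    if [ "$n" -ne 1 ]; then echo "expected 1 active line, found $n"; return 1; fi
    if [ -z "$secret" ]; then echo "no shared secret field"; return 1; fi
    if [ "$secret" = "YOUR_RADIUS_SECRET" ]; then
        echo "placeholder secret"; return 1
    fi
    # The file holds the RADIUS secret, so it must not be world-readable.
    if [ -n "$(find "$conf" -prune -perm -004)" ]; then
        echo "world-readable"; return 1
    fi
    echo "ok"
}

# check_pam_order FILE: prints where the first active pam_radius_auth.so
# line sits relative to "@include common-auth":
#   above = Option 1 placement, below = Option 2 placement.
check_pam_order() {
    awk '
        /^[ \t]*#/ { next }
        /pam_radius_auth\.so/ && !r { r = NR }
        /^[ \t]*@include[ \t]+common-auth/ && !i { i = NR }
        END {
            if (!r)         print "no-radius"
            else if (!i)    print "no-common-auth"
            else if (r < i) print "above"
            else            print "below"
        }' "$1"
}

# Run as: sh preflight.sh /etc/pam_radius_auth.conf /etc/pam.d/login
if [ $# -eq 2 ]; then
    echo "radius conf: $(check_radius_conf "$1")"
    echo "pam order:   $(check_pam_order "$2")"
fi
```

A result of "no-radius" or "no-common-auth" means the edit to /etc/pam.d/login did not land where either option expects, so fix it before closing your existing session.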
NOTE: User Accounts Must Exist Locally
All usernames that are being authenticated must exist locally on the Ubuntu host as a local account, even if the username and password are being authenticated on the LoginTC RADIUS Connector. For example, if you want an AD user (jdoe) to authenticate to the Ubuntu host, you must ensure that jdoe already exists on the Ubuntu host. To create a user with an empty password on the Ubuntu host:
NOTE: Uninstallation
