Protect SSH to Ubuntu

How to add SSH using PAM RADIUS module with LoginTC:

  1. SSH into your Ubuntu host
  2. Run command: sudo apt-get install libpam-radius-auth
  3. Open pam_radius_auth.conf file: sudo vim /etc/pam_radius_auth.conf
  4. Replace the contents of the file with a single line with the following:

10.0.10.118 YOUR_RADIUS_SECRET 60

(and replace the IP address with the IP address of your LoginTC RADIUS Connector web appliance and YOUR_RADIUS_SECRET with your actual RADIUS secret)


5. Open sshd config file: sudo vim /etc/pam.d/sshd

Option 1: Use only LoginTC RADIUS Connector for authentication

Add the following line above @include common-auth:

auth required pam_radius_auth.so

Comment out @include common-auth:

#@include common-auth

The first few lines of the file should look like this:

# PAM configuration for the Secure Shell service

auth required pam_radius_auth.so

# Standard Un*x authentication.

#@include common-auth

Option 2: Use local password authentication AND LoginTC RADIUS Connector for authentication

Add the following line below @include common-auth:

auth required pam_radius_auth.so use_first_pass

The first few lines of the file should look like this:

# PAM configuration for the Secure Shell service

# Standard Un*x authentication.

@include common-auth

auth required pam_radius_auth.so use_first_pass

Test by accessing SSH. The username of the UNIX user must match the username of the user created in your organization and added to the domain you have configured to authenticate against.

SSH and Challenge Authentication Mode

To leverage the Challenge Authentication Mode when performing SSH, ensure the /etc/ssh/sshd_config file has the following:

ChallengeResponseAuthentication yes

or

KbdInteractiveAuthentication yes

Testing

We recommend extensive testing prior to applying these configurations in a production environment. Console login should be accessible during testing as a fallback.

Uninstallation

Revert changes made to /etc/pam.d/sshd.

Was this article helpful?

1 out of 1 liked this article

Still need help? Message Us