Protect SSH to Ubuntu

This article is for protecting Ubuntu SSH access. If you want to protect the Ubuntu (physical) console access, see the article Protect Console Login to Ubuntu.

How to protect SSH using the PAM RADIUS module with LoginTC:

  1. SSH into your Ubuntu host
  2. Run command: sudo apt-get install libpam-radius-auth
  3. Open pam_radius_auth.conf file: sudo vim /etc/pam_radius_auth.conf
  4. Replace the contents of the file with a single line with the following:

(replace the IP address with the IP address of your LoginTC RADIUS Connector web appliance, and YOUR_RADIUS_SECRET with your actual RADIUS secret)


NOTE: Backup and Testing

It is strongly recommended to take a backup or snapshot of your host prior to performing the following steps. A misconfiguration may lock you out of your host.

We recommend extensive testing prior to applying these configurations in a production environment. Console login should be accessible during testing as a fallback.


Option 1: Use only LoginTC RADIUS Connector for authentication

Open the login config file: sudo vim /etc/pam.d/sshd


Add the following line above @include common-auth:

Comment out @include common-auth:

The first few lines of the file should look like this:

Test by accessing SSH. The username of the UNIX user must match the username of the user created in your LoginTC organization.

Option 2: Use local password authentication AND LoginTC RADIUS Connector for authentication

Open the login config file: sudo vim /etc/pam.d/sshd

Add the following line below @include common-auth:

The first few lines of the file should look like this:

Test by accessing SSH. The username of the UNIX user must match the username of the user created in your LoginTC organization.


NOTE: User Accounts Must Exist Locally

All usernames that are being authenticated must exist locally on the Ubuntu host as a local account, even if the username and password are being authenticated by the LoginTC RADIUS Connector. For example, if you want an AD user (jdoe) to authenticate to the Ubuntu host, you must ensure that jdoe already exists on the Ubuntu host. To create a user with an empty password on the Ubuntu host:


SSH and Challenge Authentication Mode

To leverage the Challenge Authentication Mode when performing SSH, ensure the /etc/ssh/sshd_config file has the following:

or
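The PAM ordering for Option 1 and Option 2 and the sshd_config setting for Challenge Authentication Mode can be checked before you close the fallback console session. This is an added example, not part of the LoginTC article; it assumes the PAM line references pam_radius_auth.so and that challenge mode is enabled by ChallengeResponseAuthentication or KbdInteractiveAuthentication, and it runs against constructed sample files rather than the live configuration.

```shell
#!/bin/sh
# Added example, not part of the LoginTC article: check the /etc/pam.d/sshd and
# /etc/ssh/sshd_config edits described above before closing the console session.
# Assumptions (not stated on the page): the PAM line references
# pam_radius_auth.so, and challenge mode needs either
# ChallengeResponseAuthentication or KbdInteractiveAuthentication set to yes.

# check_pam_sshd FILE MODE: exit 0 when FILE matches MODE.
#   only = Option 1: pam_radius_auth line present, @include common-auth commented out
#   both = Option 2: pam_radius_auth line present and below @include common-auth
# The control flag (required/sufficient) is not checked; use the one the article gives.
check_pam_sshd() {
    file=$1; mode=$2
    radius=$(grep -En '^auth[[:space:]]+.*pam_radius_auth\.so' "$file" | head -1 | cut -d: -f1)
    inc=$(grep -En '^@include[[:space:]]+common-auth' "$file" | head -1 | cut -d: -f1)
    [ -n "$radius" ] || return 1
    case $mode in
        only) [ -z "$inc" ] ;;
        both) [ -n "$inc" ] && [ "$radius" -gt "$inc" ] ;;
        *)    return 1 ;;
    esac
}

# check_challenge SSHD_CONFIG: exit 0 when keyboard-interactive (challenge)
# authentication is enabled; sshd_config keywords are case-insensitive.
check_challenge() {
    grep -Eiq '^[[:space:]]*(ChallengeResponseAuthentication|KbdInteractiveAuthentication)[[:space:]]+yes' "$1"
}

# Constructed sample files standing in for /etc/pam.d/sshd and /etc/ssh/sshd_config.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/option1" <<'EOF'
auth required pam_radius_auth.so
#@include common-auth
EOF
cat >"$tmp/option2" <<'EOF'
@include common-auth
auth required pam_radius_auth.so
EOF
cat >"$tmp/wrong" <<'EOF'
auth required pam_radius_auth.so
@include common-auth
EOF
printf 'KbdInteractiveAuthentication yes\n' >"$tmp/sshd_config"
for spec in option1:only option2:both wrong:only wrong:both; do
    f=${spec%%:*}; m=${spec##*:}
    if check_pam_sshd "$tmp/$f" "$m"; then echo "$f as $m: OK"; else echo "$f as $m: MISMATCH"; fi
done
check_challenge "$tmp/sshd_config" && echo "challenge mode enabled"
```

Point the two functions at the real /etc/pam.d/sshd and /etc/ssh/sshd_config to check a host; a MISMATCH means the file does not follow the ordering the chosen option describes.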


Uninstallation

Revert changes made to /etc/pam.d/sshd.
