Protect SSH to Ubuntu
How to protect SSH using the PAM RADIUS module with LoginTC:
1. SSH into your Ubuntu host
2. Install the PAM RADIUS module: sudo apt-get install libpam-radius-auth
3. Open the pam_radius_auth.conf file: sudo vim /etc/pam_radius_auth.conf
4. Replace the contents of the file with a single line containing the following:
10.0.10.118 YOUR_RADIUS_SECRET 60
(replace the IP address with the IP address of your LoginTC RADIUS Connector web appliance and YOUR_RADIUS_SECRET with your actual RADIUS secret)
5. Open the PAM configuration file for sshd: sudo vim /etc/pam.d/sshd
Option 1: Use only LoginTC RADIUS Connector for authentication
Add the following line above @include common-auth:
auth required pam_radius_auth.so
Comment out @include common-auth:
#@include common-auth
The first few lines of the file should look like this:
# PAM configuration for the Secure Shell service
auth required pam_radius_auth.so
# Standard Un*x authentication.
#@include common-auth
Option 2: Use local password authentication AND LoginTC RADIUS Connector for authentication
Add the following line below @include common-auth:
auth required pam_radius_auth.so use_first_pass
The first few lines of the file should look like this:
# PAM configuration for the Secure Shell service
# Standard Un*x authentication.
@include common-auth
auth required pam_radius_auth.so use_first_pass
Test by accessing SSH. The username of the UNIX user must match the username of the user created in your organization and added to the domain you have configured to authenticate against.
SSH and Challenge Authentication Mode
To leverage the Challenge Authentication Mode when performing SSH, ensure the /etc/ssh/sshd_config file has the following:
ChallengeResponseAuthentication yes
or
KbdInteractiveAuthentication yes
Testing
We recommend extensive testing prior to applying these configurations in a production environment. Console login should be accessible during testing as a fallback.
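As part of that testing, the script below is an added example (not LoginTC's own code) that checks the three files edited above and reports which of the two options /etc/pam.d/sshd is in. The function names and the check.sh file name are hypothetical, and it assumes GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: read-only checks for the three files edited above.
# Function names are hypothetical; each takes the file path as $1.

# Classify /etc/pam.d/sshd from its active (uncommented) lines:
# "radius-only" is Option 1, "password+radius" is Option 2.
pam_mode() {
    awk '
        $1 ~ /^#/ { next }
        $1 == "@include" && $2 == "common-auth" { inc = NR }
        $1 == "auth" && /pam_radius_auth\.so/ {
            rad = NR
            ufp = ($0 ~ /use_first_pass/)
        }
        END {
            if (!rad)                  print "no-radius"
            else if (!inc)             print "radius-only"
            else if (rad > inc && ufp) print "password+radius"
            else                       print "unrecognized"
        }' "$1"
}

# pam_radius_auth.conf holds the shared secret: expect a single server
# line, no leftover placeholder, and no group/other permission bits.
radius_conf_ok() {
    lines=$(awk '$1 !~ /^#/ && NF' "$1")
    [ "$(printf '%s\n' "$lines" | grep -c .)" -eq 1 ] || return 1
    case "$lines" in *YOUR_RADIUS_SECRET*) return 1 ;; esac
    case "$(stat -c '%a' "$1")" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Challenge mode needs one of the two sshd_config settings set to yes.
# Reads this one file only; Include files and Match blocks are ignored.
challenge_enabled() {
    grep -Eiq '^[[:space:]]*(ChallengeResponseAuthentication|KbdInteractiveAuthentication)[[:space:]]+yes' "$1"
}

# Run against the live files with: sudo sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "PAM mode: $(pam_mode /etc/pam.d/sshd)"
    radius_conf_ok /etc/pam_radius_auth.conf || echo "review /etc/pam_radius_auth.conf"
    challenge_enabled /etc/ssh/sshd_config || echo "keyboard-interactive is off"
fi
```

If sshd_config pulls in Include files, sshd -T prints the effective settings and is the more reliable check for the last item.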
Uninstallation
Revert changes made to /etc/pam.d/sshd.