This shows you the differences between two versions of the page.
aix:user_radius [2022/02/21 09:27] manu created |
aix:user_radius [2022/12/06 14:30] (current) manu |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== PAM with Radius ====== | ====== PAM with Radius ====== | ||
+ | |||
+ | Radius is available in standard AIX packages, but only for AIX standard authentification. | ||
There is no support for RADIUS on AIX PAM. So you have to compile the module | There is no support for RADIUS on AIX PAM. So you have to compile the module | ||
+ | |||
+ | Mobile Pass token in the challenge response mode is configured for authentication | ||
+ | |||
+ | https://supportportal.gemalto.com/csm/sys_attachment.do?sys_id=d538e7741b5cc450f2888739cd4bcb75 | ||
+ | |||
+ | |||
+ | ===== Compilation ===== | ||
+ | |||
+ | In a web browser, open the following link to download Pamradius 1.4.0 rpm: | ||
+ | http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/ | ||
+ | |||
+ | ==== Pam-auth Prerequisites ==== | ||
+ | |||
+ | To enable radius authentication we need to install and configure pam_radius on AIX. Following are the dependencies for pam_radius: | ||
+ | gcc | ||
+ | gcc-c++ | ||
+ | gcc-cpp | ||
+ | gettext | ||
+ | gmp | ||
+ | gmp-devel | ||
+ | info | ||
+ | libcommon | ||
+ | libcommon-devel | ||
+ | libgcc | ||
+ | libmpc | ||
+ | libisgsegv | ||
+ | libsigsegv-devel | ||
+ | libstdc++ | ||
+ | libstdc++-devel | ||
+ | lzlib | ||
+ | lzlib-devel | ||
+ | m4 | ||
+ | mpfr | ||
+ | mpfr-devel | ||
+ | zlib | ||
+ | zlib-devel | ||
+ | |||
+ | Perform the following steps to modify the pam_radius-1.4.0/src/pam_radius_auth.h file. | ||
+ | |||
+ | i. Run the following commands: | ||
+ | <cli> | ||
+ | cd pam_radius-1.4.0 | ||
+ | vi src/pam_radius_auth.h | ||
+ | </cli> | ||
+ | |||
+ | ii. On line 80, add "# define __sun", just before | ||
+ | |||
+ | <code> | ||
+ | #ifndef CONST There are two underscores before sun and there is a space between define and underscores. | ||
+ | </code> | ||
+ | |||
+ | After modification, the code will be changed to: | ||
+ | <code> | ||
+ | /************************************************************************* | ||
+ | * Platform specific defines | ||
+ | *************************************************************************/ | ||
+ | #define __sun #ifndef CONST # if defined(__sun) || defined(__linux__) || defined(__FreeBSD__) || defined(__APPLE__) /* | ||
+ | </code> | ||
+ | |||
+ | iii. Save the file. | ||
+ | |||
+ | d. Run the following commands to configure and compile. | ||
+ | |||
+ | i. bash-4.3# ./configure | ||
+ | |||
+ | ii. bash-4.3# make | ||
+ | |||
+ | e. Run the following command: | ||
+ | <cli> | ||
+ | gcc -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o | ||
+ | </cli> | ||
+ | f. Run the following command: | ||
+ | <cli> | ||
+ | gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so | ||
+ | </cli> | ||
+ | |||
+ | ===== Configuration ===== | ||
+ | |||
+ | 3. After the compilation is complete, | ||
+ | <code> | ||
+ | copy the pam_radius_auth.so file to /usr/lib/security/ cp | ||
+ | pam_radius_auth.so /usr/lib/security/ | ||
+ | </code> | ||
+ | |||
+ | 4. Run the following commands to configuring the RADIUS server in pam_radius: | ||
+ | <cli> | ||
+ | mkdir /etc/raddb | ||
+ | cp pam_radius_auth.conf /etc/raddb/server | ||
+ | chown root /etc/raddb | ||
+ | chmod go-rwx /etc/raddb | ||
+ | chmod go-rwx /etc/raddb/server | ||
+ | </cli> | ||
+ | 5. Add the RADIUS server hostname or IP Address in /etc/raddb/server in following format: | ||
+ | <cli> | ||
+ | radius_server <secret code> <timemout> | ||
+ | </cli> | ||
+ | | ||
+ | 6. Enable SSH for pam_radius authentication using PAM. Add the following lines at the end of /etc/pam.conf to enable ssh to use pam_radius: | ||
+ | <cli> | ||
+ | #SSHD | ||
+ | sshd auth required /usr/lib/security/pam_radius_auth.so | ||
+ | sshd account required /usr/lib/security/pam_aix | ||
+ | sshd password required /usr/lib/security/pam_aix | ||
+ | sshd session required /usr/lib/security/pam_aix | ||
+ | </cli> | ||
+ | |||
+ | 7. Modify the /etc/security/login.cfg file. Change “auth_type = STD_AUTH” to “auth_type = PAM_AUTH”. | ||
+ | |||
+ | 8. Update the following parameter in /etc/ssh/sshd_config: | ||
+ | <cli> | ||
+ | PasswordAuthentication no | ||
+ | PermitEmptyPasswords no | ||
+ | UsePrivilegeSeparation no | ||
+ | ChallengeResponseAuthentication yes | ||
+ | UsePAM yes | ||
+ | </cli> | ||
+ | |||
+ | 9. Run the following command to restart the sshd service: | ||
+ | <cli> | ||
+ | stopsrc -s sshd ; startsrc -s sshd | ||
+ | </cli> | ||
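Review bot: Step 8 adds `UsePrivilegeSeparation no` to /etc/ssh/sshd_config without giving a reason, and that setting turns off sshd privilege separation for every login on the host. If the pam_radius challenge-response flow works with the line left out, drop it; if it does not, state the reason next to the step so the trade-off is visible. In step 6, `sshd auth required /usr/lib/security/pam_radius_auth.so` is the only auth line for sshd, so the page should say how an administrator logs in when the RADIUS server is unreachable. In the Compilation section the source is fetched from a plain http:// mirror and no checksum or signature check is listed before the build; add one. Step 4 runs `chown root` on /etc/raddb but not on /etc/raddb/server, the file that holds the shared secret, so set the owner on the file as well. Smaller points: `<timemout>` in step 5 and `libisgsegv` in the prerequisites look like typos for `<timeout>` and `libsigsegv`; in step ii the instruction sentence has run into the `#ifndef CONST` code line, and the "after modification" block shows `#define __sun` and `#ifndef CONST` on a single line, which would not do what the step intends if copied as written.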