====== PAM with Radius ======
RADIUS is available in standard AIX packages, but only for AIX standard authentication.
There is no support for RADIUS in AIX PAM, so you have to compile the module.
Mobile Pass token in the challenge-response mode is configured for authentication:
https://supportportal.gemalto.com/csm/sys_attachment.do?sys_id=d538e7741b5cc450f2888739cd4bcb75
===== Compilation =====
In a web browser, open the following link to download Pamradius 1.4.0 rpm:
http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/
==== Pam-auth Prerequisites ====
To enable RADIUS authentication, pam_radius has to be installed and configured on AIX. pam_radius has the following dependencies:
gcc
gcc-c++
gcc-cpp
gettext
gmp
gmp-devel
info
libcommon
libcommon-devel
libgcc
libmpc
libsigsegv
libsigsegv-devel
libstdc++
libstdc++-devel
lzlib
lzlib-devel
m4
mpfr
mpfr-devel
zlib
zlib-devel
Perform the following steps to modify the pam_radius-1.4.0/src/pam_radius_auth.h file.
i. Run the following commands:
cd pam_radius-1.4.0
vi src/pam_radius_auth.h
ii. On line 80, add "# define __sun" just before "#ifndef CONST". There are two underscores before sun, and there is a space between define and the underscores.
After modification, the code will be changed to:
/*************************************************************************
* Platform specific defines
*************************************************************************/
#define __sun
#ifndef CONST
# if defined(__sun) || defined(__linux__) || defined(__FreeBSD__) || defined(__APPLE__)
/*
iii. Save the file.
d. Run the following commands to configure and compile.
i. bash-4.3# ./configure
ii. bash-4.3# make
e. Run the following command:
gcc -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o
f. Run the following command:
gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so
===== Configuration =====
3. After the compilation is complete, copy the pam_radius_auth.so file to /usr/lib/security/:
cp pam_radius_auth.so /usr/lib/security/
4. Run the following commands to configure the RADIUS server in pam_radius:
mkdir /etc/raddb
cp pam_radius_auth.conf /etc/raddb/server
chown root /etc/raddb
chmod go-rwx /etc/raddb
chmod go-rwx /etc/raddb/server
5. Add the RADIUS server hostname or IP address to /etc/raddb/server in the following format:
radius_server
6. Enable SSH for pam_radius authentication using PAM. Add the following lines at the end of /etc/pam.conf to enable ssh to use pam_radius:
#SSHD
sshd auth required /usr/lib/security/pam_radius_auth.so
sshd account required /usr/lib/security/pam_aix
sshd password required /usr/lib/security/pam_aix
sshd session required /usr/lib/security/pam_aix
7. Modify the /etc/security/login.cfg file. Change “auth_type = STD_AUTH” to “auth_type = PAM_AUTH”.
8. Update the following parameters in /etc/ssh/sshd_config:
PasswordAuthentication no
PermitEmptyPasswords no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
UsePAM yes
9. Run the following command to restart the sshd service:
stopsrc -s sshd ; startsrc -s sshd
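
The check below is an added example, not part of the original procedure or of pam_radius: a POSIX shell function that verifies the settings from steps 4 to 8 (the sshd_config keywords, the sshd auth entry in /etc/pam.conf, auth_type in login.cfg, and group/other permissions under /etc/raddb). The function names and the optional path prefix argument are this example's own, and it assumes sshd_config uses plain "Keyword value" lines with no Match blocks.

```shell
#!/bin/sh
# Added example, not from the original page. Audits the files edited above.
# $1 is an optional path prefix, to check a staged copy instead of the live system.

# sshd uses the first occurrence of a keyword; keywords are case-insensitive.
# Assumption: "Keyword value" lines, no Match blocks.
sshd_value() {  # $1=file $2=keyword
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1" 2>/dev/null
}

# Prints "------" when group and other have no permission bits on $1.
go_perms() { ls -ld "$1" 2>/dev/null | cut -c5-10; }

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

audit_pam_radius() {
    root=${1:-}; fails=0
    while read -r key want; do
        got=$(sshd_value "$root/etc/ssh/sshd_config" "$key")
        [ "$got" = "$want" ] || fail "sshd_config: $key is '${got:-unset}', expected $want"
    done <<EOF
PasswordAuthentication no
PermitEmptyPasswords no
UsePrivilegeSeparation no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    # The first sshd auth entry must be the RADIUS module: an earlier "sufficient"
    # module would let a login succeed before RADIUS is consulted.
    awk '$1 == "sshd" && $2 == "auth" { print $3, $4; exit }' "$root/etc/pam.conf" 2>/dev/null |
        grep -q '^required .*/pam_radius_auth\.so$' ||
        fail "pam.conf: first sshd auth entry is not 'required .../pam_radius_auth.so'"
    grep -Eq '^[[:space:]]*auth_type[[:space:]]*=[[:space:]]*PAM_AUTH' \
        "$root/etc/security/login.cfg" 2>/dev/null ||
        fail "login.cfg: auth_type is not PAM_AUTH"
    # /etc/raddb/server carries the RADIUS shared secret: no group/other access.
    for p in /etc/raddb /etc/raddb/server; do
        [ "$(go_perms "$root$p")" = "------" ] || fail "$p is accessible to group/other"
    done
    echo "$fails problem(s) found"
    return "$fails"
}
```

Calling audit_pam_radius with no argument as root checks the live system; the return code is the number of failed checks.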