PAM with Radius

RADIUS is available in the standard AIX packages, but only for AIX standard authentication.

There is no support for RADIUS in AIX PAM, so you have to compile the module yourself.

A Mobile Pass token in challenge-response mode is configured for authentication:

https://supportportal.gemalto.com/csm/sys_attachment.do?sys_id=d538e7741b5cc450f2888739cd4bcb75

Compilation

In a web browser, open the following link to download Pamradius 1.4.0 rpm:

http://ftp.cc.uoc.gr/mirrors/ftp.freeradius.org/

Pam-auth Prerequisites

To enable RADIUS authentication, we need to install and configure pam_radius on AIX. The following are the dependencies for pam_radius:

gcc
gcc-c++
gcc-cpp
gettext
gmp
gmp-devel
info
libcommon
libcommon-devel
libgcc
libmpc
libsigsegv
libsigsegv-devel
libstdc++
libstdc++-devel
lzlib
lzlib-devel
m4
mpfr
mpfr-devel
zlib
zlib-devel

Perform the following steps to modify the pam_radius-1.4.0/src/pam_radius_auth.h file.

i. Run the following commands:

  cd pam_radius-1.4.0
  vi src/pam_radius_auth.h

ii. On line 80, add “#define __sun” just before “#ifndef CONST”. There are two underscores before sun, and there is a space between define and the underscores.

After modification, the code will read:

  /*
   * Platform specific defines
   */
  #define __sun
  #ifndef CONST
  # if defined(__sun) || defined(__linux__) || defined(__FreeBSD__) || defined(__APPLE__)
  /*

iii. Save the file.

d. Run the following commands to configure and compile.

i. bash-4.3# ./configure

ii. bash-4.3# make

e. Run the following command:

  gcc -fPIC -c src/pam_radius_auth.c -o pam_radius_auth.o

f. Run the following command:

  gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so

Configuration

3. After the compilation is complete, copy the pam_radius_auth.so file to /usr/lib/security/:

  cp pam_radius_auth.so /usr/lib/security/

4. Run the following commands to configure the RADIUS server in pam_radius:

  mkdir /etc/raddb 
  cp pam_radius_auth.conf /etc/raddb/server 
  chown root /etc/raddb 
  chmod go-rwx /etc/raddb 
  chmod go-rwx /etc/raddb/server

5. Add the RADIUS server hostname or IP address to /etc/raddb/server in the following format:

  radius_server <secret code> <timeout>

6. Enable SSH for pam_radius authentication using PAM. Add the following lines at the end of /etc/pam.conf to enable ssh to use pam_radius:

  #SSHD 
  sshd auth required /usr/lib/security/pam_radius_auth.so 
  sshd account required /usr/lib/security/pam_aix 
  sshd password required /usr/lib/security/pam_aix 
  sshd session required /usr/lib/security/pam_aix

7. Modify the /etc/security/login.cfg file. Change “auth_type = STD_AUTH” to “auth_type = PAM_AUTH”.

8. Update the following parameters in /etc/ssh/sshd_config:

  PasswordAuthentication no 
  PermitEmptyPasswords no 
  UsePrivilegeSeparation no 
  ChallengeResponseAuthentication yes 
  UsePAM yes

9. Run the following command to restart the sshd service:

  stopsrc -s sshd ; startsrc -s sshd
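
The checks below are an added example, not part of the original page or of pam_radius: a shell function that verifies the files changed in steps 4 to 8 ended up as described. The optional ROOT prefix and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the files changed above.
# Usage: audit_pam_radius [ROOT]   ROOT is a hypothetical prefix for checking
# a copy of the files; with no argument the live system is checked (as root).

# has_line FILE ERE: true if FILE has a non-comment line matching ERE
has_line() {
    [ -f "$1" ] && grep -E -v '^[[:space:]]*#' "$1" | grep -E -q "$2"
}

note() { echo "FAIL: $1"; fails=$((fails + 1)); }

audit_pam_radius() {
    root=${1:-}; fails=0; s='[[:space:]]'

    # Steps 4-5: /etc/raddb/server holds the RADIUS shared secret, so neither
    # it nor its directory may grant any access to group or other.
    for p in "$root/etc/raddb" "$root/etc/raddb/server"; do
        if [ ! -e "$p" ]; then
            note "$p is missing"
        elif [ "$(ls -ld "$p" | cut -c5-10)" != "------" ]; then
            note "$p is accessible to group or other"
        fi
    done

    # Step 6: sshd authentication must go through pam_radius_auth.so.
    has_line "$root/etc/pam.conf" \
        "^sshd$s+auth$s+required$s+/usr/lib/security/pam_radius_auth\.so" ||
        note "pam.conf: no sshd auth line for pam_radius_auth.so"

    # Step 7: AIX must hand authentication over to PAM.
    has_line "$root/etc/security/login.cfg" "^$s*auth_type$s*=$s*PAM_AUTH" ||
        note "login.cfg: auth_type is not PAM_AUTH"

    # Step 8: sshd uses PAM challenge-response, never plain or empty passwords.
    for kv in "UsePAM yes" "ChallengeResponseAuthentication yes" \
              "PasswordAuthentication no" "PermitEmptyPasswords no"; do
        has_line "$root/etc/ssh/sshd_config" \
            "^$s*${kv% *}$s+${kv#* }$s*\$" ||
            note "sshd_config: expected '$kv'"
    done

    [ "$fails" -eq 0 ] && echo "OK: configuration matches the steps above"
    return "$fails"
}
```

The return status is the number of failed checks, so the function can gate a deployment script before sshd is restarted.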
aix/user_radius.txt · Last modified: 2022/12/06 14:30 by manu