The first refresh of the Oracle Solaris 11.4 beta added RADIUS support to the PAM framework, so you can now use RADIUS for authentication without having to compile the necessary components yourself. This is really useful, as RADIUS is often the way a central infrastructure implements, for example, one-time password mechanisms.

This feature is implemented by a PAM module named pam_radius_auth.so.1. It supports TLS-based RADIUS; for test and development, however, you can use it without TLS, and I will use this simplified method in this blog entry. Keep in mind that without TLS the shared secret is all that protects the password on the wire, so use the TLS variant in production. There are PAM policy files for UNIX+RADIUS and LDAP+RADIUS in /etc/security/pam_policy for system-wide or per-user activation. If you use them, it may be a good idea to remove the echo_pass after the pam_radius_auth.so.1 line, in order to deactivate the clear-text repetition of the password on your shell.

While there is a man page describing the setup of pam_radius_auth, there is a small problem: the way it is described is incorrect. The configuration is generated via an SMF stencil, however, so the stencil file at /lib/svc/stencils/pam_radius_conf.stencil is a good interim source for how to configure it.

In this blog entry I would like to describe a really basic setup of this feature. Of course you need a working RADIUS server. In my case I will just use the one I have at home anyway for WLAN authentication.

At first you have to install the package:
root@client:~# pkg install pkg:/system/security/radius/client
Now we have to configure the SMF service.
root@client:~# svccfg -s radius/client:default
svc:/network/radius/client:default> setprop config/server_list = "10.0.0.2"
svc:/network/radius/client:default> setprop config/secret/shared_secret = "justameaninglesssharedsecret"
svc:/network/radius/client:default> setprop config/protocol = "tcp"
svc:/network/radius/client:default> exit
root@client:~# svcadm refresh radius/client:default
In my example I will activate RADIUS authentication just for my own user.
root@client:~# usermod -K pam_policy=unix+radius joerg
Now we can try it out.
root@client:~# ssh joerg@localhost
Password: YOUR_UNIX_PASSWORD
RADIUS password or PIN: PASSWORD_OR_PIN_IN_RADIUSSERVER
Last login: Fri Apr 27 22:49:58 2018 from 10.1.10.22
Oracle Corporation      SunOS 5.11      Solaris_11/11.4/ON/production.build-59:2018-03-22       March 2018
joerg@ldap:~$
Now the system asks for the RADIUS password in addition to the one stored in the password files (or in LDAP, if you use that).
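The shared secret set in the SMF service above is what RADIUS itself relies on when no TLS is in play: it keys the hiding of the User-Password attribute and authenticates the server's reply. The following Python is an added example, not the Solaris client's or any RADIUS server's code. It runs both sides of an RFC 2865 Access-Request/Access-Accept exchange in memory; the user name, password, user database, NAS identifier and the "othersecret" value are constructed for the demonstration, and the shared secret is the one from the configuration above.

```python
"""Added example: RFC 2865 Access-Request / Access-Accept exchange in memory.
Shows what the RADIUS shared secret is used for on an unprotected transport."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute types


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request
    Authenticator. This is obfuscation keyed by the shared secret, not
    authenticated encryption: anyone who knows the secret can undo it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        out += _xor16(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # remove the NUL padding added by hide_password


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {type: value}); reject bad lengths."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def client_build_request(ident, user, password, secret, nas_id, req_auth=None):
    req_auth = req_auth or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(USER_NAME, user)
             + _attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(NAS_IDENTIFIER, nas_id))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(request, secret, user_db):
    """Constructed stand-in for the RADIUS server: decode, compare, reply."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or USER_NAME not in attrs or USER_PASSWORD not in attrs:
        raise ValueError("not a usable Access-Request")
    given = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    stored = user_db.get(attrs[USER_NAME])
    reply = ACCESS_ACCEPT if stored is not None and hmac.compare_digest(stored, given) else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, req_auth, b"", secret), b"")


def client_check_reply(reply, ident, req_auth, secret):
    """Return the reply code only if the Response Authenticator proves the reply
    was produced with the shared secret for this request; otherwise None."""
    code, rid, auth, _ = parse_packet(reply)
    if rid != ident:
        return None
    expected = response_authenticator(code, rid, req_auth, reply[20:], secret)
    return code if hmac.compare_digest(expected, auth) else None


def demo():
    secret = b"justameaninglesssharedsecret"       # value from the SMF configuration above
    users = {b"joerg": b"correct-horse-otp-1234"}   # constructed server-side user database
    req, ra = client_build_request(7, b"joerg", b"correct-horse-otp-1234", secret, b"client")
    good = client_check_reply(server_handle(req, secret, users), 7, ra, secret)
    req, ra = client_build_request(8, b"joerg", b"wrong", secret, b"client")
    bad = client_check_reply(server_handle(req, secret, users), 8, ra, secret)
    # A server holding a different secret can neither read the password nor
    # produce a reply the client accepts ("othersecret" is a constructed value).
    req, ra = client_build_request(9, b"joerg", b"correct-horse-otp-1234", secret, b"client")
    forged = client_check_reply(server_handle(req, b"othersecret", users), 9, ra, secret)
    return good, bad, forged


if __name__ == "__main__":
    print(demo())   # (2, 3, None)
```

Two things to take from the demo: a captured Access-Request leaks the password to anyone who can guess the shared secret offline, because the hiding is only MD5 keyed with a static secret, and the Response Authenticator is the sole thing stopping an attacker from sending a forged Access-Accept to the client. Both are why a meaningless secret like the one in this test setup, and plain TCP, are acceptable for development only.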
