How to configure SSH authentication to a FreeRADIUS server
Find out how to configure FreeRADIUS as an SSH authentication server on Ubuntu.
If you have various admin users who log in to your Linux servers in your data center, you might want to have better control over the authentication of those accounts. Of course, one of the most secure methods is using SSH key authentication (which you should be using). But there might be an occasion that warrants using a central authentication server for SSH. Should that be the case, you can always make use of FreeRADIUS (see: How to install the daloRADIUS web-based interface for FreeRADIUS for instructions on how to install both FreeRADIUS and the web-based interface, daloRADIUS).
If that sounds like something you might want to try, read on.
What you’ll need
To make this authentication system work, you’ll need the following:
- A functioning FreeRADIUS server
- A user account with sudo privileges
- IP Address(es) for servers to be logged into via SSH
For the purpose of this tutorial, I’ll be demonstrating on Ubuntu Server 18.04. The IP addresses I’ll use are:
- 192.168.1.216 – FreeRADIUS server
- 192.168.1.16 – Client Server A
How to install the necessary authentication package
The first thing to be done is to install and configure the necessary authentication package on Client Server A. Log in to that server and issue the command:
sudo apt-get install libpam-radius-auth
How to configure the client server
Once you’ve done that, configure libpam-radius-auth with the necessary information. Issue the command:
sudo nano /etc/pam_radius_auth.conf
In that file, look for the line:
127.0.0.1 secret 1
Below that line, add the following:
192.168.1.216 PASSWORD 3
Make sure to change the IP address to match that of your FreeRADIUS server and change PASSWORD to a…