This branch features RADIUS over TCP and RADIUS over TLS (RADSEC).
To use RADIUS over TCP just prefix the desired servers with "tcp://".
To use RADIUS over TLS (RADSEC), prefix the desired servers with "tls://" and provide the required client certificate and the authenticating CAs by adding the following parameters to the PAM config line (both auth and session):
- cert = absolute pathname of the client certificate file (PEM format)
- key = absolute pathname of the client private key file
- key_password = optional private key password (if the key is encrypted)
- ca = absolute pathname of the file holding the known, authenticating CAs
By default server certificates are verified; you may ignore verification failures by adding the "verify=no" option.
You may force RADSEC usage on all servers, even without the "tls://" prefix, by setting "radsec=yes".
You may disable RADSEC usage, falling back from all "tls://" servers to RADIUS over UDP, by setting "radsec=no".
By default, with "radsec=try", RADSEC is used for "tls://" servers if SSL setup works; otherwise they fall back to RADIUS over UDP.
At first all TCP and TLS servers are tried together. The first one that is ready, connected and verified is used. If something goes wrong, the others are used as they become ready. When no more TCP or TLS servers are usable, the UDP servers are tried one by one in config order.
Be aware that on some systems you may need to disable SELinux or apply a proper SELinux policy.
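The following is an added example (not part of the module's own code) that models the radsec=yes/no/try and fallback rules described above, so you can see which transport each server ends up on before enabling the option. Server entries, hostnames and file paths are constructed for illustration; the real module reads its servers from its own configuration file, which is not shown here.

```python
from dataclasses import dataclass, field

# Options whose files must be supplied before a TLS session can be set up (per the README).
TLS_FILE_OPTS = ("cert", "key", "ca")

@dataclass
class Plan:
    parallel: list = field(default_factory=list)  # TCP/TLS: tried together, first ready+verified wins
    fallback: list = field(default_factory=list)  # UDP: tried one by one, in config order
    verify_peer: bool = True                       # False only when verify=no was given

def parse_opts(pam_line):
    """Collect key=value tokens from a PAM config line; bare words are ignored."""
    return dict(tok.split("=", 1) for tok in pam_line.split() if "=" in tok)

def plan_servers(servers, opts, ssl_ok=True):
    """Apply the radsec=yes|no|try rules to a server list and return the attempt order.
    ssl_ok models whether SSL setup succeeded (it only matters for radsec=try)."""
    radsec = opts.get("radsec", "try")
    if radsec not in ("yes", "no", "try"):
        raise ValueError(f"unknown radsec value: {radsec!r}")
    plan = Plan(verify_peer=opts.get("verify", "yes") != "no")
    for entry in servers:
        scheme, host = entry.split("://", 1) if "://" in entry else ("udp", entry)
        if radsec == "yes":
            scheme = "tls"                      # forced on every server, prefix or not
        elif scheme == "tls" and (radsec == "no" or not ssl_ok):
            scheme = "udp"                      # documented fallback to RADIUS over UDP
        if scheme == "tls":
            missing = [o for o in TLS_FILE_OPTS if o not in opts]
            if missing:
                raise ValueError("RADSEC requires options: " + ", ".join(missing))
        (plan.parallel if scheme in ("tcp", "tls") else plan.fallback).append(f"{scheme}://{host}")
    return plan

# Constructed sample input: one RADSEC server, one plain-TCP server, one legacy UDP server.
SAMPLE_SERVERS = ["tls://radius1.example.net", "tcp://radius2.example.net", "10.0.0.5"]
SAMPLE_PAM_LINE = ("auth sufficient pam_radius_auth.so radsec=try "
                   "cert=/etc/pam_radius/client.pem key=/etc/pam_radius/client.key "
                   "ca=/etc/pam_radius/ca.pem")

if __name__ == "__main__":
    opts = parse_opts(SAMPLE_PAM_LINE)
    print("TLS available  :", plan_servers(SAMPLE_SERVERS, opts))
    print("TLS setup fails:", plan_servers(SAMPLE_SERVERS, opts, ssl_ok=False))
```

Note how a failed SSL setup under the default radsec=try moves the "tls://" server onto the UDP fallback list; use radsec=yes if a silent downgrade to UDP is not acceptable.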
This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication. You will need to supply your own RADIUS server to perform the actual authentication.
The latest version has a simple merger of the original pam_radius session accounting code, which will work only on Linux.
See INSTALL for instructions on building and installing this module. It has been successfully used for RADIUS authentication on CentOS, RHEL and Rocky Linux versions 7 to 9, Debian, Ubuntu, many older Linux distributions such as RedHat 5.x and RedHat 6.x, as well as Solaris 2.6 and OSX 10.9.1.
A number of options are supported by this module. See USAGE for more details.
Care should be taken when configuring RADIUS authentication. Your RADIUS server should have a minimal set of machines in its 'clients' file. The server should NOT be visible to the world at large, but should be contained behind a firewall. If your RADIUS server is visible from the Internet, a number of attacks become possible.
Any additional questions can be directed to the FreeRADIUS users' mailing list: https://www.freeradius.org/support/
For the latest version and updates, see the main web or ftp site:
- https://freeradius.org/pam_radius_auth/
- ftp://ftp.freeradius.org/pub/radius/
The pam_radius_auth module is based on an old version of Cristian Gafton's pam_radius.c, and on the RADIUS Apache module.
The source contains a full suite of RADIUS functions instead of using libpwdb. This makes sense because we want it to compile out of the box on Linux and Solaris 2.6.
There are minimal restrictions on using the code, as set out in the disclaimer and copyright notice in pam_radius_auth.c.
Building it is straightforward: use GNU make, and type ./configure, followed by make. If you've got some other weird make, you'll have to edit the Makefile to remove the GNU make directives.
Alan DeKok [email protected]
When building under clang and some later versions of GCC with --enable-developer, you can add the following flags:
- --enable-address-sanitizer, enables the address sanitizer (detects use-after-free issues and out-of-bounds accesses).
- --enable-leak-sanitizer, enables the leak sanitizer (detects memory leaks).
$ ./configure
$ make rpm
$ rpm -ivh rpmbuild/RPMS/x86_64/pam*.rpm
Configuration example for sshd+PAM in redhat/pam_sshd_example
$ ./configure
$ make deb
$ dpkg -i ../libpam-radius-auth_*.deb
Configuration example for sshd+PAM in debian/pam_sshd_example