2014-04-30 11:03:40 +02:00
Introduction
------------
The purpose of this page is to collect all information needed to set up a Radius server that can use the pam_yubico module to provide user authentication via Radius.
Details
-------
We currently use FreeRadius. The paths below may be specific to Debian's packages; please update this page if you have paths for other systems.
Build pam_yubico and install FreeRadius
---------------------------------------
Build instructions for pam_yubico are found in the pam_yubico ReadMe.
Install FreeRadius from your OS vendor packages:
Debian/Ubuntu:
------
$ sudo apt-get install freeradius
------

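Add a Radius client stanza to /etc/freeradius/clients.conf
----------------------------------------------------------
For testing, add something like the following. This stanza accepts requests from any IPv4 address using the shared secret 'pencil', so narrow the address range and choose a long random secret before using the server outside a test setup: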
------
client 0.0.0.0/0 {
    secret = pencil
    shortname = radius.yubico.com
}
------
Configure FreeRadius so that it uses PAM
----------------------------------------
In /etc/freeradius/radiusd.conf, check that 'pam' is uncommented in the 'authenticate' section.
Configure PAM for the Radius server
-----------------------------------
The PAM service is 'radiusd', and the configuration file is stored in /etc/pam.d/radiusd. Add something like:
------
auth sufficient pam_yubico.so id=16 debug
------

Start FreeRadius in debug mode and test it
------------------------------------------
As root, run:
------
# /usr/sbin/freeradius -X
------

Then invoke a test client as follows:
------
$ radtest yubico vlrlcingbbkrctguicnijbegfjhrdhccefdthcuifkgr 127.0.0.1 0 pencil
------

If you get errors about a non-existent user, you may need to create a Unix user 'yubico'. Whether this is needed depends on the PAM configuration.
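
The check below is an added example, not part of the original page or of the pam_yubico or FreeRadius projects: a shell function that reports when the test-only settings shown above (the 0.0.0.0/0 client, a short shared secret, the pam_yubico 'debug' option) are still present. It also recognises an `ipaddr = 0.0.0.0/0` line inside a named client stanza, which goes beyond the form shown on this page; the 16-character threshold, the address 192.0.2.10, the name nas1 and the placeholder secret are assumptions of the example.

```shell
#!/bin/sh
# Added example: report the test-only settings from this page if still present.
# Prints one finding per line; returns 1 when anything is flagged, else 0.
MIN_SECRET_LEN=16   # threshold assumed for this example, not from the page

audit_radius_test_settings() {   # $1 = clients.conf, $2 = PAM service file
    findings=$(
        awk -v min="$MIN_SECRET_LEN" '
            { sub(/#.*/, "") }   # ignore comments
            $1 == "client" { name = $2; any = (name == "0.0.0.0/0"); inside = 1; next }
            inside && $1 == "ipaddr" && $3 == "0.0.0.0/0" { any = 1 }
            inside && $1 == "secret" {
                sec = $0; sub(/^[^=]*=[ \t]*/, "", sec); gsub(/[ \t"]/, "", sec)
                if (length(sec) < min)
                    print "client " name ": shared secret shorter than " min " characters"
            }
            inside && index($0, "}") {
                if (any) print "client " name ": accepts requests from any IPv4 address"
                inside = 0
            }
        ' "$1"
        awk '
            { sub(/#.*/, "") }
            /pam_yubico\.so/ {
                for (i = 1; i <= NF; i++)
                    if ($i == "debug") print "pam_yubico: debug option is enabled"
            }
        ' "$2"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed inputs: the page's test stanza and PAM line, plus a tightened pair.
# 192.0.2.10, "nas1" and the secret are placeholders, not values from the page.
write_samples() {
    mkdir -p "$1/test" "$1/tight"
    printf 'client 0.0.0.0/0 {\n\tsecret = pencil\n\tshortname = radius.yubico.com\n}\n' > "$1/test/clients.conf"
    printf 'auth sufficient pam_yubico.so id=16 debug\n' > "$1/test/radiusd"
    printf 'client 192.0.2.10 {\n\tsecret = PLACEHOLDER-long-random-secret\n\tshortname = nas1\n}\n' > "$1/tight/clients.conf"
    printf 'auth sufficient pam_yubico.so id=16\n' > "$1/tight/radiusd"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_radius_test_settings "$demo_dir/test/clients.conf" "$demo_dir/test/radiusd" || echo "test-only settings still present"
rm -rf "$demo_dir"
```

On a real server, pass /etc/freeradius/clients.conf and /etc/pam.d/radiusd as the two arguments.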