mirror of
https://github.com/Yubico/yubico-pam.git
synced 2024-12-01 15:24:12 +01:00
63 lines
1.6 KiB
Plaintext
Introduction
------------

The purpose of this page is to collect all information needed to set up a Radius server that can use the pam_yubico module to provide user authentication via Radius.

Details
-------

We currently use FreeRadius. The paths below may be specific to Debian's packages; please update this page if you have paths for other systems.

Build pam_yubico and install FreeRadius
---------------------------------------

Build instructions for pam_yubico are found in the pam_yubico ReadMe.

Install FreeRadius from your OS vendor packages:

Debian/Ubuntu:
------
$ sudo apt-get install freeradius
------

== Add a Radius client stanza to /etc/freeradius/clients.conf

For testing, add something like:

------
client 0.0.0.0/0 {
        secret = pencil
        shortname = radius.yubico.com
}
------

Configure FreeRadius so that it uses PAM
----------------------------------------

In /etc/freeradius/radiusd.conf, check that 'pam' is uncommented in the 'authenticate' section.

Configure PAM for the Radius server
-----------------------------------

The PAM service is 'radiusd', and the configuration file is stored in /etc/pam.d/radiusd. Add something like:

------
auth sufficient pam_yubico.so id=16 debug
------

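A check for the two test-only settings shown above (the catch-all client with the secret 'pencil', and the 'debug' option on pam_yubico), written as an added example that is not part of the yubico-pam documentation. The function names, the 16-character secret floor and the sample 192.0.2.10 client are assumptions made for illustration.

```shell
# Added example (not from the yubico-pam project): flag test-only settings
# left in a FreeRADIUS clients.conf and in the radiusd PAM service file.
KNOWN_TEST_SECRETS="pencil testing123"  # documentation examples, not secrets
MIN_SECRET_LEN=16                       # assumed policy floor

# audit_clients FILE: print one finding per line, tagged with the client name.
# Assumes "key = value" spacing as in the stanza on this page.
audit_clients() {
    awk -v weak="$KNOWN_TEST_SECRETS" -v minlen="$MIN_SECRET_LEN" '
        BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
        { sub(/#.*/, "") }                       # strip comments
        $1 == "client" {
            name = $2; sub(/[{]$/, "", name)
            if (name ~ /\/0$/) print "OPEN_CLIENT " name   # e.g. 0.0.0.0/0
        }
        $1 == "ipaddr" && $3 ~ /\/0$/ { print "OPEN_CLIENT " name }
        $1 == "secret" && $2 == "=" {
            if ($3 in bad) print "TEST_SECRET " name
            else if (length($3) < minlen) print "SHORT_SECRET " name
        }
    ' "$1"
}

# audit_pam FILE: flag pam_yubico lines that still carry the debug option.
audit_pam() {
    awk '{ sub(/#.*/, "") }
         /pam_yubico\.so/ { for (i = 1; i <= NF; i++)
                                if ($i == "debug") print "PAM_DEBUG line " NR }
    ' "$1"
}

# Constructed sample input: the test stanza from this page plus a narrowed
# client (192.0.2.10 and its secret are made-up values).
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/clients.conf" <<'EOF'
client 0.0.0.0/0 {
    secret = pencil
    shortname = radius.yubico.com
}
client 192.0.2.10 {
    secret = Xq7-constructed-sample-secret-9fK2
}
EOF
    printf 'auth sufficient pam_yubico.so id=16 debug\n' > "$dir/radiusd"
    echo "$dir"
}

d=$(make_samples) && audit_clients "$d/clients.conf" && audit_pam "$d/radiusd"; rm -rf "$d"
```

Point audit_clients at /etc/freeradius/clients.conf and audit_pam at /etc/pam.d/radiusd once testing is finished; any output means a test setting is still in place.
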
Start FreeRadius in debug mode and test it
------------------------------------------

As root, run:

------
# /usr/sbin/freeradius -X
------

Then invoke a test client as follows:

------
$ radtest yubico vlrlcingbbkrctguicnijbegfjhrdhccefdthcuifkgr 127.0.0.1 0 pencil
------

If you get errors about a non-existent user, you may need to create a Unix user 'yubico'. Whether this is needed depends on the PAM configuration.