How to use FreeRADIUS for SSH authentication

Jack Wallen shows you how to install and configure FreeRADIUS as a centralized SSH authentication tool.

Securing a laptop

Image: iStock/structuresxx

More about Open Source

You might have a large number of Linux machines in your data center, most of which are managed by a team of admins. Those admins probably use secure shell to access those servers. Because of that, you might want to use a centralized location to manage the authentication of those admins. For that, you can employ a FreeRADIUS server. 

FreeRADIUS is a tool for authentication that is used by over 100 million people daily. This tool includes support for more authentication protocols than any other open source service.

I’m going to show you how to use FreeRADIUS for the authentication of SSH over your LAN.

SEE: Incident response policy (TechRepublic Premium)

What you’ll need

I’ll be demonstrating with two instances of Ubuntu: one server and one desktop. You can install FreeRADIUS on just about any Linux distribution, but you’ll need to modify the installation steps if you’re using a non-Debian-based operating system. You’ll also need a user with sudo privileges.

How to install and configure FreeRADIUS on the server

The first thing we’ll do is install FreeRADIUS. Log in to your Ubuntu Server and install the software with the command:

sudo apt-get install freeradius mlocate -y

With FreeRADIUS installed, we need to add a client (the machine that will use the FreeRADIUS server for SSH authentication) to the configuration file. First, change to the root user with the command:

sudo -s

Open the necessary configuration file with the command:

nano /etc/freeradius/3.0/clients.conf

At the bottom of the file, you’ll add a section that looks like this:

client UBUNTU {
ipaddr = CLIENT
secret = CLIENTPASSWORD
}

Where CLIENT is the IP address of the remote client and CLIENTPASSWORD is a strong/unique password to be used as the FreeRADIUS admin.

Save and close the file. 

Next, we’ll add a user by editing the users file with the command:

nano /etc/freeradius/3.0/users

At the bottom of that file, add the following:

USER Cleartext-Password := "USERPASSWORD"

Where USER is the username and USERPASSWORD is a strong/unique password.

Restart FreeRADIUS with the command:

systemctl restart freeradius

Exit out of the root user with the command:

exit

How to configure the client

Move on over to your client machine. You’ll first need to install the necessary packages so that the client can interact with FreeRADIUS with the command:

sudo apt-get install libpam-radius-auth freeradius-utils -y

Open the configuration file with the command:

sudo nano /etc/pam_radius_auth.conf

Near the bottom of that file, you’ll see the following section:

#127.0.0.1 secret 1
other-server other-secret 3

Below that, add a new section like so:

SERVER	CLIENTPASSWORD	5

Where SERVER is the IP address of your FreeRADIUS server and CLIENTPASSWORD is the password you set in the clients configuration file on the server.

Save and close the file. 

Next, we’ll create a user account on the client with a disabled password like so:

sudo adduser USERNAME --disabled-password --quiet --gecos ""

Where USERNAME is the username to be added.

Now let’s test the authentication against our server. From the client issue the command:

radtest USERNAME CLIENTPASSWORD SERVER 0 USERPASSWORD

Where USERNAME is the username on the remote client, CLIENTPASSWORD is the password set in the clients.conf file on the server, SERVER is the IP address of the FreeRADIUS server and USERPASSWORD is the password for the remote user configured in the users configuration file on the server.

You should see something like:

Sent Access-Request Id 134 from 0.0.0.0:45348 to 192.168.1.53:1812 length 75
User-Name = "USERNAME"
User-Password = "USERPASSWORD"
NAS-IP-Address = 127.0.1.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "USERPASSWORD"
Received Access-Accept Id 134 from 192.168.1.53:1812 to 192.168.1.124:45348 length 20

For the real test, log in to another machine on your network and SSH to the client with the USERNAME and USERPASSWORD for credentials. Even though that user was created on the client without a password, you should be able to successfully authenticate to the client.

Congratulations, you’ve just set up FreeRADIUS for SSH authentication.

The caveat

The problem with this setup is that you’ve left cleartext passwords configured in the FreeRADIUS files. The only saving grace with this is that to view them, you must first gain access to the root user. That’s a hurdle, but it’s not impossible. We’ll discuss using a more secure method at a later time. Until then, practice getting FreeRADIUS set up on a test network to ensure you understand how it works.

Subscribe to TechRepublic’s How To Make Tech Work on YouTube for all the latest tech advice for business pros from Jack Wallen.

Also see