|
YubikeyAndRadiusViaPAM
How to get Yubikey OTP authentication via Radius to work
IntroductionThe purpose of this page is to collect all information needed to set up a Radius server that can use the pam_yubico module to provide user authentication via Radius. DetailsWe currently use FreeRadius. The paths below may be specific to Debian's packages, please update this if you have paths for other systems. Build pam_yubico and install FreeRadiusBuild instructions for pam_yubico are found in the pam_yubico ReadMe. Install FreeRadius from your OS vendor packages: Debian/Ubuntu: sudo apt-get install freeradius Add a Radius client stanza to /etc/freeradius/clients.confFor testing, I recommend something like: client 0.0.0.0/0 {
secret = pencil
shortname = radius.yubico.com
}Configure FreeRadius so that it uses PAMIn /etc/freeradius/radiusd.conf, check that 'pam' is uncommented in the 'authenticate' section. Configure PAM for the Radius serverThe PAM service is 'radiusd', and the configuration file is stored in /etc/pam.d/radiusd. Add something like: auth sufficient pam_yubico.so id=16 debug Start FreeRadius in debug mode and test itAs root, run: # /usr/sbin/freeradiusd -X Then invoke a test client as follows: $ radtest yubico vlrlcingbbkrctguicnijbegfjhrdhccefdthcuifkgr 127.0.0.1 0 pencil If you get errors about non-existing user, you may need to create a Unix user 'yubico'. Whether this should be needed or not depends on PAM configuration. |
Sign in to add a comment
