Linux - configuration

The steps described here were accomplished on OpenSUSE Leap 42.1.

Important: Non-2FA users

If you enable 2FA protection using the instructions in this guide, then by default local users who do not belong to your AD domain will not be able to log in. To allow local users to log in even if 2FA protection is enabled, please follow the additional steps described in the topic of Other RADIUS configurations - see Non-2FA users (user accounts not using 2FA).


Make sure your Linux computer is joined to the Active Directory domain. Navigate to YaST > Hardware > Network Settings > Hostname/DNS and enter the IP address of the Domain Controller (DC) machine and the Active Directory domain name. Next, navigate to YaST > Network Services > Windows Domain Membership. Enter the AD domain name you want your Linux computer to join in the Domain or Workgroup field and click OK. You will be prompted to enter the domain administrator's username and password.

Note

The process of joining a domain will differ across Linux distributions.


PAM Authentication Module

1. Download PAM RADIUS tar.gz from http://freeradius.org/pam_radius_auth/

2. Build the .so library by executing the following commands in a terminal window:

    ./configure
    make

Depending on the output of the configure command, dependencies might have to be installed:

    sudo zypper install gcc make pam-devel

3. Copy the built library to the PAM modules directory:

    sudo cp pam_radius_auth.so /lib/security/

4. Create a server configuration file named server in /etc/raddb/ (that is, /etc/raddb/server). In that file, enter the details of the RADIUS server in the following form:

    <radius server>:<port> <shared secret> <timeout in seconds>

For example:

    1.1.1.1 test 30

See INSTALL for security recommendations for the configuration file and USAGE for parameters that can be passed to the library. For example, you can use the 'debug' parameter to identify potential problems.
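As an added example (not part of the original guide), the following POSIX shell functions sanity-check the server file created in step 4 before the module is wired into PAM, so a typo in that file does not lock users out. The field rules follow the format shown above (port optional, as in the 1.1.1.1 example); the root-only 0600 mode and the minimum secret length are assumptions, not requirements taken from the guide.

```shell
#!/bin/sh
# Added example: validate a pam_radius_auth server file such as /etc/raddb/server.
# Assumed line format (from the guide): <radius server>[:<port>] <shared secret> <timeout in seconds>

# Check a single line; prints the reason and returns 1 if it is malformed.
radius_line_ok() {
    line=$1
    set -f; set -- $line; set +f            # split into fields without globbing the secret
    [ $# -eq 3 ] || { echo "expected 3 fields, got $#: '$line'"; return 1; }
    server=$1; secret=$2; timeout=$3
    host=${server%%:*}
    port=${server#*:}
    [ -n "$host" ] || { echo "empty server in '$line'"; return 1; }
    if [ "$port" != "$server" ]; then       # a port was given after the colon
        case $port in
            ''|*[!0-9]*) echo "port must be numeric in '$line'"; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range in '$line'"; return 1; }
    fi
    case $timeout in
        ''|*[!0-9]*|0) echo "timeout must be a positive integer in '$line'"; return 1 ;;
    esac
    # Assumed policy: a shared secret shorter than 16 characters is only warned about.
    [ ${#secret} -ge 16 ] || echo "warning: short shared secret for $host" >&2
    return 0
}

# Check a whole server file: every non-blank, non-comment line must pass, and the
# file should be readable by root only since it holds the shared secret (assumed 0600).
radius_conf_ok() {
    file=$1
    [ -f "$file" ] || { echo "$file: not found"; return 1; }
    perms=$(ls -ld "$file" | cut -c5-10)    # group and other permission bits
    [ "$perms" = "------" ] || echo "warning: $file readable by group/other, expected mode 0600" >&2
    rc=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in ''|\#*) continue ;; esac
        radius_line_ok "$l" || rc=1
    done < "$file"
    return $rc
}
```

Run it as `radius_conf_ok /etc/raddb/server` after editing the file; a non-zero exit means at least one line would not be parsed the way step 4 expects.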


Incorporating the PAM module

PAM modules may vary across Linux distributions. The incorporation scenarios also depend on the Desktop environment used on the particular Linux machine. In this example, Xfce was used on an OpenSUSE machine, therefore the PAM module was incorporated into /etc/pam.d/xdm (see examples below). It is possible that some modules may not prompt for a second factor as shown in the example below.

Incorporation of the PAM module into SSH in Linux is done similarly to the way it is done in Mac OS - see Incorporating the PAM module into SSH in the Mac OS - configuration topic. However, the line to be added to the /etc/pam.d/sshd file is different:

auth required /lib/security/pam_radius_auth.so


Incorporating the PAM module into console login

In order to incorporate the PAM module into console login, edit /etc/pam.d/login and add the following line at the end of the file:

auth required /lib/security/pam_radius_auth.so

Below is an example of console login while secured via ESA:

[Screenshot: pam-esa_challenge-linux-console_login]


Incorporating the PAM module into Xfce desktop login

To incorporate the PAM module into Xfce desktop login, we have to edit /etc/pam.d/xdm and add the following line at the end of the file:

auth required /lib/security/pam_radius_auth.so

Below is an example of Xfce desktop login while secured via ESA:

[Screenshot: pam-esa_challenge-linux_xdm]