pam authentication and Radius

svacaroaia

Member
Oct 4, 2012
Hi,
Is it possible to use pam_radius with Proxmox?

We currently have Yubikey (2-factor authentication) and we would like to use it on our Proxmox cluster too.
Since it is using PAM, I am assuming there should be no issues, but... assumptions are the mother of all major mistakes... so any hint/example/suggestions will be appreciated.

Steps involved are (these are working fine for all our Linux servers):

- sudo apt-get install libnss-ldapd libpam-radius-auth ldap-utils

- edit /etc/nslcd.conf and add/modify pertinent data

- add to pam.d/common-auth:
auth [success=done new_authtok_reqd=ok ignore=ignore default=bad] /lib/security/pam_radius_auth.so localifdown


- edit /etc/pam_radius_auth.conf and add the Radius secret

- edit pam.d/sshd

- edit /etc/nsswitch



Thanks
Steven
 
Hi Steven,
thanks for the answer
this is the working process:
Steps involved are (these are working fine for all our Linux servers):

- sudo apt-get install libnss-ldapd libpam-radius-auth ldap-utils

- edit /etc/nslcd.conf and add/modify pertinent data

- add to pam.d/common-auth:
auth [success=done new_authtok_reqd=ok ignore=ignore default=bad] /lib/security/pam_radius_auth.so localifdown


- edit /etc/pam_radius_auth.conf and add the Radius secret

- edit pam.d/sshd

- edit /etc/nsswitch

Can you please give more detail, like a how-to post?

Best Regards,
Star Network.
 
Hi,
I found that Proxmox doesn't actually care how your PAM is set up - it will use whatever you have, so as long as your Debian server is able to take advantage of Radius, you will only need to add users to Proxmox (pveum is your friend).

If you think it will be useful to the community, I can certainly post my config.

Steven
 
Hi Steven,
I think that it will be useful.
For example, just me: I am testing it for 4 different people.
Also, Yubico YubiKey devices don't have results on the Proxmox forum besides this post.
It should help as a good source of information.

thanks again,
Star Network.
 
here it is

1. Install necessary packages
aptitude install libnss-ldapd libpam-radius-auth ldap-utils sudo

2. Configure sudo - make sure it is working

3. Configure LDAP
/etc/nslcd.conf
Test using "getent passwd" - it should return all users available on LDAP

4. Configure PAM
Add to /etc/pam.d/common-auth:
auth [success=done new_authtok_reqd=ok ignore=ignore default=bad] /lib/security/pam_radius_auth.so localifdown
Add to /etc/pam.d/sshd:
auth sufficient pam_radius_auth.so
Add to pam.d/common-session:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
Edit /etc/pam_radius_auth.conf and add the following radius server name and secret:
radius.tor.xxx.xx.com My_Secret

6. Configure radius
Add an entry in /etc/freeradius/clients.conf for every server:
client 10.10.xx.xx {
    secret = My_Secret
    nastype = other
    shortname = bs02-hst02.tor
}
Make sure there is a huntgroup created for the respective subnet:
#PROXMOX servers
ptnet Client-IP-Address =~ "^10\.10\.xx\..*$"

Restart freeradius

Test by logging in on a different console - if the test is successful, move to the next step; if NOT, troubleshoot !!!!!

7. Configure Proxmox to use PAM Radius
Add an entry for every user in /etc/pve/user.cfg ... or use pveum (see example below)

cat /etc/pve/user.cfg
user:john@pam:1:0:::::
user:pete@pam:1:0:::::
user:root@pam:1:0:::support@xxxxxxx.com::
user:svacaroaia@pam:1:0:Steven:Vacaroaia:svacaroaia@medavail.com::
group:support:msoto@pam,acarvalho@pam,svacaroaia@pam,amcculloch@pam:support group:
acl:1:/:mad:support:pVEAdmin:

CAVEATS
Make sure you keep a separate root console open to the servers you are configuring at all times so you can fix / undo it.
You might not be able to add nodes to cluster - in that case disable radius by commenting out the entry from common-auth
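
A pre-flight check for the how-to above, meant to be run from the spare root console before it is closed. This is an added example, not part of the original posts: the function names, the LOOKUP override and the `run` argument are assumptions, and the user check assumes accounts come from LDAP through NSS as in this thread's setup.

```shell
#!/bin/sh
# Added example: pre-flight checks for the PAM/RADIUS setup in this thread.

# /etc/pam_radius_auth.conf holds the RADIUS shared secret in clear text, so
# it must be owned by root (uid 0) and closed to group and other.
check_secret_file() {
    f=$1; want_uid=${2:-0}
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    mode=$(stat -c %a "$f"); uid=$(stat -c %u "$f")
    case $mode in
        600|400) ;;
        *) echo "FAIL: $f is mode $mode, expected 600"; return 1 ;;
    esac
    [ "$uid" = "$want_uid" ] || { echo "FAIL: $f owned by uid $uid"; return 1; }
}

# common-auth needs an active (uncommented) pam_radius_auth.so auth line.
# Without localifdown, an unreachable RADIUS server counts as a failure
# under default=bad, so local logins fail too.
check_pam_radius() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_radius_auth\.so' "$1" | head -n 1)
    [ -n "$line" ] || { echo "FAIL: no active pam_radius_auth.so line in $1"; return 1; }
    case $line in
        *localifdown*) ;;
        *) echo "FAIL: pam_radius_auth.so without localifdown in $1"; return 1 ;;
    esac
}

# Every user:<name>@pam entry in user.cfg should resolve through NSS, the same
# "getent passwd" test used for LDAP. LOOKUP is a hypothetical test override.
check_pve_users() {
    missing=0
    for u in $(sed -n 's/^user:\([^@:]*\)@pam:.*/\1/p' "$1"); do
        ${LOOKUP:-getent passwd} "$u" >/dev/null 2>&1 && continue
        echo "FAIL: $u@pam has no passwd entry"; missing=1
    done
    [ "$missing" -eq 0 ]
}

preflight() {
    rc=0
    check_secret_file "${1:-/etc/pam_radius_auth.conf}" || rc=1
    check_pam_radius "${2:-/etc/pam.d/common-auth}" || rc=1
    check_pve_users "${3:-/etc/pve/user.cfg}" || rc=1
    return "$rc"
}
# Run from the spare root console:  sh preflight.sh run
if [ "${1:-}" = run ]; then shift; preflight "$@"; fi
```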
 
