HOW TO CONFIGURE OCTOPUS AUTHENTICATOR FOR LINUX SSH


Preface

This document describes the configuration required for RADIUS integration between the Octopus Authenticator and a Linux SSH session.

Octopus Authenticator RADIUS Service Configuration

  • Log in to the Octopus Authenticator Management Console
  • Select Services from the left pane
  • Select Add Service
  • Click the RADIUS service template

Tab-1: General Information

The following fields and values are displayed:

Field name      Field value
Service name    Check Point VPN
Issuer          RHEL Linux
Description     Linux SSH Octopus Authentication
Service status  Enable
Display icon

Tab-2: Parameters

The following fields and values are displayed:

Field name                  Field value
Login                       Username
RADIUS key name             NAS-Identifier
RADIUS key value            sshd
+ Add additional parameter  Do not add any parameters

Tab-3: Sign On

The following fields and values are displayed:

Field name                         Field value
Multi Factor Authentication (MFA)  Off (default)
Sign on Method                     RADIUS
Secret                             The designated Linux RADIUS secret code
Custom Message                     e.g. “SSH Linux Authentication”

Tab-4: Users

To configure the users of the service:

  • Select users from either the “Local Users” or the “LDAP Users” list
  • You can select either:
    • A group of users to import, by clicking the dot next to one of the folders
    • An individual user to import, by clicking the dot next to that user

The corresponding dot is then colored blue. When you select only some of the users in a group,
the dot next to the group is partially colored.

After saving the settings, the selected users are enrolled in the service.

  • Click “Save Settings”

Designated Linux Server SSH Configuration

  • Log in to your Linux server with admin credentials

Step-1: Extra Packages for Enterprise Linux and PAM RADIUS Client

  • Install the EPEL release package:
    yum install epel-release
  • Install the PAM RADIUS client:
    yum install pam_radius.x86_64
  • Verify that both RPMs installed successfully

Important Note: On the Octopus Authenticator (RADIUS) Server, ensure the Linux firewall allows UDP port 1812

  • List the ports the Linux firewall currently has open:
    sudo firewall-cmd --list-ports
  • Add the RADIUS UDP port 1812 (the second command makes the rule permanent, so it survives a firewall reload or reboot):
    sudo firewall-cmd --add-port=1812/udp
    sudo firewall-cmd --permanent --add-port=1812/udp

Step-2: PAM RADIUS Configuration [Designated Linux Server]

  • Edit /etc/pam_radius.conf:
    vi /etc/pam_radius.conf
  • Look for the “# server[:port] shared_secret timeout (s)” line
  • Below that line, add the details of the Octopus Authenticator RADIUS server:
    < Octopus Authenticator IP address >:1812 < RADIUS shared secret > 60
  • Save and exit the file

Step-3: SSH Daemon Configuration [Designated Linux Server]

  • Edit /etc/pam.d/sshd:
    vi /etc/pam.d/sshd
  • At the top of the file, add the following line: “auth sufficient /usr/lib64/security/pam_radius_auth.so”
  • Save and exit the file

  • Restart SSH daemon:
    systemctl restart sshd.service
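The following POSIX shell script is an added example and is not part of the Octopus Authenticator documentation. It applies Steps 2 and 3 above idempotently (so re-running it never stacks duplicate PAM rules), keeps /etc/pam_radius.conf root-only because it holds the RADIUS shared secret in clear text, and verifies the result before sshd is restarted. Every function takes a root directory as its first argument so the same code can be exercised against a scratch directory; on the real server that argument is "/". The script name, the 192.0.2.10 address and the secret value are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Octopus Authenticator documentation).
# Applies Steps 2 and 3 and verifies them before sshd is restarted.
# ROOT is "/" on the real server; tests pass a scratch directory instead.

PAM_RADIUS_MODULE=/usr/lib64/security/pam_radius_auth.so   # path from the document

# write_pam_radius_conf ROOT SERVER_IP SECRET [TIMEOUT]
# Writes the "server[:port] shared_secret timeout (s)" line into ROOT/etc/pam_radius.conf.
# The file carries the shared secret in clear text, so it is created under umask 077
# and left at mode 0600 (readable by root only).
write_pam_radius_conf() {
  root=$1; server=$2; secret=$3; timeout=${4:-60}
  conf="$root/etc/pam_radius.conf"
  mkdir -p "$root/etc"
  (
    umask 077
    {
      printf '%s\n' '# server[:port] shared_secret timeout (s)'
      printf '%s:1812 %s %s\n' "$server" "$secret" "$timeout"
    } > "$conf"
  )
  chmod 600 "$conf"
}

# add_pam_radius_line ROOT
# Puts "auth sufficient pam_radius_auth.so" at the top of ROOT/etc/pam.d/sshd,
# but only once: a second run must not add a duplicate rule.
add_pam_radius_line() {
  root=$1
  pam="$root/etc/pam.d/sshd"
  mkdir -p "$root/etc/pam.d"
  [ -f "$pam" ] || : > "$pam"
  if ! grep -q 'pam_radius_auth\.so' "$pam"; then
    { printf 'auth sufficient %s\n' "$PAM_RADIUS_MODULE"; cat "$pam"; } > "$pam.tmp"
    mv "$pam.tmp" "$pam"
  fi
}

# count_radius_rules ROOT: number of pam_radius_auth rules in sshd's PAM stack (expect 1)
count_radius_rules() {
  grep -c 'pam_radius_auth\.so' "$1/etc/pam.d/sshd"
}

# verify_config ROOT
# Returns 0 when the configuration matches the document, otherwise prints the first
# problem and returns 1. Run it before "systemctl restart sshd": if the module is
# missing or the rule is not first, PAM falls through to the local password and the
# Octopus push is never sent, so MFA is silently bypassed.
verify_config() {
  root=$1
  conf="$root/etc/pam_radius.conf"
  pam="$root/etc/pam.d/sshd"

  [ -f "$root$PAM_RADIUS_MODULE" ] || { echo "missing module $PAM_RADIUS_MODULE"; return 1; }
  [ -f "$conf" ] || { echo "missing $conf"; return 1; }

  # The shared secret must not be readable by group or others.
  case $(ls -l "$conf" | cut -c1-10) in
    -rw-------) ;;
    *) echo "$conf must be mode 0600 (it holds the RADIUS shared secret)"; return 1 ;;
  esac

  # Every non-comment, non-blank line must have exactly three fields: server[:port] secret timeout.
  bad=$(grep -v '^[[:space:]]*#' "$conf" | awk 'NF && NF != 3 { n++ } END { print n + 0 }')
  [ "$bad" -eq 0 ] || { echo "$bad malformed server line(s) in $conf"; return 1; }

  # pam_radius_auth must be the first auth rule so it runs before pam_unix, and appear once.
  first=$(grep -v '^[[:space:]]*#' "$pam" | awk '$1 == "auth" { print; exit }')
  case $first in
    "auth sufficient $PAM_RADIUS_MODULE") ;;
    *) echo "first auth rule in $pam is not pam_radius_auth: '$first'"; return 1 ;;
  esac
  [ "$(count_radius_rules "$root")" -eq 1 ] || { echo "duplicate pam_radius_auth rules in $pam"; return 1; }
  return 0
}

# Real run, as root (script name is hypothetical):
#   ./configure_radius_ssh.sh apply <octopus-ip> <shared-secret>
if [ "${1:-}" = "apply" ]; then
  write_pam_radius_conf / "$2" "$3" 60
  add_pam_radius_line /
  verify_config / || exit 1
  # Keep the current SSH session open until a second session has logged in through
  # Octopus, so a mistake in the PAM stack cannot lock you out of the server.
  systemctl restart sshd.service
fi
```

The verification deliberately fails closed on file permissions: a world-readable pam_radius.conf hands the shared secret to every local user, and anyone holding it can forge RADIUS Access-Accept responses to the PAM client.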

Step 4: SELinux Configuration [Designated Linux Server]

  • Edit /etc/selinux/config:
    vi /etc/selinux/config
  • Search for the line
    SELINUX=enforcing
    and replace it with
    SELINUX=disabled
  • Save and exit the file

Step 5: Add a Linux user [Designated Linux Server]

  • Add a user:
    adduser < username >
  • Set the user’s password:
    passwd < username >

Note: Ensure that the same username is registered for the Octopus Authenticator SSH Linux service under the Users tab.

Step 6: Perform SSH login [Designated Linux Server]

  • Open an SSH connection to the Designated Linux Server
  • You’ll be prompted with “login as:” → Type your username
  • You’ll also be prompted with “<username>@<server>’s password:” → Type any free password
  • You’ll then receive an authentication request on your mobile Octopus Authenticator application
  • Verify that the SSH Linux login succeeded