Adding MFA for GDM on GNOME using PAM RADIUS

Note: This integration does not support the use of Push. You will need to use OTP.

 

Setting up MFA for RADIUS is a requirement for this integration. Please see this article for more information.

Run apt-get install libpam-radius-auth to install the PAM Radius Authentication Module (pam_radius_auth).

Configure GDM for RADIUS Authentication by editing /etc/pam.d/gdm and adding the following line below the line #%PAM-1.0:

auth        required     /lib/security/pam_radius_auth.so

Note: If you need more verbose output, you can add the word debug to this line so that it reads:

auth        required     /lib/security/pam_radius_auth.so debug

Note: If you want the system to fail over to regular password authentication when the network connection is down, you can add the word localifdown to this line so that it reads as shown below. Note that this represents a possible attack vector, because the MFA check is skipped whenever the RADIUS server cannot be reached.

auth        required     /lib/security/pam_radius_auth.so localifdown

Note: If you comment out the following line, the system will not attempt standard Un*x password authentication and will use RADIUS authentication via AuthAnvil only.

@include common-auth

Edit the file /etc/pam_radius_auth.conf (/etc/raddb/server on some systems) and under the line:

127.0.0.1       secret      1

Add the line:

IP_address(:port)      shared_secret      timeout

Where IP_address is the IP address (and port, if using a RADIUS port other than the port defined in /etc/services) of your RADIUS server, shared_secret is the shared secret, and timeout is the timeout value in seconds.

Log out of the system and return to the GDM authentication prompt.

Enter your MFA token in the password field and click Log in. Shortly, a second password field will appear. Enter your regular Linux password in this field and click Log In. You will be delivered to your desktop.

Note: This configuration only protects GDM. A terminal logon or remote logon will still use the regular Linux password only. Due to the configurable nature of PAM, authentication on any login method can be strengthened by editing the appropriate configuration files.
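
To review the result of the steps above, the following added example (not part of the original article or of pam_radius_auth) parses the two files and reports the settings this article calls out: debug, localifdown, a commented-out common-auth include, and the leftover sample secret. The file contents, the 192.0.2.x addresses and the finding names are constructed for illustration; because the server file holds the shared secret, the example also flags group or other permission bits.

```python
import stat
# Constructed samples, not taken from a real host; 192.0.2.x are documentation addresses.
SAMPLE_GDM = """#%PAM-1.0
auth        required     /lib/security/pam_radius_auth.so debug localifdown
#@include common-auth
"""
SAMPLE_CONF = """127.0.0.1       secret      1
192.0.2.10:1812 example-shared-secret 3
192.0.2.11      another-secret        soon
"""

def _lines(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for raw in text.splitlines():
        fields = raw.split()
        if fields and not fields[0].startswith("#"):
            yield fields

def audit_pam_service(text):
    """Findings for a PAM service file such as /etc/pam.d/gdm."""
    opts, local = None, False
    for f in _lines(text):
        if f[:2] == ["@include", "common-auth"]:
            local = True
        elif f[0] == "auth" and len(f) > 2 and f[2].endswith("pam_radius_auth.so"):
            opts = f[3:]
    if opts is None:
        return ["radius-not-configured"]
    out = [o for o in ("debug", "localifdown") if o in opts]
    if not local:
        out.append("radius-only")  # common-auth disabled: no Unix password step
    return out

def audit_radius_conf(text, mode=0o600):
    """Findings for /etc/pam_radius_auth.conf; never echoes a real shared secret."""
    out = []
    if stat.S_IMODE(mode) & 0o077:
        out.append("conf-readable-by-group-or-other")
    for f in _lines(text):
        if len(f) < 2:
            out.append(f"{f[0]}: missing shared secret")
        elif f[1] == "secret":
            out.append(f"{f[0]}: still uses the sample line's placeholder secret")
        elif len(f) > 2 and not f[2].isdigit():
            out.append(f"{f[0]}: timeout is not a number of seconds")
    return out

if __name__ == "__main__":
    print(audit_pam_service(SAMPLE_GDM), audit_radius_conf(SAMPLE_CONF, mode=0o644))
```

On a real system, read the two files as root and pass `os.stat(path).st_mode` as `mode`.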

 

Other Configurations

For assistance with other configurations, including manually building and configuring the module, check out FreeRADIUS.org’s usage guide for the PAM Authentication and Accounting module. This guide includes a sample configuration file as well as other usage instructions.
