在数据中心中,可能有许多Linux机器,由管理员团队进行管理。这些管理员通过SSH访问这些服务器。如果希望使用一个集中的位置来管理这些管理员的身份验证。那么为了实现这一点,可以使用FreeRADIUS服务器。FreeRADIUS是一个功能强大的开源工具,可支持多种身份验证协议,提供更灵活的身份验证管理选项。通过配置FreeRADIUS服务器,您可以集中管理管理员的身份验证,提高数据中心的安全性和效率。
接下来将向你展示如何使用FreeRADIUS进行SSH身份验证。
拓扑图
前提条件:
- 一台提供RADIUS服务的FreeRADIUS服务器,如何配置可参考FreeRADIUS+LDAP+Google Auth的双重验证
- 一台客户端【Ubuntu 22.04】,sudo权限的用户
- 两台设备之间可以互通
实施:
1. 安装必要的软件包,以便客户端可以通过以下命令与FreeRADIUS进行交互
apt-get install libpam-radius-auth freeradius-utils -y
root@ud-Virtual-Machine:/home/ud# apt-get install libpam-radius-auth freeradius-utils -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
freeradius-utils is already the newest version (3.0.26~dfsg~git20220223.1.00ed0241fa-0ubuntu3.1).
The following NEW packages will be installed:
libpam-radius-auth
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 25.4 kB of archives.
After this operation, 84.0 kB of additional disk space will be used.
Get:1 http://mirrors.tuna.tsinghua.edu.cn/ubuntu jammy/universe amd64 libpam-radius-auth amd64 2.0.0-1 [25.4 kB]
Fetched 25.4 kB in 8s (3,342 B/s)
Selecting previously unselected package libpam-radius-auth.
(Reading database ... 182939 files and directories currently installed.)
Preparing to unpack .../libpam-radius-auth_2.0.0-1_amd64.deb ...
Unpacking libpam-radius-auth (2.0.0-1) ...
Setting up libpam-radius-auth (2.0.0-1) ...
2. 修改配置文件
i. 编辑/etc/pam_radius_auth.conf文件,并注释掉默认的4行。然后添加一行,指定RADIUS服务器的IP地址和共享密钥。
root@ud-Virtual-Machine:/home/ud# cat /etc/pam_radius_auth.conf
# pam_radius_auth configuration file. Copy to: /etc/raddb/server
#
......
# Note: specifying a source_ip field is mandatory due to config parsing,
# but if not needed it can be just set to 0.
#
# server[:port] shared_secret timeout (s) source_ip vrf
#127.0.0.1 secret 3
#other-server other-secret 5 192.168.1.10 vrf-blue
#[2001:0db8:85a3::4]:1812 other6-secret 3 [2001:0db8:85a3::3] vrf-red
#other-other-server other-other-secret 5 0 vrf-blue
10.2.112.4:1812 testing123 30
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.
ii. 编辑/etc/ssh/sshd_config文件,启用ssh服务中的PAM认证。
root@ud-Virtual-Machine:/home/ud# cat /etc/ssh/sshd_config
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
......
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes
......
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
......
iii. 编辑/etc/pam.d/sshd文件,启用带有Radius的PAM模块。
root@ud-Virtual-Machine:/home/ud# cat /etc/pam.d/sshd
# PAM configuration for the Secure Shell service
#Radius authentication
auth sufficient pam_radius_auth.so
......
root@ud-Virtual-Machine:/home/ud#
3. 重启SSHD服务
service ssh restart
4. 添加本地账户
root@ud-Virtual-Machine:/home/ud# adduser knightyang --disabled-password --quiet --gecos ""
sudo同时也需要使用FreeRADIUS认证的话需要修改以下:
1. 编辑/etc/pam.d/sudo文件,启用带有Radius的PAM模块
root@ud-Virtual-Machine:/home/ud# cat /etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_radius_auth.so
# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
root@ud-Virtual-Machine:/home/ud#
2. 给用户添加sudo权限
root@ud-Virtual-Machine:sudo usermod -aG sudo knightyang
