The WatchGuard Integration article for Linux PAM covers configuring settings and includes information on Ubuntu. If you are using Red Hat 8.x, Rocky Linux 8.x, or another derivative, you can configure the Linux server portion by doing the following:
- Log in to your Linux server as a user with sudo access.
- Run this command: sudo yum install wget gcc pam pam-devel make
- To get the source code for PAM Radius run this command: wget https://github.com/FreeRADIUS/pam_radius/archive/release_2_0_0.tar.gz
- Extract, build and install the module by running the following commands:
  - tar xvfz release_2_0_0.tar.gz
  - cd pam_radius-release_2_0_0
  - ./configure
  - sudo make
  - sudo cp pam_radius_auth.so /lib64/security/
  - sudo mkdir /etc/raddb
  - sudo cp pam_radius_auth.conf /etc/raddb/server
  - sudo chmod 600 /etc/raddb/server
- Edit the /etc/ssh/sshd_config file to enable PAM authentication for the SSH service.
  - Make sure the line ChallengeResponseAuthentication yes is present and is not commented out with a #.
  - Make sure the line UsePAM yes is present and is not commented out with a #.
  - Save and quit.
- Edit the /etc/pam.d/sshd file.
  - Add the line auth sufficient pam_radius_auth.so at the beginning of the file to enable RADIUS authentication through PAM for the SSH service.
  - Save and quit.
- Edit the /etc/raddb/server file:
  - Add a line that specifies the IP address of the RADIUS server (AuthPoint Gateway) and the shared secret. Write the line in the format server:port SharedSecret timeout, with the timeout in seconds (for example, 10.0.1.201:1812 12345678 60).
  - Save and quit.
- Type $ sudo service sshd restart and press Enter to restart the SSH service.
- Type $ sudo adduser <user name> and press Enter to create a user on the Linux server. You must create a user with the same user name in AuthPoint.
All other steps are as documented in the WatchGuard article.
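
The following script is an added example, not part of the WatchGuard article or the pam_radius project: it checks the three files edited above without modifying them. It also covers one case the steps do not spell out: sshd uses the first uncommented occurrence of a keyword, so a ChallengeResponseAuthentication yes line added below an existing no line has no effect. The function names and the script name check.sh are assumptions, and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: read-only check of the three files edited in the steps above.

# Print the effective global value of sshd keyword $2 in file $1. sshd uses the
# FIRST uncommented occurrence of a keyword, so a "yes" added below an existing
# "no" has no effect. Scanning stops at the first Match block.
sshd_effective() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Succeed if the first active (non-comment, non-blank) line of PAM file $1 is
# the "auth sufficient pam_radius_auth.so" entry.
pam_radius_first() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | head -n 1 |
        grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_radius_auth\.so([[:space:]]|$)'
}

# Succeed if server file $1 has mode 600 and an active line of the form
# "server:port secret timeout" (the timeout, when present, must be numeric).
server_file_ok() {
    [ -n "$(find "$1" -prune -perm 600)" ] || return 1
    awk '$1 !~ /^#/ && NF >= 2 && (NF < 3 || $3 ~ /^[0-9]+$/) { ok = 1 }
         END { exit !ok }' "$1"
}

# Run every check, print one line per failure, return the failure count.
audit() {  # usage: audit SSHD_CONFIG PAM_FILE SERVER_FILE
    fails=0
    for k in ChallengeResponseAuthentication UsePAM; do
        v=$(sshd_effective "$1" "$k")
        [ "$v" = yes ] || { echo "FAIL: $k is ${v:-unset} in $1"; fails=$((fails + 1)); }
    done
    pam_radius_first "$2" || { echo "FAIL: RADIUS line is not first in $2"; fails=$((fails + 1)); }
    server_file_ok "$3" || { echo "FAIL: $3 mode or server line is wrong"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files (not from a real host): sshd_config carries the
# "no then yes" mistake, so exactly one check is expected to fail.
make_sample() {  # usage: make_sample DIR
    printf 'ChallengeResponseAuthentication no\nUsePAM yes\nChallengeResponseAuthentication yes\n' > "$1/sshd_config"
    printf '#%%PAM-1.0\nauth sufficient pam_radius_auth.so\nauth substack password-auth\n' > "$1/sshd"
    printf '# server:port secret timeout\n10.0.1.201:1812 12345678 60\n' > "$1/server"
    chmod 600 "$1/server"
}

# Hypothetical usage: sudo bash check.sh /etc/ssh/sshd_config /etc/pam.d/sshd /etc/raddb/server
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Run it before restarting the SSH service, and keep an existing session open until a new login has been tested.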