How to Enable GreenRADIUS Two-Factor Authentication for SSH Users in RedHat

Introduction

This document explains how to enable Two-Factor-Authentication (2FA) for SSH users in RedHat using GreenRADIUS virtual appliance.

Prequisites

  • This document assumes that GreenRADIUS Virtual Appliance is already set up with users imported in a domain from Active Directory/LDAP and also tokens are assigned to users
  • RedHat host 32 or 64 bit

Steps to be Performed on RedHat Host

  1. Login to RedHat host using any SSH client programs like PuTTY
  2. Change current directory to "/tmp" directory using the following command: cd /tmp/
  3. Download the "pam_radius_auth.so" file using the following command: sudo wget -O "pam_radius_auth.so" "https://files.greenrocketsecurity.com/pamradiuscentos"
  4. For 32 bit RedHat host, copy the 'pam_radius_auth.so' file to '/lib/security/' using the following command: sudo cp pam_radius_auth.so /lib/security/
  5. For 64 bit RedHat host, copy the 'pam_radius_auth.so' file to '/lib64/security/' using the following command: sudo cp pam_radius_auth.so /lib64/security/
  6. Edit file '/etc/pam.d/sshd' and add the following line at the top of this file: auth required pam_radius_auth.so
  7. Comment the line "auth include password-auth" as follows and save the file: #auth include password-auth
  8. Create a directory "raddb" in "/etc/" folder using the following command: sudo mkdir /etc/raddb/
  9. Change current directory to "raddb" directory and create a file named "server" using the following commands: cd /etc/raddb/ sudo touch server
  10. Edit the file "/etc/raddb/server" and add the following details into this file (each separated by a space): <<GreenRADIUS Virtual Appliance IP>><<Shared Secret>><<Timeout(seconds)>> E.g. If your GreenRADIUS Virtual Appliance IP address is "10.51.0.100" and shared secret is "test," you can use the following configuration: 10.51.0.100 test 3
  11. Add a new user without password to the server using the following command: useradd -d /home/<<user name>> -m <<user name>> E.g. If you want to add user say "john," you can use the following command to add user: useradd -d /home/john -m john Note: The username added must also be present in any one of the domains created in GreenRADIUS Virtual Appliance.
  12. Restart SSH service using the following command: sudo service sshd restart

Steps to Be Performed On GreenRADIUS Virtual Appliance

  1. Login to GreenRADIUS admin console using any web browser.
  2. Go to the 'Domain' tab and select the domain in which the user (in our case "John") is present.
  3. Go to "Configuration" tab
  4. Fill in the details of the RedHat host in the "Add Client" section:
    • e.g. if your RedHat host's IP address is "10.51.0.50" and shared secret will be same as shared secret mentioned in step 10 of previous (i.e. "test" in our case), hence add RADIUS client as shown in the image below and click 'Add:'

Test SSH Login on RedHat Host Using Two-Factor Authentication

  1. Login to RedHat host using any SSH client programs like PuTTY
  2. Type username and hit enter
  3. You will be prompted for the password. At the prompt for the password, enter the user's password configured in Active Directory/LDAP and immediately followed by an OTP from a token assigned to the user (in our case "John").
  • e.g. if username is "John," test login as shown in the image below:

Debugging

For debugging, use following command on RedHat host: tail -f /var/log/secure

SSH Login with Prompt for OTP

If you want to enable SSH login to prompt for OTP, follow the below steps.

Additional Steps to Be Performed On RedHat Host

  1. First follow the steps performed in the above section "Steps to be performed on RedHat host"
  2. Edit the "/etc/ssh/sshd_config"
  3. Find the line "ChallengeResponseAuthentication no" and change it to "ChallengeResponseAuthentication yes"
  4. Restart SSH service using the following command: sudo service sshd restart

Steps to be Performed on GreenRADIUS

  1. Log in to the GreenRADIUS web admin console
  2. Go to the "Global Configuration" tab and click on "General"
  3. Under "General Configuration" section select "OTP Input Method" as "Prompt For OTP (RADIUS only)" and click "Save"

Web Analytics Made Easy - StatCounter

Updated 2025-11-08
© 2025 Green Rocket Security Inc. All rights reserved.