An old thread, I know, but I am in the process of setting up a few NAS boxes at work, and our policy requires SSH to be protected with two-factor authentication.
Therefore I quickly installed a FreeNAS VM today to test-drive it before committing ourselves to FreeNAS.
Our two-factor authentication is done via RADIUS and LinOTP to generate the TOTP codes, using the Google Authenticator mobile app.
Users are authenticated via Active Directory (Samba4 PDCs).
So I needed to get RADIUS auth working for SSH. Here's how I got it working in about 30 minutes (if you already have a running jail, it will be considerably less :) ).
EDIT: I forgot to mention that I did this on a FreeNAS-9.3-STABLE-201602031011 build.
- From the FreeNAS GUI, create a new jail (Menu -> Jails, then click the "Add Jail" button). This will take a while.
- Select the newly created jail and open a shell to it.
- Install gcc and wget
Code:
pkg install gcc wget
- Download the FreeRADIUS PAM module source, unpack it, and change into the pam_radius directory.
Code:
wget ftp://ftp.freeradius.org/pub/radius/pam_radius-1.4.0.tar.gz
tar -zxvf pam_radius-1.4.0.tar.gz
cd pam_radius-1.4.0
- One line needs to be changed for pam_radius to compile on FreeBSD.
- Open the file src/pam_radius_auth.h and replace the line
with
- Once saved, run the configure script and then make.
- scp the PAM module file (pam_radius_auth.so) to your FreeNAS box.
Code:
scp pam_radius_auth.so <IP OF YOUR freeNAS Box>:/var/tmp/
- SSH into your FreeNAS box and move the file from /var/tmp to /usr/lib. Note that /usr/lib and /etc are part of the FreeNAS base system, so these changes will not survive a FreeNAS upgrade; keep a copy of the module and re-apply these steps afterwards.
Code:
mv /var/tmp/pam_radius_auth.so /usr/lib/
- Create the directory /etc/raddb and the file /etc/raddb/server.
This file should contain a list of RADIUS servers, one per line, each with its shared secret and a timeout in seconds:
Code:
# Server secret timeout
172.25.1.2 MySecret 3
172.25.1.3 MySecret 3
- Restrict the file to root, since it holds the shared secret:
Code:
chmod 600 /etc/raddb/server
- Before changing the PAM entry for the SSH daemon, test it first with, for example, sudo (a broken sshd PAM stack can lock you out, so keep an existing root session open while you test).
- In /etc/pam.d/sudo, insert the line
Code:
auth required pam_radius_auth.so force_prompt prompt=Token conf=/etc/raddb/server
before the line that reads
Code:
auth sufficient pam_opie.so no_warn no_fake_prompts
force_prompt makes pam_radius prompt for the token itself rather than re-using a password PAM already holds; it is not needed if you don't use RADIUS for two-factor authentication.
For the complete list of parameters, please check http://freeradius.org/pam_radius_auth/
- As a regular user (make sure RADIUS knows this user too!), try to sudo.
- If you manage to get sudo working with RADIUS authentication, let's try SSH.
- Repeat the PAM edit above (the pam_radius_auth.so line before the pam_opie.so line) for the file /etc/pam.d/sshd.
If you don't need two-factor authentication with RADIUS, then I think that is all you need to enable RADIUS auth on sshd.
- If you need two-factor authentication, you also need to tell sshd to use challenge/response (keyboard-interactive) authentication, so that PAM can show the token prompt.
- In the FreeNAS admin GUI, go to Services -> Control Services and open the SSH settings (click the wrench icon next to the SSH service).
- Click 'Advanced Mode' and, in the "Extra Options" text area, enter the following:
Code:
ChallengeResponseAuthentication yes
- Restart the SSH service.
- You should now have working RADIUS authentication for SSH. Note that public-key SSH logins do not go through the PAM auth stack, so this adds a second factor only to password/keyboard-interactive logins; if you want keys plus a token, look at OpenSSH's AuthenticationMethods option (e.g. publickey,keyboard-interactive).
- You can now delete the jail created in the first step if you want to.