#前置作業
#---------------------------------------------------------------------------------------------------------
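#關閉防火牆(僅建議用於測試環境;正式環境請保留 firewalld,只開放 RADIUS 所需的埠,例如 firewall-cmd --permanent --add-port=1812/udp 後執行 firewall-cmd --reload)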
systemctl disable firewalld
systemctl stop firewalld
#關閉 SELinux(setenforce 0 只會暫時切換成 permissive 模式,重開機後會還原)
setenforce 0
getenforce
修改 SELinux 設定檔 /etc/selinux/config 中的 SELINUX= 設定,讓開機後不要啟用 SELinux(僅建議用於測試環境;正式環境建議維持 enforcing,再依 audit log 補上 radiusd 需要的政策)
vim /etc/selinux/config
2.安裝freeradius跟google-authenticator
yum -y install freeradius freeradius-utils
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install -y google-authenticator
3.修改radiusd.conf
vim /etc/raddb/radiusd.conf
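修改下列兩項,讓 radiusd 以 root 身分執行(通常是因為 PAM 模組預設要讀取各使用者家目錄下的 ~/.google_authenticator)。這會讓整個 RADIUS 服務以 root 權限運作;只驗證 OTP 的情境可評估改用 pam_google_authenticator.so 的 secret= 與 user= 選項,把金鑰檔集中放在專用帳號可讀的目錄,radiusd 就不必以 root 執行。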
user = root
group = root
4.修改/etc/raddb/sites-enabled/default
vim /etc/raddb/sites-enabled/default
找到 authenticate { } 區段中的
# pam
取消註解如下
pam
5.freeradius啟用pam模組
ln -s /etc/raddb/mods-available/pam /etc/raddb/mods-enabled/pam
6.修改/etc/raddb/users,使用者預設使用PAM驗證
vim /etc/raddb/users
DEFAULT Auth-Type := PAM
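7.修改/etc/raddb/clients.conf,設定要驗證的來源主機。下面的 secret = test123 只是範例,實際使用請換成夠長的隨機字串,且每個 client 各自不同;ipaddr 盡量只填實際的 NAS/VPN 設備位址,而不是整個網段;client 端若支援 Message-Authenticator,建議把 require_message_authenticator 設為 yes,讓伺服器拒絕未帶該屬性的請求。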
vim /etc/raddb/clients.conf
client myserver {
ipaddr = 192.168.1.0/24
secret = test123
require_message_authenticator = no
}
8.修改PAM設定
vim /etc/pam.d/radiusd
將auth include password-auth註解(註解後 RADIUS 只驗證 OTP 驗證碼,不再檢查 Linux 帳號密碼;若要兩者都驗證,請見文末補充)
#auth include password-auth
並且在下面補上這一行
auth requisite pam_google_authenticator.so
9.重新啟動freeradius
systemctl enable radiusd
systemctl start radiusd
10.建立一個使用者來進行測試,並且幫使用者套上google驗證
useradd radtest
su - radtest
google-authenticator
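預設回答都是y。其中「放寬時間誤差視窗」那一題回答 y 會讓可接受的驗證碼變多,主機時間已用 NTP 同步時可以回答 n;畫面上顯示的金鑰與緊急備用碼請妥善保存。設定完成後可用 freeradius-utils 的 radtest 測試:radtest radtest <驗證碼> <RADIUS主機> 0 <shared secret>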
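補充:如果要同時驗證 Linux 本機帳密,/etc/pam.d/radiusd 改成如下(forward_pass 表示使用者在同一個密碼欄位輸入「密碼+驗證碼」,也就是密碼後面直接接上驗證碼,再由 pam_unix.so 以 use_first_pass 驗證密碼部分)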
#%PAM-1.0
#auth include password-auth
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_nologin.so
account include password-auth
#password include password-auth
session include password-auth