How to configure sudo for two-factor authentication using pam-radius on Ubuntu and CentOS

Attackers frequently use lost, stolen, weak or default credentials to escalate their privileges after they have infiltrated your network. While two-factor authentication can greatly reduce infiltration, there are other means of gaining entry such as malware.  This tutorial shows how to add radius to sudo for Centos 7 and Ubuntu 14.04 for two-factor authentication with the WiKID Strong Authentication server.  Using pam-radius is nice because it allows you to insert a radius server, such as Freeradius or NPS on Windows, so you can perform authorization in your directory and then authentication against a separate two-factor auth server.  Managing your users in a central directory is a very good security practice.   Note that since we are using RADIUS, this basic setup works for all enterprise-class 2FA systems.

Configure sudo on Centos/RHEL for two-factor authentication

We will start on RHEL/Centos 7.   Install the prerequisites:

sudo yum -y install make gcc pam pam-devel

Get the latest PAM RADIUS code (1.4 as of this writing):


Build the library:

tar -xzvf pam-radius-x.x.x.tar.gz
cd pam-radius-x.x.x
sudo ./configure
sudo make

Copy the library to the proper location:

sudo cp pam_radius_auth.so /lib/security/

Or for 64bit:

sudo cp pam_radius_auth.so /lib64/security/

Create the configuration directory and copy the configuration file under the name 'server':

sudo mkdir /etc/raddb
sudo cp pam_radius_auth.conf /etc/raddb/server

Edit /etc/raddb/server and add your radius server IP and the shared secret to this file.  Because the file holds the shared secret, keep it readable by root only.

# server[:port]     shared_secret      timeout (s)
127.0.0.1           secret             1
radius_server_IP    secret             3
# having localhost in your radius configuration is a Good Thing.

(Note that while we want the radius server in the loop eventually, you can also use your WiKID server as the radius server: add this Centos box as a network client on WiKID, restart WiKID and be done, or at least test this way.  It's always a good idea to do some small tests along the way; just be sure to remove them afterwards.)

Next, we need to tell sudo to use radius.  Edit the file /etc/pam.d/sudo and replace "auth       include      system-auth" with:

auth       required     pam_radius_auth.so

That's it for the Centos/RHEL 7 box.  The same setup works for 5 and 6 too.

Configure sudo on Ubuntu for two-factor authentication

Next up is the Ubuntu 14.04 server.  First, install pam-radius:

sudo apt-get install libpam-radius-auth

Point it at the NPS server as well by editing /etc/pam_radius_auth.conf so that it matches the Centos configuration above:

# server[:port]     shared_secret      timeout (s)
127.0.0.1           secret             1
radius_server_IP    secret             3
# having localhost in your radius configuration is a Good Thing.

Edit your /etc/pam.d/sudo file and add the line 'auth sufficient pam_radius_auth.so' above the common-auth line:

auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth       sufficient pam_radius_auth.so
@include common-auth
@include common-account
@include common-session-noninteractive

That's it for the Ubuntu server.

Now, anytime an admin attempts to use sudo, they must enter their one-time passcode.   PAM will forward the username and OTP to your radius server or your WiKID server for validation.  
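As an added check that is not part of the original tutorial, the following Python script parses a pam_radius_auth.conf-style server file (/etc/raddb/server on Centos, /etc/pam_radius_auth.conf on Ubuntu) and a /etc/pam.d/sudo stack, and flags the slips that leave sudo without a working second factor: the sample secret "secret" left in place, a server list containing only localhost, or the pam_radius_auth.so line placed below the common-auth include. The file contents are constructed samples and 192.0.2.10 is a placeholder address.

```python
# Constructed sample of the server file: the stock localhost line plus a RADIUS
# server added as in the tutorial, with the sample secret left unchanged.
SAMPLE_SERVER_FILE = """\
# server[:port] shared_secret      timeout (s)
127.0.0.1       secret             1
192.0.2.10      secret             3
"""

# Constructed sample of /etc/pam.d/sudo after the Ubuntu steps above.
SAMPLE_PAM_SUDO = """\
auth       required pam_env.so readenv=1 user_readenv=0
auth sufficient pam_radius_auth.so
@include common-auth
"""

def parse_radius_servers(text):
    """Parse pam_radius_auth.conf entries into (server, secret, timeout) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed entry: %r" % raw)
        timeout = int(fields[2]) if len(fields) > 2 else None
        entries.append((fields[0], fields[1], timeout))
    return entries

def audit_radius_servers(entries):
    """Flag placeholder or short shared secrets and a localhost-only server list."""
    findings = []
    for server, secret, _timeout in entries:
        if secret == "secret":
            findings.append("%s: sample shared secret still in place" % server)
        elif len(secret) < 16:
            findings.append("%s: shared secret shorter than 16 characters" % server)
    if {s.split(":")[0] for s, _, _ in entries} <= {"127.0.0.1", "localhost"}:
        findings.append("no RADIUS server other than localhost is configured")
    return findings

def audit_pam_sudo(text):
    """Check that pam_radius_auth.so is in the sudo auth stack above common-auth."""
    lines = [l.strip() for l in text.splitlines()]
    radius = [i for i, l in enumerate(lines) if l.startswith("auth") and "pam_radius_auth.so" in l]
    common = [i for i, l in enumerate(lines) if l.startswith("@include common-auth")]
    if not radius:
        return ["no pam_radius_auth.so auth line: sudo will not ask for an OTP"]
    if common and radius[0] > common[0]:
        return ["pam_radius_auth.so comes after @include common-auth; move it above"]
    return []
```

Run it against the real files after editing them; an empty findings list from both audits means the stack is wired as the tutorial describes.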

Using two-factor authentication for administrative accounts is a powerful tool for securing your network. It may even become part of the PCI DSS requirements.  


From: External Gorge

This setup requires a local account to be present on the Linux box. Is it possible to eliminate the need for local accounts?

From: nowen

Interesting point.  Something like this?

From: DaveGlasses

Can this be used in conjunction with pam_tally2 to lock accounts after failed attempts?