How to configure sudo for two factor authentication using pam radius on Ubuntu and Cent. OSAttackers frequently use lost, stolen, weak or default credentials to escalate their privileges after they have infiltrated your network. While two factor authentication can greatly reduce infiltration, there are other means of gaining entry such as malware. This tutorial shows how to add radius to sudo for Centos 7 and Ubuntu 1. Wi. KID Strong Authentication server. Using pam radius is nice because it allows you to insert a radius server, such as Freeradius or NPS on Windows, so you can perform authorization in your directory and then authentication against a separate two factor auth server. Managing your users in a central directory is a very good security practice. Note that since we are using RADIUS, this basic setup works for all enterprise class 2. FA systems. Configure sudo on CentosRHEL for two factor authentication. We will start on RHELCentos 7. Install the pre requisites sudo yum y install make gcc pam pam devel. Get the latest PAM RADIUS code 1. Build the library tar xzvf pam radius x. Copy the library to the proper location cp pamradiusauth. Or for 6. 4bit cp pamradiusauth. Create the configuration directory and copy the configuration file under the name server sudo mkdir etcraddbcp pamradiusauth. Infinite Abundance Program. Edit etcraddbserver and add your radius server IP and the shared secret to this file. IP    secret       3 having localhost in your radius configuration is a Good Thing. Note that while we want the radius in the loop eventually, you can also user your Wi. KID server as the radius server, add this Centos box as a network client on Wi. KID, restart Wi. KID and be done or at least you can test this way. Its always a good idea to do some small tests along the way, just be sure to remove them. Next, we need to tell sudo to use radius. Edit the file etcpam. Thats it for the CentosRHEL 7 box. The same setup work for 5 and 6 too. Configure sudo on Ubuntu for two factor authentication. Next up is the Ubuntu 1. First, install pam radius sudo apt get install libpam radius auth. Configure it with the NPS server as well by editing etcpamradiusauth. So that it is the same as above server port sharedsecret      timeout s1. IP   secret       3 having localhost in your radius configuration is a Good Thing. Edit your etcpam. Thats is for the Ubuntu server. Now, anytime an admin attempts to use sudo, they must enter their one time passcode. Tutorials How to configure sudo for twofactor authentication using pamradius on Ubuntu and CentOS. When running CentOS or RHEL, or Scientific Linux in a VM on VMware ESXi, you may want to install VMware Tools. Modern Linux distributions include the drivers. PAM will forward the username and OTP to your radius server or your Wi. KID server for validation. Using two factor authentication for administrative accounts is a powerful tool for securing your network. It may even become part of the PCI DSS requirements.