FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
nathan_h
Staff & Editor
Article Id 190276

Description


This article describes how to configure FortiAuthenticator to integrate two-factor authentication into the Linux remote SSH login, using the pluggable authentication module (PAM) for SSH, extending its capability with the RADIUS protocol.


FortiToken Mobile is used to provide the token code or one-time password (OTP), and Ubuntu is used as the client machine/SSH server.

 

Note:

The configuration may differ in other flavors or versions of Linux.

 

It is assumed that the Linux host already has its network routing configured and that the user account used for SSH already exists on this Linux OS. The bare minimum for adding a user is adduser newusername.

 

Scope

 

FortiAuthenticator and Linux.

Solution


Linux configuration.

Install the PAM RADIUS package. If the package cannot be found, add another Linux repository:


forti1@linux-lab ~$ sudo apt-get install libpam-radius-auth

 

Edit /etc/pam_radius_auth.conf and add the RADIUS server IP address and shared secret. Since this file holds the shared secret, keep it readable by root only:

 

root@linux-lab:~# nano /etc/pam_radius_auth.conf
# server[:port]      shared_secret    timeout (s) source_ip
#127.0.0.1           secret           3
192.168.38.3:1812    fortinet         5           192.168.95.66

 

In this example, the RADIUS server is 192.168.38.3 (UDP port 1812), the shared secret is 'fortinet', the timeout is 5 seconds, and the source IP is the Linux server's own address, 192.168.95.66.

Edit /etc/pam.d/sshd to insert RADIUS authentication by adding the line auth sufficient pam_radius_auth.so at the top of the file:


root@linux-lab:~# nano /etc/pam.d/sshd
# PAM configuration for the Secure Shell service

auth sufficient pam_radius_auth.so

 

Restart the sshd service:


root@linux-lab:~# service ssh restart


Or:


root@linux-lab:~# /etc/init.d/ssh restart

FortiAuthenticator Configuration.

Add the RADIUS client:


[Figure: RADIUS Client configuration]

 

Configure Radius Policy:


[Figures: RADIUS Policy, steps 1 to 5]

Configure the user account on FortiAuthenticator, in this case a user on a remote LDAP server:


[Figure: user with FortiToken Mobile]

 

Verify with any SSH client. In this example, the SSH client in Microsoft PowerShell is used:

  • Login as: username.
  • Password: the password and the token code concatenated.

 

For example, taking the password fortinet and the token code 123456, the password to be entered would be fortinet123456.
This is entered here as an example in the following SSH login (the password is typically not shown when typed):

PS C:\Users\forti1> ssh forti2@192.168.95.66
(forti2@192.168.95.66) Password: <fortinet123456>

Last login: Fri Aug 1 12:43:02 2025 from 192.168.95.11
forti2@linux-lab:~$ 


[Figure: log success]

For a better user experience, it may be advisable to split the prompts for the password and the OTP, so that a complex password and the 6-digit OTP do not have to be concatenated. To do so:

Enable the challenge-response mechanism. Additional configuration is needed on the Linux server:
Edit the /etc/ssh/sshd_config file and change the option KbdInteractiveAuthentication from 'no' to 'yes'.
In other Linux flavors, this option may be named ChallengeResponseAuthentication instead. In that case, change that value from 'no' to 'yes'.


For example:


# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication yes

 

Restart the sshd service with one of these commands:


root@linux-lab:~# service ssh restart
root@linux-lab:~# /etc/init.d/ssh restart

 

Verify with any SSH client. In this example, the SSH client in Microsoft PowerShell is used again.

The login flow in this configuration is:

  • Enter the username (or pass it on the SSH command line) and, when prompted, the password.
  • FortiAuthenticator sends back an Access-Challenge containing the message '+Enter token code or no code to send a notification to your FortiToken Mobile', and the SSH client shows it as a prompt.


This offers two options:

  • Push notification and approval.
  • Enter the OTP manually.

 

The leading '+' indicates that FortiAuthenticator is ready for FortiToken Mobile push authentication.
To trigger a push notification to the phone, either enter 'push' instead of the OTP and press Enter, or simply press Enter with a blank value.

 

This causes the RADIUS client to send an Access-Request whose response value is empty or 'push', which triggers FortiAuthenticator to send a notification to the phone on which that token is activated. More information about this function can be found in the KB article: Technical Tip: FortiToken Push on FortiAuthenticator: operation flow and details

 

For example, triggering the push notification with the value of 'push':

 

PS C:\Users\forti1> ssh forti2@192.168.95.66
(forti2@192.168.95.66) Password:
(forti2@192.168.95.66) +Enter token code or no code to send a notification to your FortiToken Mobilepush

Last login: Fri Aug 1 12:48:09 2025 from 192.168.95.11

forti2@linux-lab:~$ 

 

An example with the manual entry of the 6-digit OTP:

 

PS C:\Users\forti1> ssh forti2@192.168.95.66
(forti2@192.168.95.66) Password:
(forti2@192.168.95.66) +Enter token code or no code to send a notification to your FortiToken Mobile379222

Last login: Fri Aug 1 12:49:05 2025 from 192.168.95.11
forti2@linux-lab:~$


Debug logs can be found at https://<fac-ip>/debug/radius, if debugging is enabled (with the respective button at the top of that page).
The main UI logs appear like this:


[Figure: RADIUS Challenge log]

date=2025-08-01 time=11:08:29+0000 oid=749326 logid=20002 cat="Event" subcat="Authentication" level="information" nas="192.168.95.66" action="Authentication" status="Success" msg="Remote LDAP user authentication from (null) with FortiToken successful" user="forti2"
date=2025-08-01 time=11:08:23+0000 oid=749325 logid=20300 cat="Event" subcat="Authentication" level="information" nas="192.168.95.66" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting FortiToken" user="forti2"
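As an added example that is not part of the original article: a small parser for the FortiAuthenticator log format shown above, which also pairs each Pending entry with the matching Success entry for the same user and NAS, to tell a two-step Access-Challenge login from a single-step one. The first two log lines are the article's; the third (user forti3) is constructed, and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# The two log lines from the article plus a constructed third one (forti3, made up)
# that succeeded without a preceding Pending entry.
FAC_LOG = """\
date=2025-08-01 time=11:08:29+0000 oid=749326 logid=20002 cat="Event" subcat="Authentication" level="information" nas="192.168.95.66" action="Authentication" status="Success" msg="Remote LDAP user authentication from (null) with FortiToken successful" user="forti2"
date=2025-08-01 time=11:08:23+0000 oid=749325 logid=20300 cat="Event" subcat="Authentication" level="information" nas="192.168.95.66" action="Authentication" status="Pending" msg="Remote LDAP user authentication partially done, expecting FortiToken" user="forti2"
date=2025-08-01 time=11:12:05+0000 oid=749330 logid=20002 cat="Event" subcat="Authentication" level="information" nas="192.168.95.66" action="Authentication" status="Success" msg="Remote LDAP user authentication from (null) with FortiToken successful" user="forti3"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fac_line(line):
    """Turn one FortiAuthenticator log line into a dict and add a 'ts' datetime."""
    rec = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S%z")
    return rec

def login_modes(log_text, window=timedelta(seconds=60)):
    """For every successful login, report whether it went through the two-step
    Access-Challenge flow (a Pending entry for the same user and NAS shortly before)
    or completed in a single step (no preceding Pending entry within the window).
    Returns {(user, nas): (mode, seconds_between_pending_and_success)}."""
    recs = sorted((parse_fac_line(l) for l in log_text.splitlines() if l.strip()),
                  key=lambda r: r["ts"])
    pending = {}   # (user, nas) -> timestamp of the most recent Pending entry
    modes = {}
    for r in recs:
        key = (r["user"], r["nas"])
        if r["status"] == "Pending":
            pending[key] = r["ts"]
        elif r["status"] == "Success":
            started = pending.pop(key, None)
            if started is not None and r["ts"] - started <= window:
                modes[key] = ("challenge-response", int((r["ts"] - started).total_seconds()))
            else:
                modes[key] = ("single-step", 0)
    return modes

if __name__ == "__main__":
    for (user, nas), (mode, secs) in login_modes(FAC_LOG).items():
        print(f"{user} from {nas}: {mode} ({secs}s between Pending and Success)")
```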


Important note:
With the default PAM configuration, local user authentication remains available as a fallback if the remote RADIUS server is down or the RADIUS authentication fails. This can bypass the configured two-factor authentication: once the RADIUS step fails, Linux PAM continues down the stack and accepts the local password of the locally created user.
Using different passwords for the remote and local user accounts is good practice, as it makes these events easier to tell apart; otherwise troubleshooting is difficult. If the OTP is wrong, the user may still be logged in, and whether the fault lies with FortiAuthenticator or the client requires troubleshooting (a RADIUS packet capture is a good starting point to understand the exchange between FortiAuthenticator and the client).

Consider changing the configuration to disallow local authentication. Note that this may lock the user out of the system if the password or token configuration is incorrect.


This requires a change to /etc/pam.d/sshd, using EITHER of the following options:

  • Change the previously added 'auth' line from 'sufficient' to 'required', such as:


# PAM configuration for the Secure Shell service
auth required pam_radius_auth.so


The expected behavior of this setting is that, if an incorrect password or OTP is supplied, the authentication simply restarts and asks again for the user's password.

  • Alternatively, comment out '@include common-account', for example:

 

# Standard Un*x authorization.
# @include common-account


With this method, an incorrect password or OTP supplied by the user leads to an immediate authentication failure, because local user authentication is no longer performed.
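As an added example that is not part of the original article: a Python check over copies of /etc/pam.d/sshd and /etc/ssh/sshd_config that flags the fallback state described in this note (pam_radius_auth.so marked 'sufficient' while '@include common-account' is still active) and confirms that the challenge-response option is on. The file contents are constructed samples and the function names are assumptions.

```python
# Constructed samples of the two files the article edits (not taken from a live host).
PAM_SSHD_WEAK = """# PAM configuration for the Secure Shell service
auth sufficient pam_radius_auth.so
@include common-auth
@include common-account
"""
PAM_SSHD_HARD = PAM_SSHD_WEAK.replace("sufficient", "required")
SSHD_CONFIG = "# challenge-response prompts\nKbdInteractiveAuthentication yes\n"

def _active(text):
    """Lines of a config file with comments and blank lines stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def audit_pam_sshd(text):
    """Findings for /etc/pam.d/sshd: is RADIUS 2FA enforced or can it be bypassed?"""
    rows = [l.split() for l in _active(text)]
    radius = [r[1] for r in rows if r[0] == "auth" and len(r) >= 3 and r[2] == "pam_radius_auth.so"]
    includes = {" ".join(r) for r in rows if r[0] == "@include"}
    if not radius:
        return ["pam_radius_auth.so is not in the auth stack: no RADIUS 2FA"]
    findings = []
    # Weak state from the article: 'sufficient' plus an active common-account include
    # lets PAM fall through to the local password when RADIUS fails or is unreachable.
    if radius[0] == "sufficient" and "@include common-account" in includes:
        findings.append("pam_radius_auth.so is 'sufficient' and @include common-account "
                        "is active: local password fallback can bypass 2FA")
    return findings

def sshd_option(text, name):
    """Effective value of an sshd_config keyword (sshd honours the first occurrence)."""
    for line in _active(text):
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            return parts[1].strip().lower()
    return None

def challenge_response_enabled(text):
    """True if the split password/OTP prompt described in the article can work."""
    value = sshd_option(text, "KbdInteractiveAuthentication")
    if value is None:  # older OpenSSH name for the same option
        value = sshd_option(text, "ChallengeResponseAuthentication")
    return value == "yes"

if __name__ == "__main__":
    print("weak findings:", audit_pam_sshd(PAM_SSHD_WEAK))
    print("hardened findings:", audit_pam_sshd(PAM_SSHD_HARD))
    print("challenge-response enabled:", challenge_response_enabled(SSHD_CONFIG))
```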