Setting up centralized authentication for Linux SSH users

Alan DeKok aland at deployingradius.com
Mon Jun 22 19:52:07 CEST 2015


On Jun 22, 2015, at 12:00 PM, Daniel Bray <dbray925 at gmail.com> wrote:
> I was thinking that a Freeradius solution would be a simple approach to get
> all the SSH devices (Linux and Cisco) pointing to a single server for
> authentication purposes.

  RADIUS doesn't do UID, GID, home directory, etc.  So it's probably not the correct choice for logging into Linux servers.

> Here come the issues I face.  I got everything setup on a Linux server,
> and using MySQL as the backend.  I'm also using daloRADIUS as the web
> frontend for management.  I was able to get the test Linux servers' PAM
> configured to point to the Freeradius server, and I can authenticate
> myself, and the other admins.  However, it appears that, by default, all
> users can SSH into any of the NAS devices I've configured.

  The default configuration of the server is to authenticate users.  Which means all known users are allowed in.

>  This is the
> main issue I'm trying to solve.  How, exactly, do I configure Freeradius
> to only allow certain vendor accounts SSH access into specific NAS devices?

  You have to set up explicit lists of who's allowed to log in where.  Put the data into an SQL table, and write a SELECT statement.  Then, put that SELECT statement into the FreeRADIUS configuration.

  e.g. if you have a table of "user, NAS", you can do something like this:

	# %{sql:...} hands the query to the sql module.  An empty result set
	# expands to an empty string, so the condition is false and we reject.
	if (!"%{sql:SELECT USER FROM nas_control_table WHERE NAS = '%{NAS-IP-Address}' AND USER = '%{User-Name}'}") {
		reject
	}

  Which looks up the user by name and NAS IP.  If the SQL statement returns nothing, reject.

  You'll have to create a correct schema, table, and query, of course.  The above is just an example.

  Alan DeKok.
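An added example, not code from Alan's reply or from the FreeRADIUS project: it models the per-NAS allow-list check the reply describes against an in-memory SQLite copy of the "user, NAS" table, so the default behaviour (every known user accepted everywhere) can be compared with the explicit allow-list policy. SQLite stands in for the MySQL backend; the table name nas_control_table comes from the reply, while the column names username and nas_ip, the sample rows and the set of "known users" are assumptions constructed for the example. It also shows what the same SELECT does if the RADIUS attribute values are pasted into the query text without escaping, which is why bound parameters (or the sql module's own escaping) matter.

```python
"""Per-NAS SSH authorization check modelled after the reply above.

Added example, not code from Alan DeKok's message or from FreeRADIUS.  SQLite
stands in for the MySQL backend; table and column names are assumptions
(the reply calls the table nas_control_table and its columns USER and NAS).
"""
import sqlite3

# The query the unlang %{sql:...} expansion would run.  The two parameters
# are what %{NAS-IP-Address} and %{User-Name} expand to.
NAS_CONTROL_QUERY = (
    "SELECT username FROM nas_control_table "
    "WHERE nas_ip = ? AND username = ?"
)

# Constructed sample data: who may log in to which NAS (by its RADIUS NAS IP).
SAMPLE_ACCESS = [
    ("alice",   "192.0.2.10"),   # admin, allowed on both test boxes
    ("alice",   "192.0.2.11"),
    ("vendor1", "192.0.2.11"),   # vendor account, one device only
]

# Constructed stand-in for "users the server knows", e.g. rows in radcheck.
KNOWN_USERS = {"alice", "vendor1", "vendor2"}


def build_db():
    """Create the allow-list table with a composite key so a (user, NAS)
    pair cannot be inserted twice, and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE nas_control_table ("
        "  username TEXT NOT NULL,"
        "  nas_ip   TEXT NOT NULL,"
        "  PRIMARY KEY (username, nas_ip))"
    )
    conn.executemany("INSERT INTO nas_control_table VALUES (?, ?)", SAMPLE_ACCESS)
    conn.commit()
    return conn


def nas_allows(conn, user, nas_ip):
    """Mirror of `if (!"%{sql:SELECT ...}") { reject }`: an empty result
    means the pair is not on the list.  Bound parameters keep the
    attribute values out of the SQL grammar."""
    row = conn.execute(NAS_CONTROL_QUERY, (nas_ip, user)).fetchone()
    return row is not None


def authorize(conn, user, nas_ip, enforce_nas_list):
    """Decision for one Access-Request.

    enforce_nas_list=False is the default behaviour described in the reply:
    every known user is accepted on every NAS.  enforce_nas_list=True adds
    the per-NAS allow-list check."""
    if user not in KNOWN_USERS:
        return "reject"
    if enforce_nas_list and not nas_allows(conn, user, nas_ip):
        return "reject"
    return "accept"


def unescaped_lookup(conn, user, nas_ip):
    """What the same check does if the attribute values are pasted into the
    query text without escaping.  The FreeRADIUS sql module registers an
    escape function for its xlat, so nested %{...} values are escaped
    there; anything else that builds the query by string formatting (a
    home-grown PAM helper, a reporting script) must use bound parameters."""
    query = (
        "SELECT username FROM nas_control_table "
        f"WHERE nas_ip = '{nas_ip}' AND username = '{user}'"
    )
    return conn.execute(query).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    for who, where in [("vendor1", "192.0.2.11"), ("vendor1", "192.0.2.10")]:
        print(who, where,
              "default:", authorize(db, who, where, False),
              "with list:", authorize(db, who, where, True))
    # A User-Name of "' OR '1'='1" from a NAS that is on nobody's list:
    print("unescaped:", unescaped_lookup(db, "' OR '1'='1", "192.0.2.99"))
    print("bound params:", nas_allows(db, "' OR '1'='1", "192.0.2.99"))
```

The unescaped lookup returns a row for the crafted User-Name even though no entry exists for that NAS, while the parameterized version returns nothing; on the real server, check with radiusd -X that the expanded query shows the quote escaped before trusting the allow-list.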