create SSH accounts using RADIUS pam
Janis Heller
janis.heller at outlook.de
Mon Sep 5 17:30:21 CEST 2016
After some rethinking, it would be possible to use REST for auth and for accounting ldap? Because rest would not be able to return the needed informations for account?
All the best;
Am 5. September 2016 16:39:00 MESZ, schrieb Alan DeKok <aland at deployingradius.com>:
On Sep 5, 2016, at 10:29 AM, Janis Heller <janis.heller at outlook.de> wrote:
I use the REST module of RADIUS to validate login requests (username & password).
Now I would like my users to be able to login to some servers using SSH. Their accounts should be all very unprivileged (just for SSH tunneling).
After setting up the pam sshd module I recognized the login would be only possible by creating a new user with an empty password by using:
adduser testuser
on the server. Is there a way to prevent this and allow users to login in case of RADIUS accepted their username & password.
See the PAM and NSS documentation. This is really outside of FreeRADIUS.
I already searched for this problem:
http://serverfault.com/questions/567628/authenticate-radius-user-using-pam-and-ssh
Setting up ldap would be a bit too much for this I think, isn’t there an easier way?
No.
I took a look at writing an nss_radius plugin years ago. It wasn't simple. NSS made PAM look sane.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list