Questions pam_radius and accounting logs

Junk XL junkxl at yahoo.com
Mon Jul 24 20:42:35 CEST 2017 

What i expected to see was the sudo commands issued, rather than just a start/stop packet and 'sudo' in the NAS identifier.
However i understand PAM's limitations, and half expected that to be the issue, but wasn't sure if enabling something like pam_tty_audit was required.

Thank you for the clarification.

Kind Regards,

GR



________________________________
From: Alan DeKok <aland at deployingradius.com>
To: Junk XL <junkxl at yahoo.com>; FreeRadius users mailing list <freeradius-users at lists.freeradius.org> 
Sent: Monday, July 24, 2017 11:15 AM
Subject: Re: Questions pam_radius and accounting logs



On Jul 24, 2017, at 11:34 AM, Junk XL via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> I am trying to utilize the pam_radius client (1.4.0) on several RHEL 6 servers for authentication and accounting with ssh and sudo, against a Cisco ACS (ver 5.5)

  That should work.  It' just RADIUS.

> 
> The authentication works as expected for both, however i am not seeing what i would expect in the accounting. 
> 
> My first question is, is there a setting that i am missing that enables pam_radius to send the full accounting back to the ACS?

  No.

> I do see the start/stop packets, however i only ever see the "sudo" issued as a NAS identifier, and never anything else.

  Because PAM doesn't do that.  PAM just does login, logout, and session times.  PAM doesn't get called every time the user runs a command.

> Am i just incorrect in my assumptions on what i think i should be seeing with the accounting?

  I don't know what you think you should be seeing.  You haven't said what you expect to see.


> I know with other devices, I can see the full accounting commands issued, but i do not know if that is a limitation with Linux and pam_radius, or if i have something set incorrectly.

  What are "full accounting commands"?

  If you expect to see every command run by the user, it won't work.  PAM doesn't do that.  No amount of poking pam_radius will make it work.

  Alan DeKok.

More information about the Freeradius-Users mailing list