proposal for using filter-id attribute for authorization with pam_radius
Hi list, we're using for OPT authentification a Vasco Identikey server. Unfortunately the software is rather limited, e.g. it is not possible to define access rules based on groups. The server is able to perform a RADIUS password challenge but only as "PIN and OTP are correct" - not exactly the kind of authentication I expected... The only way to get something like grouping with this product is out-sourcing to the client: Vasco cann add a filter-id attribute to the response, if the client is capable of interpreting such responses it is possible to group users (though with strings on a per-user base). As we plan to use the OTP tokens to secure our SSH service I searched for a method to authorize users not only with RADIUS but additionally the feature to check for specific filter-ids in the response - it seems no one has ever implemented such a thing. Anyway, I extended pam_radius* so it is possible to use filter-ids for authentication - the patches for 1.3.17 are attached. Would an extension like this useful for the vanilla release of pam_radius? Greetings Renke *) I am _not_ a programmer, the stuff I changed should be checked/rewritten/used only as concept...
Renke Brausse <rbrausse@gmx.com> wrote:
we're using for OPT authentification a Vasco Identikey server. Unfortunately the software is rather limited, e.g. it is not possible to define access rules based on groups.
...then proxy the request through FreeRADIUS before it gets to your infernal Vasco Identikey box and have FreeRADIUS make something useful out of it all.
As we plan to use the OTP tokens to secure our SSH service I searched for a method to authorize users not only with RADIUS but additionally the feature to check for specific filter-ids in the response - it seems no one has ever implemented such a thing.
Eugh, something I cobbled together in a week at work, a system that lets you put all your SSH public keys in LDAP without having to patch OpenSSH: <selfless-self-promo> http://www.digriz.org.uk/lpkfuse </selfless-self-promo> Additionally I did a proof-of-concept to myself of an RFC2289 OTP authentication framework with a perl module hooked into FreeRADIUS. Worked for SSH (via pam_radius_auth) and I got it working for WPA Enterprise networks too. It's something I probably will get around to finishing in the July, but if you hire a good perl coder you probably are looking at only a week's worth of work and I can hand you a code dump of my work to 'seed' them with (only if the code is then released afterwards GPLed).
Anyway, I extended pam_radius* so it is possible to use filter-ids for authentication - the patches for 1.3.17 are attached.
Would an extension like this useful for the vanilla release of pam_radius?
This sort of thing should be sorted out with groups (centrally maintained via LDAP if you can find the time to go the full distance). Put the following into /etc/pam.d/sshd: ---- account required pam_access.so accessfile=/etc/ssh/access.conf ---- Create the following file like so: ---- $ cat /etc/ssh/access.conf + : foobar : ALL - : ALL : ALL ---- Now you have a box where the only people who can SSH in *have* to be in the 'foobar' group. Cheers -- Alexander Clouter .sigmonster says: More are taken in by hope than by cunning. -- Vauvenargues
participants (2)
-
Alexander Clouter -
Renke Brausse