Sorry for the spam, but.. I forgot a part in my current "user add" process: I then have to have the user login via SSH (after having them download Putty) so that they can change their password. Then, I have to disallow them access to SSH (because they shouldn't be logging directly into the servers). On Fri, Sep 5, 2008 at 10:41 PM, Jesse Stone <jstone1999@gmail.com> wrote:
Would Freeradius be the correct technology for this?
For example,
Currently, for me to allow someone access to my OpenVPN server and Samba I have to first add them as a standard user with the useradd script. Then I have use smbpasswd -e to enable their account for Samba. If I wanted that user to also be able to SSH into another server I would have to repeat this process. After about 3 users I forgot who has access to what. This is the process I want to simply. I want 1 place/script that prompts for every app/server that I want to restrict access to: Samba, SSH, Shell access, X, ect. I want this infromation stored in a standard SQL type database though so I can easilly manipulate users once they've been created on the fly. Perferrably within 1 table like a provided in my last email for an example simple user management style.
What do large companies that have many users/linux machines use to handle user administration?
-Jesse
On Fri, Sep 5, 2008 at 5:30 PM, Edvin Seferovic <edvin.seferovic@kolp.at>wrote:
It is a tricky concept, but it can be done with a lot of effort. Probably not for all applications ( since it doesn't make any sense for some of them ). Maybe you should consider making a real network DMZ. The concept of DMZ allows you to define and allow/disallow access to services from the Internet and those from the local LAN. You DO NOT make things or services available "to the DMZ" !
Start simple !
Regards,
E:S
*From:* freeradius-users-bounces+edvin.seferovic=kolp.at@ lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic<freeradius-users-bounces%2Bedvin.seferovic> =kolp.at@lists.freeradius.org] *On Behalf Of *Jesse Stone *Sent:* Samstag, 06. September 2008 01:50 *To:* FreeRadius users mailing list *Subject:* Re: Freeradius Usage
Thank you for the quick response. I may not have mentioned this previously but I am by no means a linux/networking expert. The company I work for is pro-MS. Recently, I got the urge to get back into Linux and here I am.
My thinking (in regards to network structure) was that I wanted applications intended to the public as far away from my local lan as posible. The local lan requires the app server though- OpenVPN, Samba (as a PDC), misc other things so I wanted it available to the local lan but not to the DMZ.
My main questions though are with Freeradius. My setup is for "hobby" purposes only and already I would have difficulty telling you exactly which users have access to what.
I want to using a technology like Freeradius or LDAP create 1 central place on the app server that EVERYTHING would authenication to. In a perfect world, the end result would be that I could type something like this:
select %user% from permissionsDB
and be returned something like this:
SSH: NO, OpenVPN: YES, Samba: %Specific group% (which indicates shares available), Shell Access: No, ect
Basically, I want a setup where I can easilly scale upwards without having to "teach" each new application how to use a DB. Freeradious also can authenicate my wireless users when would also be great as for all I know, half my bandwidth is being used by my neighbors.
-Jesse
On Fri, Sep 5, 2008 at 4:34 PM, Edvin Seferovic <edvin.seferovic@kolp.at> wrote:
Hi,
excuse me for asking, but why dont you set up the AppServer in your DMZ ? you could have ( what I call ) the T – structure
< --- INTERNET --> GATEWAY ( server1 ) <---> LOCAL LAN
I
I DMZ
I
SERVER2 + APPServer
It depends how your users use the gateway and how are they suppose to connect to the Internet.
Regards,
E:S
*From:* freeradius-users-bounces+edvin.seferovic=kolp.at@ lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic<freeradius-users-bounces%2Bedvin.seferovic> =kolp.at@lists.freeradius.org] *On Behalf Of *Jesse Stone *Sent:* Samstag, 06. September 2008 01:25 *To:* FreeRadius users mailing list *Subject:* Freeradius Usage
Hi All,
I am new to this mailing list and am about to ask a probably very silly question. Please feel free to direct me to resources that'll help me answer them.
I want to setup the following:
Gateway [server1]
- nic1 = Internet
- nic2 = DMZ [server2]
- nic3 = Router w/ Wireless -> App Server [Server3] (FREERADIUS SERVER HERE) -> Local Lan
I read a lot about both Freeradius and LDAP and cannot determine if either can accomplish my goals.
What I want is:
1) 1 central place where all user authenication takes place: SSH, Shell Access, Samba, OpenVPN, Mumble, Any other app that requires user administration.
2) This information stored in a SQL type database so that I can build my own custom apps to report on user usage, performance ect.
3) My router has wireless and I have enabled the security features. I would still like authenication to take place before a wireless user is allowed on the network.
For example,
Currently, I have this: Router w/ Wireless -> App Server [Server3] + Local Lan
I want this: Router w/ Wireless -> App Server [Server3] -> Local Lan
Is Freeradius the best approach for my needs? Do I need anything else?
-Jesse
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html