On 29/06/15 14:20, Kristoffer Dalby wrote:
Hi
I am researching the possibility of using freeradius/eduroam as authentication backend through PAM for SSH.
This far in my research, i have run into a few questions that i cant quite find the correct answer to.
Currently i cannot understand if the PAM module is able to handle the password as a hash, or if it is able to use secure communication such as EAP-TLS.
Also, as eduroam is a hierarchy of radius servers, where the authentication request is forwarded until it reaches the right server, it requires the credentials are encrypted so only the user and the correct server can "see" them. I do quite understand if this is even possible to achieve from the PAM side of my use case.
Can anyone provide some clarification on these cases? My English is not the best, so if my explanations is hard to understand, please let me know, and i will try again.
This won't really work. Eduroam "home" sites define which authentication mechanisms their users will use. Those are typically multi-pass challenge-response, tunneled over TLS. PAM doesn't support that kind of exchange, and most PAM apps don't either. Instead, you should investigate the "abfab" IETF WG technologies: https://tools.ietf.org/wg/abfab/ In brief, this is an EAP-over-GSSAPI mechanism which is then passed off to the Eduroam proxy hierarchy; you can then use GSSAPI-for-SSH patches to login over SSH using Eduroam. But plain PAM won't help, AIUI.