Hi Everyone. we would like to know if there's a way to reject access to the local users, that's because we discover that if you have a system account you may login on the radius server. I have the teory that if we use the rlm_passwd module we can reject the access to the "local group", I search on the man rlm_passwd file and it has examples of the configuration. The only thing that I don't understand is how radius know which file to check. I mean if I put a file with our group information, how can I tell radius to check that file? I have the group file on the /etc/ and the smbpasswd example on /etc/raddb/modules/ I've checked all the raddb directory files looking for any option without luck. What am I doing wrong? Any advice will be appreciated. Alfonso.
Is the "unix" module uncommented in the authorize section of your configuration? If so, then FreeRADIUS is authenticating the users in the /etc/password file. # # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module in radiusd.conf. # # unix Tim -----Original Message----- From: freeradius-users-bounces+tim.sylvester=networkradius.com@lists.freeradius.or g [mailto:freeradius-users-bounces+tim.sylvester=networkradius.com@lists.freer adius.org] On Behalf Of Alfonso Alejandro Reyes Jiménez Sent: Thursday, June 23, 2011 9:30 PM To: FreeRadius users mailing list Subject: ..::Restrict local users::.. Hi Everyone. we would like to know if there's a way to reject access to the local users, that's because we discover that if you have a system account you may login on the radius server. I have the teory that if we use the rlm_passwd module we can reject the access to the "local group", I search on the man rlm_passwd file and it has examples of the configuration. The only thing that I don't understand is how radius know which file to check. I mean if I put a file with our group information, how can I tell radius to check that file? I have the group file on the /etc/ and the smbpasswd example on /etc/raddb/modules/ I've checked all the raddb directory files looking for any option without luck. What am I doing wrong? Any advice will be appreciated. Alfonso. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
That did the trick. Thanks. El 24/06/2011 12:34 a.m., Tim Sylvester escribió:
Is the "unix" module uncommented in the authorize section of your configuration? If so, then FreeRADIUS is authenticating the users in the /etc/password file.
# # Pull crypt'd passwords from /etc/passwd or /etc/shadow, # using the system API's to get the password. If you want # to read /etc/passwd or /etc/shadow directly, see the # passwd module in radiusd.conf. # # unix
Tim
-----Original Message----- From: freeradius-users-bounces+tim.sylvester=networkradius.com@lists.freeradius.or g [mailto:freeradius-users-bounces+tim.sylvester=networkradius.com@lists.freer adius.org] On Behalf Of Alfonso Alejandro Reyes Jiménez Sent: Thursday, June 23, 2011 9:30 PM To: FreeRadius users mailing list Subject: ..::Restrict local users::..
Hi Everyone.
we would like to know if there's a way to reject access to the local users, that's because we discover that if you have a system account you may login on the radius server.
I have the teory that if we use the rlm_passwd module we can reject the access to the "local group", I search on the man rlm_passwd file and it has examples of the configuration. The only thing that I don't understand is how radius know which file to check.
I mean if I put a file with our group information, how can I tell radius to check that file? I have the group file on the /etc/ and the smbpasswd example on /etc/raddb/modules/
I've checked all the raddb directory files looking for any option without luck.
What am I doing wrong?
Any advice will be appreciated.
Alfonso. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2011/6/24 Alfonso Alejandro Reyes Jiménez <conesh@gmail.com>:
Hi Everyone.
we would like to know if there's a way to reject access to the local users, that's because we discover that if you have a system account you may login on the radius server.
IIRC that's the default setup on most system.
I have the teory that if we use the rlm_passwd module we can reject the access to the "local group", I search on the man rlm_passwd file and it has examples of the configuration. The only thing that I don't understand is how radius know which file to check.
Why don't you just remove/mark out all lines with "passwd", "unix", and "pam" on sites-available/default? One of those three is responsible for allowing access to system users on your server. -- Fajar
participants (3)
-
Alfonso Alejandro Reyes Jiménez -
Fajar A. Nugraha -
Tim Sylvester