SSH-login authentication, using Active Directory credentials.
Hi; For a long time now, I have been trying to unify the login credentials, in a heterogeneous environment. While I am aware of the few available options, I have decided against them, for varied reasons. In the last few days, I have been able to produce the effect which I desired, using pam_radius_auth and IAS. All is well, and I am able to SSH-login using my Active directory login credentials. But before I take this to production, I would like to know if this approach is safe - the IAS setting that works says "Unencrypted authentication (PAP)".
From here http://lists.cistron.nl/pipermail/freeradius-users/2006-July/055010.html, I understand that pam_radius_auth 'encrypts' the password. But if a user has the privileges to change the /etc/raddb/server file (and point it to a freeradius server), wouldn't he/she be able to siphon off the credentials?
Our setup would disallow direct 'root' logins, over SSH. However, once the user logs in using his/her credentials, they would then be allowed to do a sudo or a privileges escalation. Thereby, opening the possibility of a /etc/raddb/server edit. I know worse things can happen with superuser privileges; however, I am not worried of the bad that can happen to the client machines. Is there a better way, using radius? Please suggest. If this query is a rerun, pointers/references would do. Thank you. Regards, suraj. ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
--- tnt@kalik.co.yu wrote:
Is there a better way, using radius?
No. Once user is authenticated radius has nothing to do with them (you say that they can increase privileges after authentication). Can't you put them in jail. Yeah, I would eventually do that, if there is no 'better way'. But usually the App. administrators complain that they are crippled by insufficient privileges. So I am looking for something more creative ... :) And so, what I really meant by a 'better way' was like a way to tell pam_radius_auth, to use a certificate instead of a PSK! ... or something like that ...
Hey, but thanks Ivan, for the suggestion - will lock them up, if I can't find a better way! Regards, suraj. ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
suraj shankar wrote:
I understand that pam_radius_auth 'encrypts' the password. But if a user has the privileges to change the /etc/raddb/server file (and point it to a freeradius server), wouldn't he/she be able to siphon off the credentials?
Yes.
Our setup would disallow direct 'root' logins, over SSH. However, once the user logs in using his/her credentials, they would then be allowed to do a sudo or a privileges escalation. Thereby, opening the possibility of a /etc/raddb/server edit.
So... why are you giving people root access if you don't trust them?
I know worse things can happen with superuser privileges; however, I am not worried of the bad that can happen to the client machines.
Is there a better way, using radius? Please suggest. If this query is a rerun, pointers/references would do. Thank you.
Any solution would have exactly the same security issues. Alan DeKok.
--- Alan DeKok <aland@deployingradius.com> wrote:
Any solution would have exactly the same security issues. Yes; I can understand and appreciate that. Thanks, Alan.
Regards, suraj. ____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
Suraj, You're better of kerberizing your unix environment and join them with AD. this way your can have a fully single sign on environment. including samba file share without entering username and passwords. This is what you need to do. 1) install SFU3.5 on all your DC's 2) install openldap and mit kerberos on all your linux boxen 3) install samba 4) use samba "net join " command to add your host to AD 5) install kerberized putty done, enjoy On Jan 25, 2008 7:57 AM, suraj shankar <surajvshankar@yahoo.com> wrote:
--- Alan DeKok <aland@deployingradius.com> wrote:
Any solution would have exactly the same security issues. Yes; I can understand and appreciate that. Thanks, Alan.
Regards, suraj.
____________________________________________________________________________________ Looking for last minute shopping deals? Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Donny Jekels -
suraj shankar -
tnt@kalik.co.yu