Ignore privileged users in PAM_RADIUS auth
Hello all, I'm developing PAM policy for a server in which my organization doesn't have control of the RADIUS infrastructure. This particular system is using the RADIUS PAM module only for authentication purposes -- an account must be present on the system in order for a login to be successful. The users of this system must never have access to two accounts -- one we'll call 'system' the other is 'root'. The PAM configuration has 'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a RADIUS administrator adds an account for 'root' or 'system' in the RADIUS infrastructure, the user will then get unauthorized "root" or "system" access. Has anyone on the list encountered a similar issue? After inspecting the RADIUS PAM module code, it appears that there aren't any hooks for disabling RADIUS auth for certain users. This appears to be a rather trivial feature to implement, if I add this functionality to the module, is there any interest in my patch? Any other ideas? Thanks!
Bob Probert wrote:
Has anyone on the list encountered a similar issue? After inspecting the RADIUS PAM module code, it appears that there aren't any hooks for disabling RADIUS auth for certain users.
From what I know of PAM, that can be done via the policy rules in PAM.
This appears to be a rather trivial feature to implement, if I add this functionality to the module, is there any interest in my patch? Any other ideas?
I'd prefer to keep it outside of the module, and in the PAM config. Alan DeKok.
this is pam related configuration.. take look of this example: # Prevent the following 1 rule from applying to root auth [default=1 success=ignore] pam_succeed_if.so uid > 0 # Configure PAM to use RADIUS with possible to local fallback, only if radius/proxy server is down.. auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown 2014-05-14 21:43 GMT+03:00 Bob Probert <bruisebrotherprobert@gmail.com>:
Hello all,
I'm developing PAM policy for a server in which my organization doesn't have control of the RADIUS infrastructure. This particular system is using the RADIUS PAM module only for authentication purposes -- an account must be present on the system in order for a login to be successful.
The users of this system must never have access to two accounts -- one we'll call 'system' the other is 'root'. The PAM configuration has 'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a RADIUS administrator adds an account for 'root' or 'system' in the RADIUS infrastructure, the user will then get unauthorized "root" or "system" access.
Has anyone on the list encountered a similar issue? After inspecting the RADIUS PAM module code, it appears that there aren't any hooks for disabling RADIUS auth for certain users. This appears to be a rather trivial feature to implement, if I add this functionality to the module, is there any interest in my patch? Any other ideas?
Thanks!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Eero and Alan, this is exactly the information I was looking for. I had a feeling that a new "feature" wasn't going to be necessary, thanks for the confirmation. On Wed, May 14, 2014 at 12:05 PM, Eero Volotinen <eero.volotinen@iki.fi>wrote:
this is pam related configuration..
take look of this example:
# Prevent the following 1 rule from applying to root auth [default=1 success=ignore] pam_succeed_if.so uid > 0 # Configure PAM to use RADIUS with possible to local fallback, only if radius/proxy server is down.. auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown
2014-05-14 21:43 GMT+03:00 Bob Probert <bruisebrotherprobert@gmail.com>:
Hello all,
I'm developing PAM policy for a server in which my organization doesn't have control of the RADIUS infrastructure. This particular system is using the RADIUS PAM module only for authentication purposes -- an account must be present on the system in order for a login to be successful.
The users of this system must never have access to two accounts -- one we'll call 'system' the other is 'root'. The PAM configuration has 'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a RADIUS administrator adds an account for 'root' or 'system' in the RADIUS infrastructure, the user will then get unauthorized "root" or "system" access.
Has anyone on the list encountered a similar issue? After inspecting the RADIUS PAM module code, it appears that there aren't any hooks for disabling RADIUS auth for certain users. This appears to be a rather trivial feature to implement, if I add this functionality to the module, is there any interest in my patch? Any other ideas?
Thanks!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Bob Probert -
Eero Volotinen