Hi, I am looking for a Linux client side HOW-TO for radius authentication without requiring presence of the login id on client side locally. The following is the authentication scenario I am trying: 1) I have freeRadius server installed on a RedHat Linux machine 2) I would like users logging into other RedHat Linux machines in our network to have their login/passwd authenticated using freeRadius server (for login, su, ssh, telnet, ftp etc. ways of accessing local client machines in the network) 3) I do not want to use LDAP on server or client side 4) I am using PAM and have experimented with pam_radius_auth module without success 5) The problem I am facing is that the login id has also to be defined locally on client Linux machines --- otherwise, for example, the su command fails indicating that the id does not exist (if I create the login id on client locally, then it queries freeRadius server) 6) I do not want to add "ldap" to nsswitch.conf file of client --- just want to stick to radius for now In summary, is there a Linux client side HOW-TO for radius authentication without requiring presence of the login id on client side locally? Regards ... J. C. Desai
Hello, what are you using as backend for freeradius server? If you use LDAP as backend for freeradius, I really do NOT see the need for the use of RADIUS protocol to do authentication for such services ( login, ssh etc ). It would be easier if you implement auth against LDAP directory for such services, and use RADIUS where it can serve the purpose ( full AAA ) ! Regards, Edvin Seferovic _____ From: freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.org [mailto:freeradius-users-bounces+edvin.seferovic=kolp.at@lists.freeradius.or g] On Behalf Of J. C. Desai Sent: Freitag, 01. September 2006 21:34 To: freeradius-users@lists.freeradius.org Subject: HOW-TO for Linux radius client Hi, I am looking for a Linux client side HOW-TO for radius authentication without requiring presence of the login id on client side locally. The following is the authentication scenario I am trying: 1) I have freeRadius server installed on a RedHat Linux machine 2) I would like users logging into other RedHat Linux machines in our network to have their login/passwd authenticated using freeRadius server (for login, su, ssh, telnet, ftp etc. ways of accessing local client machines in the network) 3) I do not want to use LDAP on server or client side 4) I am using PAM and have experimented with pam_radius_auth module without success 5) The problem I am facing is that the login id has also to be defined locally on client Linux machines --- otherwise, for example, the su command fails indicating that the id does not exist (if I create the login id on client locally, then it queries freeRadius server) 6) I do not want to add "ldap" to nsswitch.conf file of client --- just want to stick to radius for now In summary, is there a Linux client side HOW-TO for radius authentication without requiring presence of the login id on client side locally? Regards ... J. C. Desai
J. C. Desai wrote:
I am looking for a Linux client side HOW-TO for radius authentication without requiring presence of the login id on client side locally.
Please no HTML to the list. I already tried to implement a similar setup but never found all the pieces of the puzzle.
5) The problem I am facing is that the login id has also to be defined locally on client Linux machines --- otherwise, for example, the su command fails indicating that the id does not exist (if I create the login id on client locally, then it queries freeRadius server)
Indeed, the missing piece is the libnss-radius. I think you'll have to write your own. I've already looked at it and it's not very hard to do. My tests indicate that you need to implement only 2 functions to get login, xdm, ssh, etc. working on the client machines. enum nss_status _nss_radius_getpwnam_r(const char *name, struct passwd *result, char *buffer, size_t buflen); enum nss_status _nss_radius_getpwuid_r(uid_t uid, struct passwd *result, char *buffer, size_t buflen); More info in the glibc manual: http://www.gnu.org/software/libc/manual/html_node/Name-Service-Switch.html -- Nicolas Baradakis
Nicolas Baradakis <nbk@sitadelle.com> wrote:
My tests indicate that you need to implement only 2 functions to get login, xdm, ssh, etc. working on the client machines.
enum nss_status _nss_radius_getpwnam_r(const char *name, struct passwd *result, char *buffer, size_t buflen); enum nss_status _nss_radius_getpwuid_r(uid_t uid, struct passwd *result, char *buffer, size_t buflen);
I took a look at doing this a few years ago, and got lost in the morass of glibc internals. Apparently PAM can do UID/GID/etc mappings, too, but it's not documented. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (4)
-
Alan DeKok -
J. C. Desai -
Nicolas Baradakis -
Seferovic Edvin