create SSH accounts using RADIUS pam
I use the REST module of RADIUS to validate login requests (username & password). Now I would like my users to be able to login to some servers using SSH. Their accounts should be all very unprivileged (just for SSH tunneling). After setting up the pam sshd module I recognized the login would be only possible by creating a new user with an empty password by using: adduser testuser on the server. Is there a way to prevent this and allow users to login in case of RADIUS accepted their username & password. I already searched for this problem: http://serverfault.com/questions/567628/authenticate-radius-user-using-pam-a... Setting up ldap would be a bit too much for this I think, isn’t there an easier way? All the best;
On Sep 5, 2016, at 10:29 AM, Janis Heller <janis.heller@outlook.de> wrote:
I use the REST module of RADIUS to validate login requests (username & password). Now I would like my users to be able to login to some servers using SSH. Their accounts should be all very unprivileged (just for SSH tunneling). After setting up the pam sshd module I recognized the login would be only possible by creating a new user with an empty password by using:
adduser testuser
on the server. Is there a way to prevent this and allow users to login in case of RADIUS accepted their username & password.
See the PAM and NSS documentation. This is really outside of FreeRADIUS.
I already searched for this problem:
http://serverfault.com/questions/567628/authenticate-radius-user-using-pam-a...
Setting up ldap would be a bit too much for this I think, isn’t there an easier way?
No. I took a look at writing an nss_radius plugin years ago. It wasn't simple. NSS made PAM look sane. Alan DeKok.
After some rethinking, it would be possible to use REST for auth and for accounting ldap? Because rest would not be able to return the needed informations for account? All the best; Am 5. September 2016 16:39:00 MESZ, schrieb Alan DeKok <aland@deployingradius.com>: On Sep 5, 2016, at 10:29 AM, Janis Heller <janis.heller@outlook.de> wrote: I use the REST module of RADIUS to validate login requests (username & password). Now I would like my users to be able to login to some servers using SSH. Their accounts should be all very unprivileged (just for SSH tunneling). After setting up the pam sshd module I recognized the login would be only possible by creating a new user with an empty password by using: adduser testuser on the server. Is there a way to prevent this and allow users to login in case of RADIUS accepted their username & password. See the PAM and NSS documentation. This is really outside of FreeRADIUS. I already searched for this problem: http://serverfault.com/questions/567628/authenticate-radius-user-using-pam-a... Setting up ldap would be a bit too much for this I think, isn’t there an easier way? No. I took a look at writing an nss_radius plugin years ago. It wasn't simple. NSS made PAM look sane. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Sep 5, 2016, at 11:30 AM, Janis Heller <janis.heller@outlook.de> wrote:
After some rethinking, it would be possible to use REST for auth and for accounting ldap? Because rest would not be able to return the needed informations for account?
I think you're asking the entirely wrong question. The PAM "account" functionality has nothing to do with the RADIUS "accounting" functionality. You cannot get UID / GID information to a Linux system via PAM and then RADIUS accounting packets. You MUST configure a local user. Either on disk, or through some other NSS module. Alan DeKok.
You could use some pam modules that can create homedirectory? 5.9.2016 5.30 ip. "Janis Heller" <janis.heller@outlook.de> kirjoitti:
I use the REST module of RADIUS to validate login requests (username & password). Now I would like my users to be able to login to some servers using SSH. Their accounts should be all very unprivileged (just for SSH tunneling). After setting up the pam sshd module I recognized the login would be only possible by creating a new user with an empty password by using:
adduser testuser
on the server. Is there a way to prevent this and allow users to login in case of RADIUS accepted their username & password. I already searched for this problem:
http://serverfault.com/questions/567628/authenticate- radius-user-using-pam-and-ssh
Setting up ldap would be a bit too much for this I think, isn’t there an easier way?
All the best; - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Would I only neeed to create a homedirectory or is there more I need to do to be able to login with radius login details? -Isn't there a way to use REST for accounting (I don't use accounting section in radius at the moment) too? Regards; Am 5. September 2016 17:52:22 MESZ, schrieb Eero Volotinen <eero.volotinen@iki.fi>: You could use some pam modules that can create homedirectory? 5.9.2016 5.30 ip. "Janis Heller" <janis.heller@outlook.de> kirjoitti: I use the REST module of RADIUS to validate login requests (username & password). Now I would like my users to be able to login to some servers using SSH. Their accounts should be all very unprivileged (just for SSH tunneling). After setting up the pam sshd module I recognized the login would be only possible by creating a new user with an empty password by using: adduser testuser on the server. Is there a way to prevent this and allow users to login in case of RADIUS accepted their username & password. I already searched for this problem: http://serverfault.com/questions/567628/authenticate- radius-user-using-pam-and-ssh Setting up ldap would be a bit too much for this I think, isn’t there an easier way? All the best; - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Would I only neeed to create a homedirectory or is there more I need to do to be able to login with radius login details? -Isn't there a way to use REST for accounting (I don't use accounting section in radius at the moment) too?
You should be able to override the default REST policy by calling it like so: rest.authorize (to call the authorize section of a REST module) :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Would I need to override the authorize or the account section? Currently I only use the authentication section (I only use radius to validate if username/password are correct at the moment). All the best; Am 5. September 2016 18:36:38 MESZ, schrieb Stefan Paetow <Stefan.Paetow@jisc.ac.uk>: Would I only neeed to create a homedirectory or is there more I need to do to be able to login with radius login details? -Isn't there a way to use REST for accounting (I don't use accounting section in radius at the moment) too? You should be able to override the default REST policy by calling it like so: rest.authorize (to call the authorize section of a REST module) :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk<http://jisc.ac.uk> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
you can look at http://puszcza.gnu.org.ua/projects/pam-modules Eero Volotinen <eero.volotinen@iki.fi> wrote: > You could use some pam modules that can create homedirectory? > > 5.9.2016 5.30 ip. "Janis Heller" <janis.heller@outlook.de> kirjoitti: > > > I use the REST module of RADIUS to validate login requests (username & > > password). > > Now I would like my users to be able to login to some servers using SSH. > > Their accounts should be all very unprivileged (just for SSH tunneling). > > After setting up the pam sshd module I recognized the login would be only > > possible by creating a new user with an empty password by using: > > > > adduser testuser > > > > on the server. Is there a way to prevent this and allow users to login in > > case of RADIUS accepted their username & password. > > I already searched for this problem: > > > > http://serverfault.com/questions/567628/authenticate- > > radius-user-using-pam-and-ssh > > > > Setting up ldap would be a bit too much for this I think, isn’t there an > > easier way? > > > > All the best; > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/ > > list/users.html > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)
participants (5)
-
Alan DeKok -
Eero Volotinen -
Janis Heller -
Stefan Paetow -
Zeus Panchenko