Hi I am researching the possibility of using freeradius/eduroam as authentication backend through PAM for SSH. This far in my research, i have run into a few questions that i cant quite find the correct answer to. Currently i cannot understand if the PAM module is able to handle the password as a hash, or if it is able to use secure communication such as EAP-TLS. Also, as eduroam is a hierarchy of radius servers, where the authentication request is forwarded until it reaches the right server, it requires the credentials are encrypted so only the user and the correct server can "see" them. I do quite understand if this is even possible to achieve from the PAM side of my use case. Can anyone provide some clarification on these cases? My English is not the best, so if my explanations is hard to understand, please let me know, and i will try again. -- Kristoffer Dalby Summer intern Abels gt. 5- Teknobyen NO-7465 Trondheim
On 29 Jun 2015, at 14:20, Kristoffer Dalby <kradalby@kradalby.no> wrote:
Hi
I am researching the possibility of using freeradius/eduroam as authentication backend through PAM for SSH.
Have a look at moonshot http://www.jisc.ac.uk/rd/projects/moonshot https://community.jisc.ac.uk/groups/moonshot Regards Scott Armitage
On 06/29/2015 03:29 PM, Scott Armitage wrote:
Have a look at moonshot
I actually have looked into Moonshot a bit, and the though that it was created because my presented use case is not possible crossed my mind. However, my research of moonshot have resulted in the impression that it is quite early stage and requires a lot of custom patches to get well known software to work with it. In addition OSX is not supported at all which we require in addition to Windows and Linux. Of course correct me if i am wrong, my impressions are based on what seems to be a half-finished wiki with some outdated information. -- Kristoffer Dalby Sommerintern Abels gt. 5- Teknobyen NO-7465 Trondheim
However, my research of moonshot have resulted in the impression that it is quite early stage and requires a lot of custom patches to get well known software to work with it. In addition OSX is not supported at all which we require in addition to Windows and Linux.
Well, it's not *that* early-stage. The only software that requires patches currently is OpenSSH (the server). Using the version of FreeRADIUS that is on the Moonshot repository will give you access to the trust router infrastructure, but you can easily set up an infrastructure that does not rely on TLS (and instead uses UDP), provided you disable some of the functionality (such as channel bindings). But the point of the Moonshot technology is to help guarantee that the institution that accepted the authn request for the user *is* in fact the user's home institution. And unfortunately yes, we had to prioritise certain platforms, but Mac is the next priority because we've had several requests from research collaborations (including a Nordic one) to please make Moonshot available on Mac. :-)
Of course correct me if i am wrong, my impressions are based on what seems to be a half-finished wiki with some outdated information.
The wiki (http://wiki.moonshot.ja.net) is a continual work in progress... If there's a page that doesn't seem to have any information you need, please get in touch with me off-list and I'll be happy to either clarify, assist or refer your request further along :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
Hi,
Have a look at moonshot
..and this is the main WIKI https://wiki.moonshot.ja.net/display/HOME/Home alan
On 29/06/15 14:20, Kristoffer Dalby wrote:
Hi
I am researching the possibility of using freeradius/eduroam as authentication backend through PAM for SSH.
This far in my research, i have run into a few questions that i cant quite find the correct answer to.
Currently i cannot understand if the PAM module is able to handle the password as a hash, or if it is able to use secure communication such as EAP-TLS.
Also, as eduroam is a hierarchy of radius servers, where the authentication request is forwarded until it reaches the right server, it requires the credentials are encrypted so only the user and the correct server can "see" them. I do quite understand if this is even possible to achieve from the PAM side of my use case.
Can anyone provide some clarification on these cases? My English is not the best, so if my explanations is hard to understand, please let me know, and i will try again.
This won't really work. Eduroam "home" sites define which authentication mechanisms their users will use. Those are typically multi-pass challenge-response, tunneled over TLS. PAM doesn't support that kind of exchange, and most PAM apps don't either. Instead, you should investigate the "abfab" IETF WG technologies: https://tools.ietf.org/wg/abfab/ In brief, this is an EAP-over-GSSAPI mechanism which is then passed off to the Eduroam proxy hierarchy; you can then use GSSAPI-for-SSH patches to login over SSH using Eduroam. But plain PAM won't help, AIUI.
On 06/29/2015 03:35 PM, Phil Mayers wrote:
In brief, this is an EAP-over-GSSAPI mechanism which is then passed off to the Eduroam proxy hierarchy; you can then use GSSAPI-for-SSH patches to login over SSH using Eduroam.
Thank you, i have seen the abbreviation, but not actually looked into it. I will start researching this tomorrow, as the workday is finished for now. Thank you. -- Kristoffer Dalby Sommerstudent Abels gt. 5- Teknobyen NO-7465 Trondheim
Hi,
Instead, you should investigate the "abfab" IETF WG technologies:
https://tools.ietf.org/wg/abfab/
In brief, this is an EAP-over-GSSAPI mechanism which is then passed off to the Eduroam proxy hierarchy; you can then use GSSAPI-for-SSH patches to login over SSH using Eduroam.
its not passed over the eduroam proxy heirarchy. its based on using trust-routers for the server-server introductions.... but yes, this is whats needed - and what moonshot offers already. its not just some old pages and half completed wiki - it forms the basis of eg the Assent service from Jisc http://www.jisc.ac.uk/assent and was created BECAUSE it cannot be done via basic RADIUS calls to proper backends (eg challenge response methods or use of TLS certs). moonshot uses FreeRADIUS by the way. .....and yes, no OSX support is very much a big problem for many of us right now alan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Kristoffer Dalby -
Phil Mayers -
Scott Armitage -
Stefan Paetow