proposal for using filter-id attribute for authorization with pam_radius

Renke Brausse rbrausse at gmx.com
Mon Jan 3 18:02:40 CET 2011


Hi list,

We're using a Vasco Identikey server for OTP authentication. Unfortunately the software is rather limited, e.g. it is not possible to define access rules based on groups.

The server is able to perform a RADIUS password challenge but only as "PIN and OTP are correct" - not exactly the kind of authentication I expected... The only way to get something like grouping with this product is out-sourcing to the client: Vasco can add a filter-id attribute to the response; if the client is capable of interpreting such responses it is possible to group users (though with strings on a per-user basis).

As we plan to use the OTP tokens to secure our SSH service I searched for a method to authorize users not only with RADIUS but additionally the feature to check for specific filter-ids in the response - it seems no one has ever implemented such a thing.

Anyway, I extended pam_radius* so it is possible to use filter-ids for authentication - the patches for 1.3.17 are attached.

Would an extension like this be useful for the vanilla release of pam_radius?

Greetings
Renke

*) I am _not_ a programmer, the stuff I changed should be checked/rewritten/used only as concept...

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_radius_auth.c.patch
Type: text/x-patch
Size: 2622 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20110103/2b56537b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pam_radius_auth.h.patch
Type: text/x-patch
Size: 263 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20110103/2b56537b/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: USAGE.patch
Type: text/x-patch
Size: 663 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20110103/2b56537b/attachment-0002.bin>
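
The client-side check proposed in the message above, as an added example: it is not the code from the attached patches (which are not reproduced on this page) and not pam_radius's own code. It walks the attributes of an Access-Accept with bounds checks and authorizes only on an exact Filter-Id match, denying on any malformed packet. Assumptions: the reply has already passed Response Authenticator verification, and the function name, the sample packets and the filter string "ssh-admins" are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RADIUS_HDR_LEN   20  /* code, id, length (2), authenticator (16) */
#define PW_ACCESS_ACCEPT 2
#define PW_FILTER_ID     11  /* RFC 2865, section 5.11 */

/* Constructed sample: Access-Accept with Reply-Message "ok" and
 * Filter-Id "ssh-admins" (authenticator zeroed, not a real capture). */
static const uint8_t sample_accept[] = {
    2, 1, 0, 36, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    18, 4, 'o','k',
    11, 12, 's','s','h','-','a','d','m','i','n','s' };
/* Constructed malformed sample: Filter-Id claims 12 bytes, only 6 remain. */
static const uint8_t sample_truncated[] = {
    2, 1, 0, 26, 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    11, 12, 's','s','h','-' };

/* Hypothetical helper. Returns 1 if the reply carries a Filter-Id equal to
 * `required`, 0 if it does not, -1 if the packet is malformed or is not an
 * Access-Accept. The caller must treat anything other than 1 as "deny".
 * Assumes the Response Authenticator was verified before this is called. */
int filter_id_allows(const uint8_t *pkt, size_t pkt_len, const char *required)
{
    size_t want = strlen(required);
    size_t declared, off;
    int found = 0;

    if (pkt_len < RADIUS_HDR_LEN || pkt[0] != PW_ACCESS_ACCEPT)
        return -1;
    declared = ((size_t)pkt[2] << 8) | pkt[3];
    if (declared < RADIUS_HDR_LEN || declared > pkt_len)
        return -1;

    for (off = RADIUS_HDR_LEN; off < declared; ) {
        if (declared - off < 2)
            return -1;                      /* no room for type + length */
        uint8_t type = pkt[off], len = pkt[off + 1];
        if (len < 2 || len > declared - off)
            return -1;                      /* attribute overruns packet */
        /* Exact match on length and bytes: a prefix must not authorize. */
        if (type == PW_FILTER_ID && (size_t)(len - 2) == want &&
            memcmp(pkt + off + 2, required, want) == 0)
            found = 1;                      /* keep scanning to validate the rest */
        off += len;
    }
    return found;
}

int main(void) { return filter_id_allows(sample_accept, sizeof sample_accept, "ssh-admins") == 1 ? 0 : 1; }
```

Scanning continues after a match so that a malformed trailing attribute still results in a deny rather than a partial-parse accept.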