proposal for using filter-id attribute for authorization with pam_radius

Alexander Clouter alex at
Mon Jan 3 18:41:29 CET 2011

Renke Brausse <rbrausse at> wrote:
> we're using for OTP authentication a Vasco Identikey server. 
> Unfortunately the software is rather limited, e.g. it is not possible 
> to define access rules based on groups.
...then proxy the request through FreeRADIUS before it gets to your 
infernal Vasco Identikey box and have FreeRADIUS make something useful 
out of it all.
> As we plan to use the OTP tokens to secure our SSH service I searched 
> for a method to authorize users not only with RADIUS but additionally 
> the feature to check for specific filter-ids in the response - it 
> seems no one has ever implemented such a thing.
Eugh, something I cobbled together in a week at work, a system that 
lets you put all your SSH public keys in LDAP without having to patch 

Additionally I did a proof-of-concept to myself of an RFC2289 OTP 
authentication framework with a perl module hooked into FreeRADIUS.  
Worked for SSH (via pam_radius_auth) and I got it working for WPA 
Enterprise networks too.  It's something I probably will get around to 
finishing in July, but if you hire a good perl coder you probably 
are looking at only a week's worth of work and I can hand you a code 
dump of my work to 'seed' them with (only if the code is then released 
afterwards GPLed).
> Anyway, I extended pam_radius* so it is possible to use filter-ids for 
> authentication - the patches for 1.3.17 are attached.
> Would an extension like this be useful for the vanilla release of 
> pam_radius?
This sort of thing should be sorted out with groups (centrally 
maintained via LDAP if you can find the time to go the full distance).  
Put the following into /etc/pam.d/sshd:
account  required pam_access.so accessfile=/etc/ssh/access.conf

Create the following file like so:
$ cat /etc/ssh/access.conf
+ : foobar : ALL
- : ALL : ALL

Now you have a box where the only people who can SSH in *have* to be in 
the 'foobar' group.


Alexander Clouter
.sigmonster says: More are taken in by hope than by cunning.
                  		-- Vauvenargues
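To make the semantics of the access.conf shown above concrete, here is an added example (not part of the original mail, and not pam_access's own code) that parses a pam_access-style file and evaluates a request the way the module does: rules are checked top to bottom, the first matching rule decides, and a request that matches no rule is permitted, which is exactly why the file ends with a catch-all `- : ALL : ALL` deny line. The user's group list is passed in explicitly rather than looked up from the system so the example runs offline; the sample file and the user/group data are constructed for illustration.

```python
"""Evaluate pam_access-style access.conf rules (added illustration, not pam_access itself).

Each non-comment line has the form   permission : users : origins
  permission  '+' grants, '-' denies
  users       comma/space separated user names, group names, '(group)' or ALL
  origins     comma/space separated origins (host, tty, ...) or ALL
Rules are evaluated top to bottom; the first matching rule decides.
If no rule matches, access is permitted (pam_access behaviour), so a
restrictive file must end with an explicit '- : ALL : ALL' deny line.
Simplification (assumption): origins are matched literally or as ALL;
network/netmask and LOCAL forms of real pam_access are not implemented.
"""
from dataclasses import dataclass


@dataclass
class Rule:
    permit: bool
    users: list[str]
    origins: list[str]


def _split(field: str) -> list[str]:
    # pam_access accepts comma- or space-separated lists in each field
    return field.replace(",", " ").split()


def parse_access_conf(text: str) -> list[Rule]:
    """Parse access.conf text into an ordered list of rules."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        perm, users, origins = fields
        rules.append(Rule(perm == "+", _split(users), _split(origins)))
    return rules


def _user_matches(tok: str, user: str, groups: set[str]) -> bool:
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):  # explicit group syntax
        return tok[1:-1] in groups
    return tok == user or tok in groups  # bare token: user name, then group name


def _origin_matches(tok: str, origin: str) -> bool:
    return tok == "ALL" or tok == origin


def is_permitted(rules: list[Rule], user: str, groups: set[str], origin: str) -> bool:
    """First matching rule wins; no match means permit, as in pam_access."""
    for rule in rules:
        if any(_user_matches(t, user, groups) for t in rule.users) and any(
            _origin_matches(t, origin) for t in rule.origins
        ):
            return rule.permit
    return True


# Constructed sample: the file from the mail above.
ACCESS_CONF = """\
+ : foobar : ALL
- : ALL : ALL
"""

# Same two rules in the wrong order: the deny line now shadows the grant.
ACCESS_CONF_REVERSED = """\
- : ALL : ALL
+ : foobar : ALL
"""


def check_sample(user: str, groups: set[str], conf: str = ACCESS_CONF) -> bool:
    return is_permitted(parse_access_conf(conf), user, groups, origin="10.0.0.5")


if __name__ == "__main__":
    # constructed users: alice is in foobar, bob is not
    print("alice:", check_sample("alice", {"users", "foobar"}))
    print("bob:  ", check_sample("bob", {"users"}))
    print("alice, reversed file:", check_sample("alice", {"foobar"}, ACCESS_CONF_REVERSED))
```

The reversed file is the mistake to watch for when reviewing such configurations: because evaluation stops at the first match, a `- : ALL : ALL` line placed first denies everyone, and a file with no catch-all deny permits anyone the earlier lines do not mention.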

More information about the Freeradius-Devel mailing list