proposal for using filter-id attribute for authorization with pam_radius
alex at digriz.org.uk
Mon Jan 3 18:41:29 CET 2011
Renke Brausse <rbrausse at gmx.com> wrote:
> we're using a Vasco Identikey server for OTP authentication.
> Unfortunately the software is rather limited, e.g. it is not possible
> to define access rules based on groups.
...then proxy the request through FreeRADIUS before it gets to your
infernal Vasco Identikey box and have FreeRADIUS make something useful
out of it all.
> As we plan to use the OTP tokens to secure our SSH service I searched
> for a method to authorize users not only with RADIUS but additionally
> the feature to check for specific filter-ids in the response - it
> seems no one has ever implemented such a thing.
Eugh, something I cobbled together in a week at work, a system that
lets you put all your SSH public keys in LDAP without having to patch
Additionally I did a proof-of-concept to myself of an RFC2289 OTP
authentication framework with a perl module hooked into FreeRADIUS.
Worked for SSH (via pam_radius_auth) and I got it working for WPA
Enterprise networks too. It's something I probably will get around to
finishing in July, but if you hire a good perl coder you probably
are looking at only a week's worth of work and I can hand you a code
dump of my work to 'seed' them with (only if the code is then released
> Anyway, I extended pam_radius* so it is possible to use filter-ids for
> authentication - the patches for 1.3.17 are attached.
> Would an extension like this be useful for the vanilla release of
This sort of thing should be sorted out with groups (centrally
maintained via LDAP if you can find the time to go the full distance).
Put the following into /etc/pam.d/sshd:
account required pam_access.so accessfile=/etc/ssh/access.conf
Create the following file like so:
$ cat /etc/ssh/access.conf
+ : foobar : ALL
- : ALL : ALL
Now you have a box where the only people who can SSH in *have* to be in
the 'foobar' group.
.sigmonster says: More are taken in by hope than by cunning.
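A small model of how pam_access evaluates the two access.conf lines quoted above, added here as an example; it is not code from the original mail or from pam_access. It keeps the first-match rule and the ALL keyword, uses a constructed group table in place of /etc/group, and leaves out EXCEPT lists, LOCAL and tty origins.

```python
"""Simplified model of pam_access rule evaluation (added example).
Line format: 'permission : users : origins', first matching line wins.
The group table below is constructed and stands in for /etc/group."""

GROUPS = {
    "foobar": {"alice", "bob"},   # members allowed to SSH in
    "wheel": {"alice"},
}

# The two rules from the mail: permit the 'foobar' group, deny everyone else.
ACCESS_CONF = """\
# comments and blank lines are ignored
+ : foobar : ALL
- : ALL : ALL
"""

def parse_access_conf(text):
    """Return (permit, users, origins) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def _user_matches(item, user, groups):
    # an item is ALL, a user name, or a group the user belongs to
    return item == "ALL" or item == user or user in groups.get(item, set())

def _origin_matches(item, origin):
    return item == "ALL" or item == origin

def is_allowed(user, origin, rules, groups=GROUPS):
    """First rule matching both the user and the origin decides.
    With no matching rule pam_access permits access, which is why the
    trailing '- : ALL : ALL' line is what makes the policy deny by default."""
    for permit, users, origins in rules:
        if any(_user_matches(u, user, groups) for u in users) and \
           any(_origin_matches(o, origin) for o in origins):
            return permit
    return True

if __name__ == "__main__":
    rules = parse_access_conf(ACCESS_CONF)
    for u in ("alice", "carol"):
        print(u, "->", "allowed" if is_allowed(u, "10.0.0.5", rules) else "denied")
```

Dropping the second line and re-running shows the default-permit behaviour: 'carol' then gets in even though she is in no listed group.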