proposal for using filter-id attribute for authorization with pam_radius

Alexander Clouter alex at digriz.org.uk
Mon Jan 3 18:41:29 CET 2011


Renke Brausse <rbrausse at gmx.com> wrote:
> 
> we're using for OTP authentication a Vasco Identikey server. 
> Unfortunately the software is rather limited, e.g. it is not possible 
> to define access rules based on groups.
>
...then proxy the request through FreeRADIUS before it gets to your 
infernal Vasco Identikey box and have FreeRADIUS make something useful 
out of it all.
 
> As we plan to use the OTP tokens to secure our SSH service I searched 
> for a method to authorize users not only with RADIUS but additionally 
> the feature to check for specific filter-ids in the response - it 
> seems no one has ever implemented such a thing.
>
Eugh, something I cobbled together in a week at work, a system that 
lets you put all your SSH public keys in LDAP without having to patch 
OpenSSH:
<selfless-self-promo>
http://www.digriz.org.uk/lpkfuse
</selfless-self-promo>

Additionally I did a proof-of-concept to myself of an RFC2289 OTP 
authentication framework with a perl module hooked into FreeRADIUS.  
Worked for SSH (via pam_radius_auth) and I got it working for WPA 
Enterprise networks too.  It's something I probably will get around to 
finishing in July, but if you hire a good perl coder you probably 
are looking at only a week's worth of work and I can hand you a code 
dump of my work to 'seed' them with (only if the code is then released 
afterwards GPLed).
 
> Anyway, I extended pam_radius* so it is possible to use filter-ids for 
> authentication - the patches for 1.3.17 are attached.
> 
> Would an extension like this be useful for the vanilla release of 
> pam_radius?
>
This sort of thing should be sorted out with groups (centrally 
maintained via LDAP if you can find the time to go the full distance).  
Put the following into /etc/pam.d/sshd:
----
account  required     pam_access.so accessfile=/etc/ssh/access.conf
----

Create the following file like so:
----
$ cat /etc/ssh/access.conf
+ : foobar : ALL
- : ALL : ALL
----

Now you have a box where the only people who can SSH in *have* to be in 
the 'foobar' group.

Cheers

-- 
Alexander Clouter
.sigmonster says: More are taken in by hope than by cunning.
                  		-- Vauvenargues
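An added example, not code from the mail above or from the pam_access module itself: a small offline simulator of how pam_access evaluates an access.conf like the one suggested, so the policy can be checked against a few (user, groups) pairs before it is wired into /etc/pam.d/sshd. It models the subset used here (the "+"/"-" permission, ALL, bare user/group names and the "(group)" form); EXCEPT lists, LOCAL, netgroups and user@host patterns are rejected rather than guessed at. The sample access.conf text, the user names and the group sets are constructed for the example; the first-match and default-allow behaviour follows the Linux-PAM pam_access documentation as I read it.

```python
# Added example (not from the mail): simulate pam_access first-match
# evaluation of a small /etc/ssh/access.conf so a policy can be tested
# offline. Only "+"/"-" rules, ALL, bare names and "(group)" are modelled.

# Constructed sample: the policy from the mail, plus a comment line.
SAMPLE_ACCESS_CONF = """\
# only members of group foobar may log in, from any origin
+ : foobar : ALL
- : ALL : ALL
"""

# Tokens with pam_access semantics this simulator does not implement.
UNSUPPORTED = {"EXCEPT", "LOCAL"}


def parse_access_conf(text):
    """Return a list of (allow, user_items, origin_items) in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        perm, users, origins = fields
        user_items, origin_items = users.split(), origins.split()
        for item in user_items + origin_items:
            # netgroups (@grp) and user@host forms are deliberately not modelled
            if item in UNSUPPORTED or "@" in item:
                raise ValueError(f"line {lineno}: {item!r} not modelled here")
        rules.append((perm == "+", user_items, origin_items))
    return rules


def _user_matches(item, user, groups):
    # ALL matches everyone; "(grp)" is group-only; a bare name matches
    # either a user of that name or a group the user belongs to.
    if item == "ALL":
        return True
    if item.startswith("(") and item.endswith(")"):
        return item[1:-1] in groups
    return item == user or item in groups


def _origin_matches(item, origin):
    # Only ALL and an exact host/address string are modelled.
    return item == "ALL" or item == origin


def is_allowed(rules, user, groups, origin="10.0.0.5"):
    """First matching rule decides; if no rule matches, pam_access allows."""
    for allow, user_items, origin_items in rules:
        if any(_user_matches(u, user, groups) for u in user_items) and \
           any(_origin_matches(o, origin) for o in origin_items):
            return allow
    return True


if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    # constructed accounts: alice is in foobar, bob is not
    for user, groups in (("alice", {"users", "foobar"}), ("bob", {"users"})):
        print(user, "allowed" if is_allowed(rules, user, groups) else "denied")
```

Two things the simulator makes visible that are easy to miss when writing the file by hand: pam_access grants access when no line matches, so the trailing "- : ALL : ALL" is what turns the file into a whitelist rather than a no-op; and a bare token such as "foobar" is matched against the login name before group membership, so a local account literally called foobar would also get in. Writing the token as "(foobar)" (or passing nodefgroup to the module) forces the group interpretation. For the LDAP-maintained group the mail suggests, the membership also has to be visible to NSS on the box (getent group foobar), or pam_access will never see it.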
More information about the Freeradius-Devel mailing list