How to secure PAM?

David LePage dwlepage at yahoo.com
Sun Jun 5 08:21:09 CEST 2005


I know others have run into this scenario, and I'm curious how it has been
resolved. 

I have users that may be in two different databases - either a remote
database that utilizes RADIUS (pam_radius_auth.so), or a database that
uses ldap (pam_ldap.so). 

On Linux, my pam.d/sshd looks like:

auth   sufficient   /lib/security/pam_radius_auth.so
auth   required     /lib/security/pam_ldap.so

My problem is as follows... I have some users that should only
authenticate to pam_ldap.so, and others that I want to enforce
authentication at pam_radius_auth.so. 

How do I do it without allowing the users defined on the system, AND in
ldap, to bypass the first module?

What seems to make sense, is that the pam_radius_auth.so module has a flag
to reject authentication IF the user exists on the local system, when the
LDAP user accounts are stored remotely. It would have to check for the
user's existence, and not proceed to the next module. Setting this module
to required doesn't work because some users only reside in LDAP and need to
bounce down to the next module. Any ideas?
D
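One way to express this routing in Linux-PAM, given here as an added example that is not part of the original post: gate the RADIUS module on group membership with pam_succeed_if.so, and use the `[value=action]` control syntax so that a user who is supposed to authenticate via RADIUS can never fall through to pam_ldap.so, whether or not that user also exists in LDAP. The group name `radius-users` is an assumption (any group visible through NSS works); the stack requires a Linux-PAM release that ships pam_succeed_if.so and understands bracketed control values.

```conf
# /etc/pam.d/sshd  (added example; "radius-users" is a hypothetical group name)
#
# 1. If the user is NOT in radius-users, skip the next 1 module (RADIUS) and
#    go straight to LDAP.  If the user IS in radius-users, pam_succeed_if
#    fails, default=ignore discards that result, and evaluation continues
#    to the RADIUS module.
auth  [success=1 default=ignore]  /lib/security/pam_succeed_if.so user notingroup radius-users quiet

# 2. RADIUS users must succeed here.  success=done ends the stack with
#    success; any other result (wrong password, server unreachable) is
#    default=die: the stack ends with failure and pam_ldap.so is never
#    consulted, so a duplicate LDAP account cannot be used as a bypass.
auth  [success=done default=die]  /lib/security/pam_radius_auth.so

# 3. Everyone else authenticates against LDAP.
auth  required                    /lib/security/pam_ldap.so
```

Verify the stack with one account from each population before relying on it: a radius-users member with a wrong RADIUS password should be rejected even if the same password is valid in LDAP, and a non-member should never generate a RADIUS request. Because pam_succeed_if resolves group membership through NSS, keep the radius-users group in a source the gated users cannot modify; if group data also comes from LDAP, make sure those users have no write access to their own group entries.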


		


