SSH-login authentication, using Active Directory credentials.

suraj shankar surajvshankar at yahoo.com
Fri Jan 25 13:50:01 CET 2008


Hi;
  For a long time now, I have been trying to unify the
login credentials, in a heterogeneous environment.
While I am aware of the few available options, I have
decided against them, for varied reasons.

In the last few days, I have been able to produce the
effect which I desired, using pam_radius_auth and IAS.
All is well, and I am able to SSH-login using my
Active Directory login credentials.

  But before I take this to production, I would like
to know if this approach is safe - the IAS setting
that works says "Unencrypted authentication (PAP)".
From here
http://lists.cistron.nl/pipermail/freeradius-users/2006-July/055010.html,
I understand that pam_radius_auth 'encrypts' the
password. But if a user has the privileges to change
the /etc/raddb/server file (and point it to a
freeradius server), wouldn't he/she be able to siphon
off the credentials?

Our setup would disallow direct 'root' logins over
SSH. However, once the user logs in using his/her
credentials, they would then be allowed to do a sudo
or a privilege escalation, thereby opening the
possibility of a /etc/raddb/server edit.
I know worse things can happen with superuser
privileges; however, I am not worried about the bad that
can happen to the client machines.

Is there a better way, using radius? Please suggest.
If this query is a rerun, pointers/references would
do. Thank you.

Regards,
suraj.


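The "encryption" that pam_radius_auth applies to a PAP password is the RFC 2865 User-Password hiding: MD5(shared secret + Request Authenticator) XORed over the password in chained 16-byte blocks. The Request Authenticator travels in the clear, so the only thing protecting the password is the shared secret, and that secret sits in /etc/raddb/server next to the server address. The following Python is an added illustration of exactly the worry raised in the post; it is not code from the poster, from pam_radius_auth or from FreeRADIUS. The server name `ias.example.corp`, the secret `s3cr3t-shared` and the sample passwords are constructed for the example. It parses a file in the pam_radius_auth `server secret timeout` format, hides a password the way the client does, then shows that a server holding the same secret (a rogue one the user pointed the file at, or anyone who merely read the file) recovers it, while a passive observer without the secret does not.

```python
"""RFC 2865 User-Password hiding as used by pam_radius_auth for PAP.

Added example (not pam_radius_auth or FreeRADIUS code).  The host, secret
and passwords below are constructed for the demonstration.
"""
import hashlib
import os


def parse_raddb_server(text):
    """Parse the /etc/raddb/server format used by pam_radius_auth:
    one 'server[:port] secret [timeout]' entry per line, '#' starts a comment.
    Returns a list of (server, secret_bytes) tuples in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed /etc/raddb/server line: %r" % line)
        entries.append((fields[0], fields[1].encode()))
    return entries


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: build the User-Password attribute value.
    Pad the password with NULs to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous block), seeded by the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    pw = password.encode()
    if len(pw) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = pw + b"\x00" * (-len(pw) % 16) if pw else b"\x00" * 16
    out = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block          # chaining uses the ciphertext block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password: what every RADIUS server that holds the
    shared secret does on receipt of an Access-Request."""
    out = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")


# Constructed /etc/raddb/server; the host and secret are made up for this example.
RADDB_SERVER = """\
# server[:port]       shared secret      timeout
ias.example.corp      s3cr3t-shared      3
"""


def rogue_server_demo(password, raddb_text=RADDB_SERVER):
    """Simulate the scenario in the post.

    The client (pam_radius_auth) hides the password with the secret it read
    from /etc/raddb/server and sends it, with the Request Authenticator in
    the clear, to whatever host that file names.  Returns a tuple of
    (what the addressed server recovers, what a sniffer without the secret gets).
    """
    _server, secret = parse_raddb_server(raddb_text)[0]
    authenticator = os.urandom(16)              # visible on the wire
    attr = hide_password(password, secret, authenticator)
    # The host named in the file holds the same secret, so it recovers the
    # password whether it is the real IAS box or one the local user put there.
    at_server = reveal_password(attr, secret, authenticator)
    # A passive observer sees authenticator and attr but not the secret.
    on_wire = reveal_password(attr, b"not-the-secret", authenticator)
    return at_server, on_wire


if __name__ == "__main__":
    got, leaked = rogue_server_demo("Hunter2!")
    print("addressed server recovers:", repr(got))
    print("sniffer without secret sees:", repr(leaked))
```

The practical consequence is the one the post suspects: the hiding defeats a passive sniffer who lacks the secret, but not anyone who can read or rewrite /etc/raddb/server. Since the file must be readable by the PAM module, a user with sudo has both the secret and the ability to redirect the client, so other users' Active Directory passwords typed at that host are recoverable by that user.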



More information about the Freeradius-Users mailing list