SSH-login authentication, using Active Directory credentials.
Alan DeKok
aland at deployingradius.com
Fri Jan 25 14:40:49 CET 2008
suraj shankar wrote:
> I understand that pam_radius_auth 'encrypts' the
> password. But if a user has the privileges to change
> the /etc/raddb/server file (and point it to a
> freeradius server), wouldn't he/she be able to siphon
> off the credentials?
Yes.
> Our setup would disallow direct 'root' logins, over
> SSH. However, once the user logs in using his/her
> credentials, they would then be allowed to do a sudo
> or a privilege escalation, thereby opening the
> possibility of a /etc/raddb/server edit.
So... why are you giving people root access if you don't trust them?
> I know worse things can happen with superuser
> privileges; however, I am not worried about the bad that
> can happen to the client machines.
>
> Is there a better way, using radius? Please suggest.
> If this query is a rerun, pointers/references would
> do. Thank you.
Any solution would have exactly the same security issues.
Alan DeKok.