Second SSH with Freeradius based authentication

Alexander Clouter alex at digriz.org.uk
Sat Feb 12 12:25:30 CET 2011


Marius.Meisner <marius.meisner at googlemail.com> wrote:
> 
> I am not close with RE, but in Debian you may need the package
> libpam-radius-auth. I have chosen the way over PAM Module to communicate
> between radius and sshd. So you may configure files like /etc/pam.d/sshd
> - if it's the same under RE.
> 
TBH, a situation where you run more than one SSH instance on a single 
box generally means something is not right.

To fold things back into a single daemon, I would just do something 
like the following:
----
auth       sufficient pam_unix.so
auth       sufficient pam_radius_auth.so
auth       required   pam_opie.so   # last one should be 'required'
----

However, to be honest, no-one should be using pam_unix.so in this 
day and age for SSH.  Arguably you probably should not back SSH logins 
with any username/password auth.  So, as I am one never to pass on the 
opportunity of shameless self promotion, I recommend putting your SSH 
public keys in LDAP:

http://www.digriz.org.uk/lpkfuse

Cheers

-- 
Alexander Clouter
.sigmonster says: "The Schizophrenic: An Unauthorized Autobiography"
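
An added example, not part of the original message: a simplified Python model of how Linux-PAM resolves the control flags in the three-line stack above, enumerating which module results end in a granted login. The names `STACK`, `evaluate` and `outcomes` are hypothetical, and only the classic flags (required, requisite, sufficient, optional) are modelled.

```python
from itertools import product

# The stack from the message above as (control flag, module) pairs.
STACK = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_radius_auth.so"),
    ("required", "pam_opie.so"),
]


def evaluate(stack, results):
    """Simplified Linux-PAM flag model; returns (granted, modules_run).

    `results` maps module name -> True (success) / False (failure).
    Only required, requisite, sufficient and optional are modelled.
    """
    required_failed = False
    any_success = False
    ran = []
    for control, module in stack:
        ok = results[module]
        ran.append(module)
        if control == "sufficient":
            if ok and not required_failed:
                return True, ran  # success here skips the rest of the stack
            # a failed 'sufficient' module is ignored and the stack continues
        elif control == "requisite" and not ok:
            return False, ran  # failure here aborts the stack immediately
        elif control in ("required", "requisite") and not ok:
            required_failed = True  # stack continues, but the login will fail
        elif control not in ("required", "requisite", "optional"):
            raise ValueError(f"unsupported control flag: {control}")
        any_success = any_success or ok
    return any_success and not required_failed, ran


def outcomes(stack):
    """Evaluate every success/failure combination of the stack's modules."""
    modules = [m for _, m in stack]
    table = {}
    for combo in product([True, False], repeat=len(modules)):
        table[combo] = evaluate(stack, dict(zip(modules, combo)))
    return table


if __name__ == "__main__":
    for combo, (granted, ran) in outcomes(STACK).items():
        print(combo, "->", "granted" if granted else "denied", "after", ran)
```

In this model the stack grants the login when any one of the three modules succeeds, and pam_opie.so is only consulted when both earlier modules have failed.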



