Authorization with Client PAM Library

Evan Huus eapache at gmail.com
Wed Oct 12 17:02:06 CEST 2011


Hi all,

I am in the process of integrating RADIUS support for authentication
and authorization into SSH login for a server running Linux.

The authentication part has been very simple thanks to the
pam_radius_auth PAM module (I'm using the latest version: 1.3.17).
Authorization has not been as simple.

We run a custom local daemon which actively manages permissions for
the box. The RADIUS server (not under our control) returns
authorization data in Vendor-Specific Attributes of the Access-Accept
message. Our daemon needs to be made aware of whatever VSAs are inside
the Access-Accept message so that it can adjust the user's permissions
accordingly.

The problem is that pam_radius_auth (to the best of my knowledge)
silently ignores any VSAs in the messages it receives. This makes
sense from its perspective, since PAM is purely for authentication.

The best solution I've come up with has pam_radius_auth forwarding the
Access-Accept messages to a configurable port on the local machine.
Our daemon can then listen on that port and extract the data it needs.
This solution is very ugly, and I'm hoping that there's a better way
I'm just not aware of.

Any suggestions or information you can provide are very much appreciated.

Thanks,
Evan
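An added illustration of the data the daemon described above would have to pull out of a forwarded Access-Accept message. This is example code written for this page, not part of pam_radius_auth or FreeRADIUS; it parses the RFC 2865 attribute list, unpacks Vendor-Specific (type 26) attributes into their Vendor-Id and vendor sub-attributes, and checks the Response Authenticator so the daemon only acts on a packet that really came from the RADIUS server. It assumes the daemon is handed the Request Authenticator and the shared secret alongside the forwarded packet (pam_radius_auth does not do that by itself); the vendor id 99999, the sub-attribute types and the secret below are constructed placeholders.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Tuple

RADIUS_CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26

# Constructed sample values (not from any real deployment).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_VENDOR_ID = 99999  # placeholder vendor id


@dataclass
class VSA:
    vendor_id: int
    vendor_type: int
    value: bytes


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865 s3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    A daemon acting on authorization data must check this before trusting any VSA."""
    if len(packet) < 20 or len(request_auth) != 16:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Walk the Type/Length/Value list after the 20-byte header, rejecting malformed lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, offset = [], 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return code, attrs


def parse_vsa(value: bytes) -> List[VSA]:
    """Vendor-Specific value: 4-byte Vendor-Id, then vendor-type/vendor-length/data
    sub-attributes in the RFC 2865 s5.26 recommended layout."""
    if len(value) < 4:
        raise ValueError("VSA shorter than Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    out, offset = [], 4
    while offset < len(value):
        if offset + 2 > len(value):
            raise ValueError("truncated vendor sub-attribute")
        vtype, vlen = value[offset], value[offset + 1]
        if vlen < 2 or offset + vlen > len(value):
            raise ValueError("bad vendor sub-attribute length")
        out.append(VSA(vendor_id, vtype, value[offset + 2:offset + vlen]))
        offset += vlen
    return out


def extract_vsas(packet: bytes) -> List[VSA]:
    """Return every vendor sub-attribute carried in an Access-Accept; other codes yield nothing."""
    code, attrs = parse_attributes(packet)
    if code != RADIUS_CODE_ACCESS_ACCEPT:
        return []
    vsas: List[VSA] = []
    for atype, value in attrs:
        if atype == ATTR_VENDOR_SPECIFIC:
            vsas.extend(parse_vsa(value))
    return vsas


def build_packet(code: int, ident: int, request_auth: bytes, secret: bytes,
                 attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a server-side response with a valid Response Authenticator (for the sample)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def build_sample_access_accept() -> bytes:
    """Constructed Access-Accept with a User-Name and one VSA holding two sub-attributes."""
    vsa = struct.pack("!I", SAMPLE_VENDOR_ID) + b"".join(
        bytes([t, len(v) + 2]) + v
        for t, v in [(1, b"role=operator"), (2, b"shell=restricted")])
    return build_packet(RADIUS_CODE_ACCESS_ACCEPT, 7, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET,
                        [(ATTR_USER_NAME, b"evan"), (ATTR_VENDOR_SPECIFIC, vsa)])


if __name__ == "__main__":
    pkt = build_sample_access_accept()
    print("authentic:", verify_response_authenticator(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    for v in extract_vsas(pkt):
        print(f"vendor={v.vendor_id} type={v.vendor_type} value={v.value!r}")
```

The length checks matter because an attribute length of 0 or 1 in a hostile packet would otherwise make the parsing loop spin or read past the buffer; whatever channel forwards the message to the daemon, the daemon should treat the bytes as untrusted until the authenticator check passes.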


