Ignore privileged users in PAM_RADIUS auth

Eero Volotinen eero.volotinen at iki.fi
Wed May 14 21:05:35 CEST 2014


This is PAM-related configuration.

Take a look at this example:

# Prevent the following 1 rule from applying to root
auth [default=1 success=ignore] pam_succeed_if.so uid > 0
# Configure PAM to use RADIUS with a possible local fallback, only if the
# RADIUS/proxy server is down
auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown


2014-05-14 21:43 GMT+03:00 Bob Probert <bruisebrotherprobert at gmail.com>:

> Hello all,
>
> I'm developing PAM policy for a server in which my organization doesn't
> have control of the RADIUS infrastructure. This particular system is using
> the RADIUS PAM module only for authentication purposes -- an account must
> be present on the system in order for a login to be successful.
>
> The users of this system must never have access to two accounts -- one
> we'll call 'system' the other is 'root'. The PAM configuration has
> 'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a
> RADIUS administrator adds an account for 'root' or 'system' in the RADIUS
> infrastructure, the user will then get unauthorized "root" or "system"
> access.
>
> Has anyone on the list encountered a similar issue? After inspecting the
> RADIUS PAM module code, it appears that there aren't any hooks for
> disabling RADIUS auth for certain users. This appears to be a rather
> trivial feature to implement; if I add this functionality to the module, is
> there any interest in my patch? Any other ideas?
>
> Thanks!
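To see why the stack in Eero's reply keeps root away from RADIUS while still giving ordinary users the localifdown fallback, here is a small simulator of Linux-PAM's dispatcher walking that stack. It is an added example, not code from this thread or from the pam_radius project. It models the control values the reply uses (ignore, done, die and the default=N jump) plus the classic `required` keyword as pam.conf(5) spells it out, and it assumes a trailing `auth required pam_unix.so` line, which Bob's policy implies but the reply does not show. Module results are supplied by the caller, so nothing here contacts a RADIUS server or reads /etc/shadow; the `radius` module returning PAM_IGNORE stands for what localifdown is meant to produce when no server answers.

```python
"""Walk the PAM auth stack from the reply the way Linux-PAM's dispatcher does.

Added example, not code from the mailing-list thread. It assumes a final
'auth required pam_unix.so' line (implied by the quoted policy, not shown in
the reply) and takes each module's return code from the caller.
"""

SUCCESS, AUTH_ERR, IGNORE, PERM_DENIED = "success", "auth_err", "ignore", "perm_denied"

# control tables: module return code -> action ("ok", "done", "bad", "die",
# "ignore", or an integer N meaning "jump over the next N modules")
REQUIRED = {SUCCESS: "ok", "new_authtok_reqd": "ok", IGNORE: "ignore", "default": "bad"}

STACK = [
    # Prevent the following 1 rule from applying to root
    ("succeed_if", {"default": 1, SUCCESS: "ignore"}),
    # RADIUS; with localifdown the module is expected to return PAM_IGNORE
    # when the server is down, so the stack falls through to the next line
    ("radius", {SUCCESS: "done", "new_authtok_reqd": "done", IGNORE: "ignore", "default": "die"}),
    # assumed local password check (not shown in the reply)
    ("unix", REQUIRED),
]


def run_stack(stack, results):
    """results: module key -> return code that module would produce.

    Returns (stack result, list of modules actually invoked)."""
    impression = None       # None = undefined, True = positive, False = negative
    status = PERM_DENIED
    skip = 0
    invoked = []
    for key, control in stack:
        if skip:            # jumped over by an earlier default=N
            skip -= 1
            continue
        retval = results[key]
        invoked.append(key)
        action = control.get(retval, control["default"])
        if isinstance(action, int):
            skip = action   # a jump does not contribute to the stack result
        elif action == "ignore":
            pass
        elif action in ("ok", "done"):
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval
            if action == "done" and impression:
                break       # decision made, later modules are not consulted
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
    return (status if impression is not None else PERM_DENIED), invoked


def scenarios():
    """The cases Bob is worried about, plus the localifdown fallback."""
    return {
        # root exists in RADIUS (the feared case) but has no valid local password
        "root_in_radius": run_stack(STACK, {"succeed_if": AUTH_ERR, "radius": SUCCESS, "unix": AUTH_ERR}),
        # root with a correct local password
        "root_local_ok": run_stack(STACK, {"succeed_if": AUTH_ERR, "radius": SUCCESS, "unix": SUCCESS}),
        # ordinary user accepted by RADIUS: pam_unix is never consulted
        "user_radius_ok": run_stack(STACK, {"succeed_if": SUCCESS, "radius": SUCCESS, "unix": AUTH_ERR}),
        # ordinary user rejected by RADIUS: die, no local fallback
        "user_radius_reject": run_stack(STACK, {"succeed_if": SUCCESS, "radius": AUTH_ERR, "unix": SUCCESS}),
        # RADIUS unreachable: localifdown makes the module return PAM_IGNORE
        "user_radius_down": run_stack(STACK, {"succeed_if": SUCCESS, "radius": IGNORE, "unix": SUCCESS}),
    }


if __name__ == "__main__":
    for name, (result, invoked) in scenarios().items():
        print(f"{name:20s} -> {result:12s} via {' -> '.join(invoked)}")
```

The point to check is the `root_in_radius` case: pam_succeed_if fails for uid 0, the `default=1` jump skips pam_radius_auth entirely, and only the local password decides, so an entry for root on the RADIUS side never gets consulted. For everyone else `success=done` short-circuits the stack on a RADIUS accept, `default=die` stops it on a reject, and the PAM_IGNORE that localifdown is meant to return when the server is unreachable is the only path that falls through to pam_unix.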