Ignore privileged users in PAM_RADIUS auth
Bob Probert
bruisebrotherprobert at gmail.com
Wed May 14 22:09:26 CEST 2014
Thanks Eero and Alan, this is exactly the information I was looking for.
I had a feeling that a new "feature" wasn't going to be necessary, thanks
for the confirmation.
On Wed, May 14, 2014 at 12:05 PM, Eero Volotinen <eero.volotinen at iki.fi> wrote:
> This is PAM-related configuration.
>
> Take a look at this example:
>
> # Prevent the following 1 rule from applying to root
> auth [default=1 success=ignore] pam_succeed_if.so uid > 0
> # Configure PAM to use RADIUS, with local fallback only if the RADIUS/proxy server is down
> auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown
>
>
> 2014-05-14 21:43 GMT+03:00 Bob Probert <bruisebrotherprobert at gmail.com>:
>
>> Hello all,
>>
>> I'm developing PAM policy for a server in which my organization doesn't
>> have control of the RADIUS infrastructure. This particular system is using
>> the RADIUS PAM module only for authentication purposes -- an account must
>> be present on the system in order for a login to be successful.
>>
>> The users of this system must never have access to two accounts -- one
>> we'll call 'system' the other is 'root'. The PAM configuration has
>> 'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a
>> RADIUS administrator adds an account for 'root' or 'system' in the RADIUS
>> infrastructure, the user will then get unauthorized "root" or "system"
>> access.
>>
>> Has anyone on the list encountered a similar issue? After inspecting the
>> RADIUS PAM module code, it appears that there aren't any hooks for
>> disabling RADIUS auth for certain users. This appears to be a rather
>> trivial feature to implement, if I add this functionality to the module, is
>> there any interest in my patch? Any other ideas?
>>
>> Thanks!
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
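The two stacks discussed in this thread, the 'sufficient'-before-Unix stack from the question and Eero's skip-one-rule pattern, modelled in a Python example added here (not code from the thread or from pam_radius_auth): a toy evaluator of Linux-PAM 'auth' control actions run against both configurations. The account names, passwords, RADIUS acceptance data, and the modelling of `localifdown` as a PAM_IGNORE return are assumptions, and pam_succeed_if's `user notin root:system` form replaces `uid > 0` so that both named accounts are covered.

```python
# Constructed sample data: local accounts (uid, password) and the credentials an external RADIUS server would accept.
LOCAL_USERS = {"root": (0, "local-root-pw"), "system": (500, "local-sys-pw"), "alice": (1001, "local-alice-pw")}
RADIUS_ACCEPTS = {("root", "radius-pw"), ("alice", "radius-pw")}
# The stack from the question: RADIUS is 'sufficient' ahead of Unix auth.
WEAK_STACK = """
auth sufficient pam_radius_auth.so
auth required   pam_unix.so
"""
# Eero's pattern, with 'uid > 0' widened to both named accounts via pam_succeed_if 'notin'.
# When pam_succeed_if fails for root/system, 'default=1' skips the next rule, so RADIUS is never consulted.
HARDENED_STACK = """
auth [success=ignore default=1] pam_succeed_if.so user notin root:system
auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown
auth required pam_unix.so
"""

def parse_stack(text):  # -> [(control dict, module, arg, ...)] per non-comment line; the 'auth' type is dropped
    rules = []
    for line in filter(None, (l.split("#", 1)[0].strip() for l in text.splitlines())):
        rest = line.split(None, 1)[1]
        if rest.startswith("["):                  # bracketed control may contain spaces
            ctrl, rest = rest[1:].split("]", 1)
            control = dict(kv.split("=") for kv in ctrl.split())
        else:                                     # shorthand controls, expanded as Linux-PAM does
            ctrl, rest = rest.split(None, 1)
            control = {"sufficient": {"success": "done", "default": "ignore"}, "required": {"success": "ok", "default": "bad"}}[ctrl]
        rules.append((control, *rest.split()))
    return rules

def run_module(module, args, user, password, radius_up):
    """Stand-ins for the three modules (only the 'user notin a:b' form of pam_succeed_if is modelled)."""
    if module == "pam_succeed_if.so":
        return "success" if user not in args[2].split(":") else "auth_err"
    if module == "pam_radius_auth.so":
        if not radius_up:                         # 'localifdown' modelled as a PAM_IGNORE return (assumption)
            return "ignore"
        return "success" if (user, password) in RADIUS_ACCEPTS else "auth_err"
    return "success" if LOCAL_USERS.get(user, (None, None))[1] == password else "auth_err"

def authenticate(stack_text, user, password, radius_up=True):
    """Walk the stack with Linux-PAM action semantics: ok, bad, done, die, ignore, skip-N."""
    stack, state, i = parse_stack(stack_text), None, 0
    while i < len(stack):
        control, module, *args = stack[i]
        ret = run_module(module, args, user, password, radius_up)
        action = control.get(ret, control.get("default", "bad"))
        if action in ("bad", "die") or (action in ("ok", "done") and state is not False):
            state = action in ("ok", "done")      # failure sticks; success only if no failure was recorded
        if action in ("done", "die"):
            break
        i += 1 + (int(action) if action.isdigit() else 0)
    return state is True
```

With the weak stack, a 'root' entry on the remote RADIUS server logs in as root; with the hardened stack, root and system only ever reach pam_unix, while other users still fall back to local auth only when the RADIUS server is unreachable.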