Setting up centralized authentication for Linux SSH users

Daniel Bray dbray925 at gmail.com
Mon Jun 22 20:10:56 CEST 2015


On Mon, Jun 22, 2015 at 1:52 PM, Alan DeKok <aland at deployingradius.com> wrote:
>
>   RADIUS doesn't do UID, GID, home directory, etc.  So it's probably not the correct choice for logging into Linux servers.
>

I can take care of that with either Spacewalk, or other scripted
methods.  I was mainly looking for a centralized user "database",
focusing on AAA.  I've seen comparisons to OpenLDAP and other
directory services, but I'm just not needing the level of Identity
Management that LDAP-based services provide.  My main focus is just
(security) authorization.

>
>   The default configuration of the server is to authenticate users.  Which means all known users are allowed in.
>

Is there any sort of common "trick" to deny users by default?  Or, am
I just looking at this wrong... which I'm beginning to think I am.  If
the user does not need access, but needs to be created in the
FreeRADIUS database, then I should probably either 1.) reevaluate the
real reason they "need" to be created or 2.) explicitly deny/disable
that user, leaving all the other admins alone with default access.
I'm leaning towards option 2, so that I can just re-enable the vendor
when they need to do work, and then disable (or set some sort of
time-based authentication) when they are done.

>
>   You have to set up explicit lists of who's allowed to log in where.  Put the data into an SQL table, and write a SELECT statement.  Then, put that SELECT statement into the FreeRADIUS configuration.
>

And just to be clear.  I should configure all of that with the
/etc/raddb/sites-enabled/default file right after the authorize -> sql
section.  Meaning, I should place all my sql if/else statements in
that section.  Right?


Thank you so much for your help and guidance.
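The per-user, per-host "allow list in an SQL table" that Alan describes, with the deny-by-default and time-boxed vendor access Daniel is asking about, modelled as a runnable example. This is added here and is not code from the thread or from FreeRADIUS itself: the table names (users, host_access), the column names and the sample rows are assumptions made for illustration, and SQLite stands in for whatever database the sql module is pointed at. The point is the SELECT: a user who exists in the user table but has no enabled, currently valid grant row for the host they are hitting gets Access-Reject, so adding a user never grants access by itself.

```python
"""Deny-by-default, per-host authorization lookup modelled in SQLite.

Added example (not FreeRADIUS code). Table/column names are assumptions.
The decision is driven entirely by GRANT_QUERY: no matching row, no access.
"""
import hmac
import sqlite3
from datetime import datetime, timedelta

# Constructed sample data; timestamps are ISO-8601 strings so SQLite's
# string comparison orders them correctly.
NOW = datetime(2015, 6, 22, 20, 0, 0)
LATER = NOW + timedelta(hours=5)        # after the vendor's window closes

SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    password TEXT NOT NULL              -- stands in for a radcheck password row
);
CREATE TABLE host_access (
    username       TEXT NOT NULL,
    nas_identifier TEXT NOT NULL,       -- NAS-Identifier sent by the SSH host
    enabled        INTEGER NOT NULL,    -- 0 = explicitly disabled (option 2 above)
    valid_from     TEXT,                -- NULL = no lower bound
    valid_until    TEXT,                -- NULL = no upper bound
    PRIMARY KEY (username, nas_identifier)
);
"""

# The SELECT that decides access. Every condition must hold for a row to
# match; with no row the caller returns Access-Reject.
GRANT_QUERY = """
SELECT 1 FROM host_access
 WHERE username = ?
   AND nas_identifier = ?
   AND enabled = 1
   AND (valid_from  IS NULL OR valid_from  <= ?)
   AND (valid_until IS NULL OR ? < valid_until)
 LIMIT 1
"""


def _iso(t: datetime) -> str:
    return t.isoformat(timespec="seconds")


def load_sample(conn: sqlite3.Connection, now: datetime = NOW) -> None:
    """Create the tables and insert the constructed sample rows."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "hunter2"),      # admin
        ("vendor1", "s3cret"),     # vendor with a maintenance window
        ("bob", "pw"),             # exists, but was never granted anything
    ])
    conn.executemany("INSERT INTO host_access VALUES (?, ?, ?, ?, ?)", [
        ("alice", "web01", 1, None, None),                      # permanent
        ("vendor1", "db01", 1, _iso(now - timedelta(hours=1)),
                              _iso(now + timedelta(hours=4))),  # 5-hour window
        ("vendor1", "web01", 0, None, None),                    # disabled
    ])


def authorize(conn, username, password, nas_identifier, now=NOW):
    """Return (decision, reason) for one Access-Request."""
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None or not hmac.compare_digest(row[0], password):
        return "Access-Reject", "unknown user or bad password"
    ts = _iso(now)
    if conn.execute(GRANT_QUERY, (username, nas_identifier, ts, ts)).fetchone() is None:
        return "Access-Reject", "no enabled, current grant for this host"
    return "Access-Accept", "explicit grant"


def scenarios():
    """Run the constructed cases and return {label: decision}."""
    conn = sqlite3.connect(":memory:")
    load_sample(conn)
    cases = {
        "admin on granted host":        ("alice", "hunter2", "web01", NOW),
        "admin on other host":          ("alice", "hunter2", "db01", NOW),
        "admin bad password":           ("alice", "wrong", "web01", NOW),
        "user with no grants":          ("bob", "pw", "web01", NOW),
        "vendor inside window":         ("vendor1", "s3cret", "db01", NOW),
        "vendor after window":          ("vendor1", "s3cret", "db01", LATER),
        "vendor disabled host":         ("vendor1", "s3cret", "web01", NOW),
    }
    return {label: authorize(conn, *args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for label, decision in scenarios().items():
        print(f"{label:28s} {decision}")
```

Two practical notes on carrying this over to the server, both my own reading rather than anything stated in the thread. First, in FreeRADIUS the password check happens in the server's own authentication (the sql module's user lookup plus pap), so only the grant SELECT needs to move into the configuration; with the request's User-Name and NAS-Identifier substituted for the placeholders it can be run from unlang in the authorize section as an `%{sql:...}` expansion and followed by a `reject` when it returns nothing, which is the deny-by-default Daniel asked for. Second, the "host" in that query is only as trustworthy as the RADIUS client entry and shared secret the SSH server authenticates with, so keep one secret per host rather than one shared across the fleet, otherwise any host can claim to be `db01`.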

