Setting up centralized authentication for Linux SSH users

Alan DeKok aland at deployingradius.com
Mon Jun 22 20:14:04 CEST 2015


On Jun 22, 2015, at 2:10 PM, Daniel Bray <dbray925 at gmail.com> wrote:
> I can take care of that with either Spacewalk, or other scripted
> methods.  I was mainly looking for a centralized user "database",
> focusing on AAA.

  People typically use LDAP for Linux logins.  It's a better fit.

> Is there any sort of common "trick" to deny users by default?

  No.  Unknown users are denied.  Known users are authenticated.

  There's no trick.  If you want known users to be rejected, you have to tell the server when to do that.  There is no default configuration of "do everything I want".

>  Or, am
> I just looking at this wrong....which I'm beginning to think I am.  If
> the user does not need access, but needs to be created in the
> Freeradius database, then I should probably either 1.) reevaluate the
> real reason they "need" to be created or 2.) explicitly deny/disable
> that user, leaving all the other admins alone with default access.

  Pretty much.

> And just to be clear.  I should configure all of that with the
> /etc/raddb/sites-enabled/default file right after the authorize -> sql
> section.  Meaning, I should place all my sql if/else statements in
> that section.  Right?

  Yes.

  Alan DeKok.
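
One way the placement discussed above can look, as an added example that is not part of the original message or the FreeRADIUS default configuration. It assumes a hypothetical SQL group named "disabled" that holds accounts which must exist in the database but must not log in.

```unlang
# /etc/raddb/sites-enabled/default (fragment, added example)
authorize {
    # ... other modules from the stock file stay as they are ...

    # Look the user up in the SQL database.
    sql

    # Assumption: "disabled" is a hypothetical group name chosen for
    # this example.  SQL-Group is evaluated by the sql module as a
    # group-membership check for the user in the request.
    if (SQL-Group == "disabled") {
        # Known user, explicitly told to be rejected.
        reject
    }

    # Known users outside that group fall through and are
    # authenticated normally; unknown users are denied as usual.
}
```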



