Setting up centralized authentication for Linux SSH users
Daniel Bray
dbray925 at gmail.com
Mon Jun 22 21:03:13 CEST 2015
On Mon, Jun 22, 2015 at 2:14 PM, Alan DeKok <aland at deployingradius.com> wrote:
>> I'm just looking at this wrong....which I'm beginning to think I am. If
>> the user does not need access, but needs to be created in the
>> Freeradius database, then I should probably either 1.) reevaluate the
>> real reason they "need" to be created or 2.) explicitly deny/disable
>> that user, leaving all the other admins alone with default access.
>
> Pretty much.
>
>> And just to be clear. I should configure all of that with the
>> /etc/raddb/sites-enabled/default file right after the authorize -> sql
>> section. Meaning, I should place all my sql if/else statements in
>> that section. Right?
>
> Yes.
>
Thanks again. In the end, this is the logic I came up with, and it
appears to be doing what I need it to do:
# First, start with the "blanks". Meaning, no group, no NAS IP, no
# access...get out.
if (("%{sql:SELECT `groupname` FROM `radusergroup` WHERE `username`='%{User-Name}'}" == '') ||
    ("%{sql:SELECT `groupname` FROM `radhuntgroup` WHERE `nasipaddress`='%{NAS-IP-Address}'}" == '')) {
        update reply {
                Reply-Message := "No known GroupName or NAS IP, get out"
        }
        reject
}

# Check for specific groups and NAS IPs, else default to get out.
if ("%{sql:SELECT `username` FROM `radusergroup` WHERE `groupname` = 'Admins' AND `username` = '%{User-Name}'}" != '') {
        update reply {
                Reply-Message := "Welcome Admin, you may access any device."
        }
}
elsif (("%{sql:SELECT `username` FROM `radusergroup` WHERE `groupname` = 'VendorA' AND `username` = '%{User-Name}'}" != '') &&
       (NAS-IP-Address == "10.0.0.1")) {
        update reply {
                Reply-Message := "Welcome VendorA, you may access 10.0.0.1"
        }
}
else {
        update reply {
                Reply-Message := "No known authorized access, get out."
        }
        reject
}
For future vendors, I see the "elsif" part growing and
changing....and that's about it. So far, all my tests are working,
and not working, as expected.
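The authorize logic in the post, modelled as a stand-alone Python function over an in-memory SQLite copy of the two FreeRADIUS tables, so the whole decision matrix (admin on any device, vendor on its own device, vendor on someone else's device, unknown user, unknown NAS) can be exercised without a running server. This is an added example, not code from the post or from FreeRADIUS: the schema is a cut-down version of the stock radusergroup/radhuntgroup tables, the users and NAS addresses are constructed, and VENDOR_ACCESS is a hypothetical allow list that generalises the per-vendor elsif into a (group, huntgroup) lookup, the direction the author expects the chain to grow in. The queries are parameterised rather than string-built; the unlang above relies instead on the sql xlat escaping the attributes it expands inside %{sql:...}, which is what keeps the inline '%{User-Name}' from being an injection point. The last case in the matrix shows the bound-parameter version refusing a quote-laden username.

```python
import sqlite3

# Cut-down version of the stock FreeRADIUS SQL schema: only the two tables
# the unlang in the post consults (assumption: column names as in the stock schema).
SCHEMA = """
CREATE TABLE radusergroup (
    username  TEXT    NOT NULL,
    groupname TEXT    NOT NULL,
    priority  INTEGER NOT NULL DEFAULT 1
);
CREATE TABLE radhuntgroup (
    id           INTEGER PRIMARY KEY,
    groupname    TEXT NOT NULL,
    nasipaddress TEXT NOT NULL
);
"""

# Constructed sample data (not from the post): three users, two NAS devices.
USER_GROUPS = [("alice", "Admins", 1), ("bob", "VendorA", 1), ("eve", "Contractors", 1)]
HUNTGROUPS = [("vendora-switches", "10.0.0.1"), ("core-routers", "10.0.0.2")]

# Hypothetical allow list: (user group, huntgroup) pairs a vendor may log in to.
# Replaces the per-vendor `elsif`; the post hardcodes 10.0.0.1 in unlang instead.
VENDOR_ACCESS = {("VendorA", "vendora-switches")}

ADMIN_GROUP = "Admins"


def open_db():
    """Build the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radusergroup VALUES (?, ?, ?)", USER_GROUPS)
    conn.executemany(
        "INSERT INTO radhuntgroup (groupname, nasipaddress) VALUES (?, ?)", HUNTGROUPS)
    return conn


def sql_xlat(conn, query, *params):
    """Mimic %{sql:...}: first column of the first row, '' when no row matches.

    Parameters are bound by sqlite3, never interpolated into the query text."""
    row = conn.execute(query, params).fetchone()
    return "" if row is None else str(row[0])


def authorize(conn, username, nas_ip):
    """Return (unlang return code, Reply-Message) for one Access-Request.

    'ok' means the authorize section falls through to authentication;
    'reject' ends the request with the given Reply-Message."""
    user_group = sql_xlat(
        conn, "SELECT groupname FROM radusergroup WHERE username = ? ORDER BY priority",
        username)
    huntgroup = sql_xlat(
        conn, "SELECT groupname FROM radhuntgroup WHERE nasipaddress = ?", nas_ip)

    # First, the "blanks": unknown user or NAS not in any huntgroup, get out.
    if user_group == "" or huntgroup == "":
        return "reject", "No known GroupName or NAS IP, get out"

    # Admins may reach any device that is in a huntgroup.
    is_admin = sql_xlat(
        conn, "SELECT username FROM radusergroup WHERE groupname = ? AND username = ?",
        ADMIN_GROUP, username) != ""
    if is_admin:
        return "ok", "Welcome Admin, you may access any device."

    # Vendors: only the (group, huntgroup) pairs on the allow list.
    if (user_group, huntgroup) in VENDOR_ACCESS:
        return "ok", f"Welcome {user_group}, you may access {nas_ip}"

    return "reject", "No known authorized access, get out."


def decision_matrix(conn, cases):
    """Run a list of (username, nas_ip) requests; return {case: return code}."""
    return {case: authorize(conn, *case)[0] for case in cases}


if __name__ == "__main__":
    db = open_db()
    for case in [("alice", "10.0.0.2"), ("bob", "10.0.0.1"), ("bob", "10.0.0.2"),
                 ("eve", "10.0.0.1"), ("mallory", "10.0.0.1"), ("alice", "192.0.2.9"),
                 ("bob' OR '1'='1", "10.0.0.1")]:
        print(case, authorize(db, *case))
```

Two details carry over from the unlang. sql_xlat returns the first column of the first row and an empty string when nothing matches, which is exactly what the `== ''` / `!= ''` comparisons in the post test for, so a user in several groups is judged by the highest-priority row. And "ok" is not an Access-Accept: it only means authorize did not reject, and the request still has to pass authentication, which is the same as the post's code setting Reply-Message without returning anything.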