PAM authentication with Eduroam
Phil Mayers
p.mayers at imperial.ac.uk
Mon Jun 29 15:35:13 CEST 2015
On 29/06/15 14:20, Kristoffer Dalby wrote:
> Hi
>
> I am researching the possibility of using freeradius/eduroam as
> authentication backend through PAM for SSH.
>
> This far in my research, I have run into a few questions that I can't
> quite find the correct answer to.
>
> Currently I cannot understand if the PAM module is able to handle the
> password as a hash, or if it is able to use secure communication such as
> EAP-TLS.
>
> Also, as eduroam is a hierarchy of radius servers, where the
> authentication request is forwarded until it reaches the right server,
> it requires the credentials are encrypted so only the user and the
> correct server can "see" them. I do quite understand if this is even
> possible to achieve from the PAM side of my use case.
>
> Can anyone provide some clarification on these cases? My English is not
> the best, so if my explanations are hard to understand, please let me
> know, and I will try again.
This won't really work. Eduroam "home" sites define which authentication
mechanisms their users will use. Those are typically multi-pass
challenge-response, tunneled over TLS.
PAM doesn't support that kind of exchange, and most PAM apps don't either.
Instead, you should investigate the "abfab" IETF WG technologies:
https://tools.ietf.org/wg/abfab/
In brief, this is an EAP-over-GSSAPI mechanism which is then passed off
to the Eduroam proxy hierarchy; you can then use GSSAPI-for-SSH patches
to login over SSH using Eduroam.
But plain PAM won't help, AIUI.