create SSH accounts using RADIUS pam
aland at deployingradius.com
Mon Sep 5 16:39:00 CEST 2016
On Sep 5, 2016, at 10:29 AM, Janis Heller <janis.heller at outlook.de> wrote:
> I use the REST module of RADIUS to validate login requests (username & password).
> Now I would like my users to be able to log in to some servers using SSH. Their accounts should all be very unprivileged (just for SSH tunneling).
> After setting up the PAM sshd module, I recognized that login would only be possible by creating a new user with an empty password by using:
> adduser testuser
> on the server. Is there a way to prevent this and allow users to log in in case RADIUS accepted their username & password?
See the PAM and NSS documentation. This is really outside of FreeRADIUS.
> I already searched for this problem:
> Setting up LDAP would be a bit too much for this I think, isn’t there an easier way?
I took a look at writing an nss_radius plugin years ago. It wasn't simple. NSS made PAM look sane.