create SSH accounts using RADIUS pam
Alan DeKok
aland at deployingradius.com
Mon Sep 5 16:39:00 CEST 2016
On Sep 5, 2016, at 10:29 AM, Janis Heller <janis.heller at outlook.de> wrote:
>
> I use the REST module of RADIUS to validate login requests (username & password).
> Now I would like my users to be able to log in to some servers using SSH. Their accounts should all be very unprivileged (just for SSH tunneling).
> After setting up the pam sshd module I recognized the login would only be possible by creating a new user with an empty password by using:
>
> adduser testuser
>
> on the server. Is there a way to prevent this and allow users to log in if RADIUS accepted their username & password?
See the PAM and NSS documentation. This is really outside of FreeRADIUS.
> I already searched for this problem:
>
> http://serverfault.com/questions/567628/authenticate-radius-user-using-pam-and-ssh
>
> Setting up LDAP would be a bit too much for this I think, isn't there an easier way?
No.
I took a look at writing an nss_radius plugin years ago. It wasn't simple. NSS made PAM look sane.
Alan DeKok.