create SSH accounts using RADIUS pam

Alan DeKok aland at
Mon Sep 5 16:39:00 CEST 2016

On Sep 5, 2016, at 10:29 AM, Janis Heller <janis.heller at> wrote:
> I use the REST module of RADIUS to validate login requests (username & password).
> Now I would like my users to be able to login to some servers using SSH. Their accounts should be all very unprivileged (just for SSH tunneling).
> After setting up the pam sshd module I recognized the login would be only possible by creating a new user with an empty password by using:
> adduser testuser
> on the server. Is there a way to prevent this and allow users to login in case of RADIUS accepted their username & password.

  See the PAM and NSS documentation.  This is really outside of FreeRADIUS.

> I already searched for this problem:
> Setting up ldap would be a bit too much for this I think, isn’t there an easier way?


  I took a look at writing an nss_radius plugin years ago.  It wasn't simple.  NSS made PAM look sane.

  Alan DeKok.

More information about the Freeradius-Users mailing list