This is the problem of every ISP, and I haven't found a way around it yet.
But it's on my work schedule.

NIS is not secure, because it lets you "ypcat" the /etc/shadow file,
unless you make big modifications to it. In other words, don't even think
about it.

Radius authentication would be doable under PAM. The problem is, you
still need /etc/passwd to get the location of the users' directories. It
would be okay for mail though.

On my systems, I had to heavily modify Radius to accept the expiration
date in the shadow file, and to check if the shell is in /etc/shells, to
give access to mail only and not dialup for some users. Radius lacks many
features unfortunately...

There is a "passwdd" software on freshmeat that lets you synchronize
password files. I haven't had the time to check it out yet. If you do try
it, I'd like to get your comments about it.

I remember seeing a Radius module for PAM, but I don't remember where I
saw it. Anyways, you'd still have problems with the users' directory...

Jean-Michel Dault
[EMAIL PROTECTED]
[EMAIL PROTECTED]


On Tue, 28 Dec 1999, Ramon Gandia wrote:

> Date: Tue, 28 Dec 1999 11:57:26 -0900
> From: Ramon Gandia <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [expert] Radius
> 
> Right now I have an overloaded server, running Radius, my
> accounting program, Web, FTP and mail.
> 
> I need to separate these functions, but of course they all
> need authentication.
> 
> I have thought of rsync or NIS, but would perhaps like to see
> if RADIUS can be made to work.  Here is what I want, as an
> example.
> 
> My Web server, www.nook.net, requires that my users be able
> to FTP to and from it to load their web pages.  This is no
> problem as they are on the /etc/passwd and /etc/shadow
> files.
> 
> Instead, I would like to remove their entries from these
> files, and have the authentication be done against a remote
> Radius server, which will contain their passwords (either
> on the /etc/passwd and /etc/shadow files, or on the
> /etc/raddb/users file).  In other words, if the Radius
> server can authenticate remote logins from the terminal
> servers, it should also be able to authenticate logins to
> other computers.
> 
> What I need is a Radius authentication CLIENT module that
> would work with RedHat/Mandrake Linux.  I have not been
> able to locate any such.  All I see is Radius servers,
> but no clients.
> 
> Can anyone help me in locating something like this?
> 
> -- 
> Ramon Gandia ============= Sysadmin ============== Nook Net
> http://www.nook.net                            [EMAIL PROTECTED]
> 285 West First Avenue                     tel. 907-443-7575
> P.O. Box 970                              fax. 907-443-2487
> Nome, Alaska 99762-0970 ==== Alaska Toll Free. 888-443-7525
> 
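
The two account checks the reply describes adding to Radius (the expiration date in the shadow file, and whether the shell is listed in /etc/shells), as an added sketch that is not part of the original thread or of any Radius code base. The sample entries, the function names and the rule that an unlisted shell means mail only are assumptions.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)

# Constructed sample data (not from the thread); password fields are placeholders.
SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n"
PASSWD = {
    "alice": "alice:x:501:501::/home/alice:/bin/bash",
    "bob": "bob:x:502:502::/home/bob:/bin/false",
    "carol": "carol:x:503:503::/home/carol:/bin/bash",
}
SHADOW = {
    "alice": "alice:*:10900:0:99999:7:::",
    "bob": "bob:*:10900:0:99999:7::11000:",
    "carol": "carol:*:10900:0:99999:7::10953:",
}

def parse_shells(text):
    """Valid login shells from /etc/shells content (comments and blanks skipped)."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return {ln for ln in lines if ln.startswith("/")}

def account_expired(shadow_line, today):
    """Check field 8 of a shadow(5) entry: expiry as days since 1970-01-01."""
    fields = shadow_line.strip().split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow entry")
    if fields[7] == "":
        return False  # empty field: the account never expires
    # Assumption of this sketch: expired from the expiry day itself onward.
    return today >= EPOCH + timedelta(days=int(fields[7]))

def allowed_services(passwd_line, shadow_line, shells, today):
    """Return the services to grant; any parse error denies everything."""
    try:
        pw = passwd_line.strip().split(":")
        if len(pw) != 7 or pw[0] != shadow_line.split(":", 1)[0]:
            raise ValueError("malformed or mismatched passwd entry")
        if account_expired(shadow_line, today):
            return set()
    except ValueError:
        return set()
    shell = pw[6] or "/bin/sh"  # empty shell field means /bin/sh
    # Assumed policy: a shell not listed in /etc/shells means mail only.
    return {"mail", "dialup"} if shell in shells else {"mail"}

if __name__ == "__main__":
    today = date(1999, 12, 28)  # 10953 days after the epoch
    shells = parse_shells(SHELLS)
    for user in PASSWD:
        print(user, sorted(allowed_services(PASSWD[user], SHADOW[user], shells, today)))
```
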
