By default, no. SSH is set up to block ROOT login. What you need to do is log into an SSH session as a user, then su to the ROOT account.

From: Brock Noland <[EMAIL PROTECTED]>
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: RADIUS and PAM configuration help--RESOLVED with solution posted
Date: Tue, 21 Dec 2004 08:22:30 -0600


Will this allow root login??

Brock


On Mon, 20 Dec 2004 16:52:29 -0800, Toby Zimmerer
<[EMAIL PROTECTED]> wrote:
> Alright! I figured this whole thing out! I switched over to the
> pam_radius_auth module (Sept 2003) to tie PAM into an existing RADIUS
> server. The difference with tying RADIUS in with Redhat ES is that each
> module that links to PAM has a separate module under the /etc/pam.d
> directory. You must edit each module configuration file for PAM to use
> RADIUS. Thanks for all of the feedback.
>
> Here is my configuration information for authenticating an SSH session with
> RADIUS with PAM.
>
> http://www.freeradius.org/pam_radius_auth/
>
> Edit /etc/pam.d/sshd
>
> #%PAM-1.0
>
> # auth required pam_stack.so service
> auth required pam_radius_auth.so
> #auth required pam_nologin.so
> #account required pam_stack.so service=system-auth
> account required pam_radius_auth.so
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
> session required pam_limits.so
> session optional pam_console.so
>
> Copy the pam_radius_auth.so module to /lib/security
>
> Create a directory /etc/raddb
> Create a file called /etc/raddb/server
>
> Edit /etc/raddb/server
>
> # pam_radius_auth configuration file. Copy to: /etc/raddb/server
> #
> # For proper security, this file SHOULD have permissions 0600,
> # that is readable by root, and NO ONE else. If anyone other than
> # root can read this file, then they can spoof responses from the server!
> #
> # There are 3 fields per line in this file. There may be multiple
> # lines. Blank lines or lines beginning with '#' are treated as
> # comments, and are ignored. The fields are:
> #
> # server[:port] secret [timeout]
> #
> # the port name or number is optional. The default port name is
> # "radius", and is looked up from /etc/services. The timeout field is
> # optional. The default timeout is 3 seconds.
> #
> # If multiple RADIUS server lines exist, they are tried in order. The
> # first server to return success or failure causes the module to return
> # success or failure. Only if a server fails to respond is it skipped,
> # and the next server in turn is used.
> #
> # The timeout field controls how many seconds the module waits before
> # deciding that the server has failed to respond.
> #
> # server[:port] shared_secret timeout (s)
> #127.0.0.1 secret 1
> #other-server other-secret 3
> 10.1.123.15:1812 radiussecret 3
>
> #
> # having localhost in your radius configuration is a Good Thing.
> #
> # See the INSTALL file for pam.conf hints.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>



-- "There is one and only one social responsibility of business - to use its resources and engage in activities designed to increase its profits so long as it stays within the rules of the game, which is to say, engages in open and free competition without deception or fraud." Nobel Laureate Milton Friedman
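
An added example, not part of the original thread or of the pam_radius_auth project: a Python check for the /etc/raddb/server file described in the quoted message. It parses the `server[:port] secret [timeout]` lines in the order they would be tried and flags permissions looser than 0600. The function names and the sample entries are assumptions made for illustration.

```python
import os
import stat
import tempfile

DEFAULT_PORT = "radius"  # per the file's comments: name looked up in /etc/services
DEFAULT_TIMEOUT = 3      # seconds, per the file's comments

# Constructed sample in the format quoted above (not a real deployment).
SAMPLE = """\
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
10.1.123.15:1812 radiussecret 3
other-server other-secret
"""

def parse_servers(text):
    """Return [(host, port, secret, timeout)] in the order the servers are tried."""
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'server[:port] secret [timeout]'")
        host, _, port = fields[0].partition(":")
        timeout = int(fields[2]) if len(fields) == 3 else DEFAULT_TIMEOUT
        servers.append((host, port or DEFAULT_PORT, fields[1], timeout))
    return servers

def audit_permissions(path):
    """Return findings; an empty list means mode 0600 (or stricter) and root-owned."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & 0o077:
        findings.append(f"mode {mode:04o} exposes the shared secret to group/other; use 0600")
    if st.st_uid != 0:
        findings.append(f"owner uid {st.st_uid} is not root")
    return findings

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write(SAMPLE)  # stand-in for /etc/raddb/server
    os.chmod(fh.name, 0o644)
    print(parse_servers(SAMPLE), audit_permissions(fh.name), sep="\n")
    os.remove(fh.name)
```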
