Yes, I was able to SU in the session after using RADIUS to establish the SSH tunnel. The SU command used the local ROOT password.

From: Brock Noland <[EMAIL PROTECTED]>
Reply-To: freeradius-users@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Subject: Re: RADIUS and PAM configuration help--RESOLVED with solution posted
Date: Tue, 21 Dec 2004 16:46:07 -0600


Sorry, I should have been more clear. Su uses PAM. I was asking, did
you change ALL of your pam files to the configuration you listed,
because I don't think root would be allowed to login then. Unless root
was authenticated via radius. I was just wondering if you had tried
logging in (or su-ing) as root.

Brock


On Tue, 21 Dec 2004 08:33:53 -0800, Toby Zimmerer
<[EMAIL PROTECTED]> wrote:
> By default, no. SSH is setup to block ROOT login. What you need to do is
> log into an SSH session as a user, then su to the ROOT account.
>
> >From: Brock Noland <[EMAIL PROTECTED]>
> >Reply-To: freeradius-users@lists.freeradius.org
> >To: freeradius-users@lists.freeradius.org
> >Subject: Re: RADIUS and PAM configuration help--RESOLVED with solution
> >posted
> >Date: Tue, 21 Dec 2004 08:22:30 -0600
> >
> >Will this allow root login??
> >
> >Brock
> >
> >
> >On Mon, 20 Dec 2004 16:52:29 -0800, Toby Zimmerer
> ><[EMAIL PROTECTED]> wrote:
> > > Alright! I figured this whole thing out! I switched over to the
> > > pam_radius_auth module (Sept 2003) to tie PAM into an existing RADIUS
> > > server. The difference with tying RADIUS in with Redhat ES is that each
> > > module that links to PAM has a separate module under the /etc/pam.d
> > > directory. You must edit each module configuration file for PAM to
> > > use RADIUS. Thanks for all of the feedback.
> > >
> > > Here is my configuration information for authenticating an SSH session
> > > with RADIUS with PAM.
> > >
> > > http://www.freeradius.org/pam_radius_auth/
> > >
> > > Edit /etc/pam.d/sshd
> > >
> > > #%PAM-1.0
> > >
> > > # auth required pam_stack.so service
> > > auth required pam_radius_auth.so
> > > #auth required pam_nologin.so
> > > #account required pam_stack.so service=system-auth
> > > account required pam_radius_auth.so
> > > password required pam_stack.so service=system-auth
> > > session required pam_stack.so service=system-auth
> > > session required pam_limits.so
> > > session optional pam_console.so
> > >
> > > Copy the pam_radius_auth.so module to /lib/security
> > >
> > > Create a directory /etc/raddb
> > > Create a file called /etc/raddb/server
> > >
> > > Edit /etc/raddb/server
> > >
> > > # pam_radius_auth configuration file. Copy to: /etc/raddb/server
> > > #
> > > # For proper security, this file SHOULD have permissions 0600,
> > > # that is readable by root, and NO ONE else. If anyone other than
> > > # root can read this file, then they can spoof responses from the server!
> > > #
> > > # There are 3 fields per line in this file. There may be multiple
> > > # lines. Blank lines or lines beginning with '#' are treated as
> > > # comments, and are ignored. The fields are:
> > > #
> > > # server[:port] secret [timeout]
> > > #
> > > # the port name or number is optional. The default port name is
> > > # "radius", and is looked up from /etc/services. The timeout field is
> > > # optional. The default timeout is 3 seconds.
> > > #
> > > # If multiple RADIUS server lines exist, they are tried in order. The
> > > # first server to return success or failure causes the module to return
> > > # success or failure. Only if a server fails to respond is it skipped,
> > > # and the next server in turn is used.
> > > #
> > > # The timeout field controls how many seconds the module waits before
> > > # deciding that the server has failed to respond.
> > > #
> > > # server[:port] shared_secret timeout (s)
> > > #127.0.0.1 secret 1
> > > #other-server other-secret 3
> > > 10.1.123.15:1812 radiussecret 3
> > >
> > > #
> > > # having localhost in your radius configuration is a Good Thing.
> > > #
> > > # See the INSTALL file for pam.conf hints.
> > >
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> > >
> >
> >
> >--
> >"There is one and only one social responsibility of business - to use
> >its resources and engage in activities designed to increase its
> >profits so long as it stays within the rules of the game, which is to
> >say, engages in open and free competition without deception or fraud."
> >Nobel Laureate Milton Friedman



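An audit of the setup described in this thread, as an added example that is not part of the original messages or of pam_radius_auth: it checks that the server file is mode 0600, that each active line fits `server[:port] secret [timeout]`, and lists which `/etc/pam.d` services actually send `auth` to `pam_radius_auth.so`. The function names are made up for this example, and only the file mode is checked, not its owner.

```shell
#!/bin/sh
# Added example: audit a pam_radius_auth deployment like the one in this thread.
# Paths are parameters so the checks can also be run against copies.

# Print the permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the server file is mode 600, as its own header asks.
check_server_perms() {
    [ "$(file_mode "$1")" = "600" ]
}

# Count active lines that do not fit "server[:port] secret [timeout]".
count_bad_server_lines() {
    awk '
        NF == 0 || $1 ~ /^#/        { next }         # blank lines and comments
        NF < 2 || NF > 3            { bad++; next }  # two or three fields only
        NF == 3 && $3 !~ /^[0-9]+$/ { bad++ }        # timeout is whole seconds
        END { print bad + 0 }
    ' "$1"
}

# List PAM services whose active (uncommented) auth stack calls the module.
# Services not listed keep their own stack, e.g. su with the local password.
radius_auth_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if awk '$1 == "auth" && /pam_radius_auth\.so/ { found = 1 }
                END { exit !found }' "$f"; then
            basename "$f"
        fi
    done
}

audit() {   # usage: audit /etc/raddb/server /etc/pam.d
    check_server_perms "$1" || echo "WARN: $1 is not mode 0600"
    echo "malformed server lines: $(count_bad_server_lines "$1")"
    echo "services authenticating via RADIUS:"
    radius_auth_services "$2" | sed 's/^/  /'
}

# Run the audit when called with both paths as arguments.
if [ "$#" -eq 2 ]; then audit "$1" "$2"; fi
```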