Hi all,

I am in the process of integrating RADIUS support for authentication and authorization into SSH login for a server running Linux.

The authentication part has been very simple thanks to the pam_radius_auth PAM module (I'm using the latest version: 1.3.17). Authorization has not been as simple. We run a custom local daemon which actively manages permissions for the box. The RADIUS server (not under our control) returns authorization data in Vendor-Specific Attributes of the Access-Accept message. Our daemon needs to be made aware of whatever VSAs are inside the Access-Accept message so that it can adjust the user's permissions accordingly.

The problem is that pam_radius_auth (to the best of my knowledge) silently ignores any VSAs in the messages it receives. This makes sense from its perspective, since PAM is purely for authentication.

The best solution I've come up with has pam_radius_auth forwarding the Access-Accept messages to a configurable port on the local machine. Our daemon can then listen on that port and extract the data it needs. This solution is very ugly, and I'm hoping that there's a better way I'm just not aware of.

Any suggestions or information you can provide are very much appreciated.

Thanks,
Evan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
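An added illustration, not from the original post or from pam_radius_auth, of what a daemon receiving a forwarded Access-Accept would have to do: walk the attribute list to pull out the Vendor-Specific Attributes (RFC 2865 attribute 26) and, before acting on them, recompute the Response Authenticator, which needs the shared secret and the Request Authenticator of the matching Access-Request (a packet relayed over a local port carries no proof of origin on its own). The secret, Request Authenticator, vendor id and VSA value are constructed sample values.

```python
import hashlib
import hmac
import struct
ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 section 5.26
# Constructed sample values (not from the post): shared secret, the Request
# Authenticator of the Access-Request being answered, and a placeholder vendor id.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
VENDOR_ID = 12345

def build_vsa(vendor_id, vendor_type, value):
    """Encode one VSA: type 26, length, 4-byte vendor id, then one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, len(inner) + 6, vendor_id) + inner

def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept with its Response Authenticator computed per RFC 2865 s.3."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def verify_response(packet, request_auth, secret):
    """Recompute the Response Authenticator; the daemon must check this before trusting VSAs."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

def parse_vsas(packet):
    """Return [(vendor_id, vendor_type, value)] for every VSA in an Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Accept")
    vsas, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length: raise ValueError("malformed attribute")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", packet[pos + 2:pos + 6])[0]
            inner, ipos = packet[pos + 6:pos + alen], 0
            while ipos + 2 <= len(inner):
                vtype, vlen = inner[ipos], inner[ipos + 1]
                if vlen < 2 or ipos + vlen > len(inner): raise ValueError("malformed VSA")
                vsas.append((vendor_id, vtype, inner[ipos + 2:ipos + vlen]))
                ipos += vlen
        pos += alen
    return vsas

def demo_packet():
    """Constructed Access-Accept carrying one VSA, as the daemon would receive it."""
    return build_access_accept(7, REQUEST_AUTH, SECRET, build_vsa(VENDOR_ID, 1, b"role=admin"))
```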