On Fri, Jul 8, 2011 at 8:39 AM, Ramil Galib <[email protected]> wrote:
> Thanks for the ideas.
> Haven't looked into pam_radius yet.
> Here's the setup:
> In our LAN, users (the students) are allowed only 100 hours of free
> computer use. Beyond that they have to pay a minimal amount. I
> want to keep track of their total login time in the network so that
> when they reach the limit, maybe their account can be temporarily disabled,
> and when it is enabled again they will be billed accordingly. Also they have
> printing quotas.
> So my idea is:
> There is a server for centralized authentication.
> They have to ssh first to the login time tracking server. There I will
> use acct to account the login times.
> After they ssh, they will be given the GNOME WM for their things to do.
> The ssh connection must be persistent until they log out of GNOME.
> Is this feasible? Or some alternatives?
> TIA
I'll show you how pam_radius works so that you will have an idea how to solve your problem. You need a RADIUS server for your centralized authentication and accounting needs, and you need pam_radius installed on the Linux host for authentication and accounting (as well as centralized password change). I downloaded FreeRADIUS (http://freeradius.org/), as this popular open-source RADIUS software has a pam_radius package along with it (http://freeradius.org/pam_radius_auth/). According to the FreeRADIUS author it was tested on Red Hat 4 and 5, so I downloaded Red Hat 3 for testing purposes, as well as to show you how it works.

Below is the debug log output of the RADIUS server. pam_radius is installed on a Linux host with IP address 1.0.0.1. At the console terminal, which uses the "login" program, I typed username "fooler" and password "testing" and it successfully authenticated. This is what the RADIUS server received from the pam_radius host.

RADIUS Access-Request:

    rad_recv: Access-Request packet from host 1.0.0.1 port 3113, id=108, length=75
            User-Name = "fooler"
            User-Password = "testing"
            NAS-IP-Address = 1.0.0.1
            NAS-Identifier = "login"
            NAS-Port = 2088
            NAS-Port-Type = Virtual
            Service-Type = Authenticate-Only

RADIUS Accounting-Request:

    rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113, id=73, length=73
            User-Name = "fooler"
            NAS-IP-Address = 1.0.0.1
            NAS-Identifier = "login"
            NAS-Port = 2088
            NAS-Port-Type = Virtual
            Acct-Status-Type = Start
            Acct-Session-Id = "00002088"
            Acct-Authentic = RADIUS

My Linux host's IP goes into the RADIUS attribute called "NAS-IP-Address". The accounting request started (Acct-Status-Type = Start) with session ID 2088 (Acct-Session-Id). The purpose of the session ID is that the same user can have multiple connections at the same time, differentiated by the session ID number; but you can control with your RADIUS server whether that user is allowed multiple connections or not, depending on your policy.

After I logged out, the pam_radius host sent another accounting request:

    rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113, id=127, length=79
            User-Name = "fooler"
            NAS-IP-Address = 1.0.0.1
            NAS-Identifier = "login"
            NAS-Port = 2088
            NAS-Port-Type = Virtual
            Acct-Status-Type = Stop
            Acct-Session-Id = "00002088"
            Acct-Authentic = RADIUS
            Acct-Session-Time = 76

This time the RADIUS attribute Acct-Status-Type is now Stop, meaning it ended its session (session ID 2088). The time the whole session consumed is registered in the RADIUS attribute Acct-Session-Time, which is 76 seconds.

Another example. Instead of logging in at the terminal console, I used an ssh client to remotely connect to the pam_radius host 1.0.0.1. Below is its RADIUS transaction as received by the RADIUS server:

    rad_recv: Access-Request packet from host 1.0.0.1 port 3500, id=54, length=85
            User-Name = "fooler"
            User-Password = "testing"
            NAS-IP-Address = 1.0.0.1
            NAS-Identifier = "sshd"
            NAS-Port = 2475
            NAS-Port-Type = Virtual
            Service-Type = Authenticate-Only

    rad_recv: Accounting-Request packet from host 1.0.0.1 port 3502, id=145, length=72
            User-Name = "fooler"
            NAS-IP-Address = 1.0.0.1
            NAS-Identifier = "sshd"
            NAS-Port = 2477
            NAS-Port-Type = Virtual
            Acct-Status-Type = Start
            Acct-Session-Id = "00002477"
            Acct-Authentic = RADIUS

    rad_recv: Accounting-Request packet from host 1.0.0.1 port 3502, id=142, length=78
            User-Name = "fooler"
            NAS-IP-Address = 1.0.0.1
            NAS-Identifier = "sshd"
            NAS-Port = 2477
            NAS-Port-Type = Virtual
            Acct-Status-Type = Stop
            Acct-Session-Id = "00002477"
            Acct-Authentic = RADIUS
            Acct-Session-Time = 129

Take note of NAS-Identifier: it shows "sshd". When I'm at the console terminal, its NAS-Identifier is "login". You mentioned GNOME; its gdm is PAM-aware. If I use GNOME, it will show as "gdm" in NAS-Identifier. In Red Hat (as well as other variants of Linux OSes), all PAM-aware applications reside in the /etc/pam.d directory. You will see there login, sshd, gdm, etc., but these PAM-aware applications are calling the system-wide file "/etc/pam.d/system-auth". I put these two lines in /etc/pam.d/system-auth:

    auth    sufficient /lib/security/pam_radius_auth.so
    session sufficient /lib/security/pam_radius_auth.so

The "auth" line is doing the authentication while the "session" line is doing the accounting. pam_radius_auth.so in the "auth" line must be before or just above the line of pam_unix.so in the auth group; pam_radius_auth.so in the "session" line must be before or just above the line of pam_unix.so in the session group. Because I put those two lines in the system-wide file, all PAM-aware applications in the /etc/pam.d directory call pam_radius_auth.so. If you want it for ssh only, move that from the system-wide file to the sshd file. Just make sure you turn off public key authentication and force password-based authentication, as I noticed during my testing that ssh is not using PAM session or accounting when public key authentication is being used. Because it's Red Hat 3 and its ssh package is an old version, perhaps a bug in ssh, I think.

FreeRADIUS is able to use any popular relational database and store all RADIUS transactions in that database. When the database receives an accounting Stop with a session time, deduct that from the remaining time. When the user tries to authenticate again, the RADIUS server queries that database; the database must return allowed or denied access based on the time remaining and/or extra logic like allowed days and times to log in. So there goes what solves your time-remaining problem.

For printing accounting, I haven't used "cups", but try to look at it to see if it fits your needs. Oh, by the way, cups is PAM-aware too.

For automatic logout when the time remaining goes to zero: although RADIUS has an attribute called "Session-Timeout", FreeRADIUS' PAM module didn't use that attribute. To solve automatic logout it needs a little creativity on your side, like for example: you know the username and time remaining from the database record; you need a customized timer application which, when its time expires, remotely logs in to that PAM host and kicks that user.

So I hope you have now a basic idea about pam_radius.

fooler

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph
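The reply above leaves the quota bookkeeping to "the database": pair each Accounting Start with its Stop, charge Acct-Session-Time against the user's remaining time, and answer the next Access-Request from what is left. The block below is an added example written for this page, not code from fooler's post or from FreeRADIUS. It parses the "rad_recv:" dumps in the format shown above, keys sessions on (NAS-IP-Address, Acct-Session-Id), charges a retransmitted Stop only once, and enforces a per-user concurrent-session limit as an example of the "multiple connections" policy the post mentions. The sample log is constructed from the dumps in the post and trimmed to the attributes the tracker reads; the quota values and the max_sessions policy are assumptions for illustration.

```python
# Added example, not code from the post or from FreeRADIUS: a small quota
# tracker fed by the "rad_recv:" dumps radiusd prints in debug mode. It pairs
# Accounting Start/Stop by (NAS-IP-Address, Acct-Session-Id), charges
# Acct-Session-Time against a per-user quota, ignores a retransmitted Stop,
# and decides Accept/Reject for the next Access-Request. Quota values and the
# max_sessions policy are assumptions chosen for illustration.
import re

PACKET_RE = re.compile(r"rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
ATTR_RE = re.compile(r"^\s*([\w-]+)\s*=\s*(.*?)\s*$")

# Constructed sample, modelled on the dumps in the post and trimmed to the
# attributes the tracker reads. The second Stop for 00002088 is a retransmit.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 1.0.0.1 port 3113, id=108, length=75
        User-Name = "fooler"
rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113, id=73, length=73
        User-Name = "fooler"
        NAS-IP-Address = 1.0.0.1
        Acct-Status-Type = Start
        Acct-Session-Id = "00002088"
rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113, id=127, length=79
        User-Name = "fooler"
        NAS-IP-Address = 1.0.0.1
        Acct-Status-Type = Stop
        Acct-Session-Id = "00002088"
        Acct-Session-Time = 76
rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113, id=127, length=79
        User-Name = "fooler"
        NAS-IP-Address = 1.0.0.1
        Acct-Status-Type = Stop
        Acct-Session-Id = "00002088"
        Acct-Session-Time = 76
rad_recv: Access-Request packet from host 1.0.0.1 port 3500, id=54, length=85
        User-Name = "fooler"
rad_recv: Accounting-Request packet from host 1.0.0.1 port 3502, id=145, length=72
        User-Name = "fooler"
        NAS-IP-Address = 1.0.0.1
        Acct-Status-Type = Start
        Acct-Session-Id = "00002477"
rad_recv: Accounting-Request packet from host 1.0.0.1 port 3502, id=142, length=78
        User-Name = "fooler"
        NAS-IP-Address = 1.0.0.1
        Acct-Status-Type = Stop
        Acct-Session-Id = "00002477"
        Acct-Session-Time = 129
rad_recv: Access-Request packet from host 1.0.0.1 port 3600, id=9, length=85
        User-Name = "fooler"
"""


def parse_debug_log(text):
    """Split radiusd -X output into packets: {"type", "host", "id", "attrs"}."""
    packets, cur = [], None
    for line in text.splitlines():
        m = PACKET_RE.match(line.strip())
        if m:
            cur = {"type": m.group(1), "host": m.group(2),
                   "id": int(m.group(3)), "attrs": {}}
            packets.append(cur)
        elif cur is not None and (m := ATTR_RE.match(line)):
            cur["attrs"][m.group(1)] = m.group(2).strip('"')
    return packets


class QuotaTracker:
    def __init__(self, quotas, max_sessions=1):
        self.remaining = dict(quotas)     # seconds left per user
        self.max_sessions = max_sessions  # concurrent logins allowed per user
        self.open = {}                    # (nas_ip, session_id) -> user
        self.closed = set()               # sessions already charged
        self.verdicts = []                # one entry per Access-Request

    def handle(self, pkt):
        a, user = pkt["attrs"], pkt["attrs"].get("User-Name")
        if pkt["type"] == "Access-Request":
            active = sum(1 for u in self.open.values() if u == user)
            ok = self.remaining.get(user, 0) > 0 and active < self.max_sessions
            self.verdicts.append("Access-Accept" if ok else "Access-Reject")
            return self.verdicts[-1]
        if pkt["type"] != "Accounting-Request":
            return None
        key = (a.get("NAS-IP-Address", pkt["host"]), a.get("Acct-Session-Id"))
        status = a.get("Acct-Status-Type")
        if status == "Start":
            self.open[key] = user
        elif status == "Stop" and key not in self.closed:  # charge a Stop once
            self.closed.add(key)
            u = self.open.pop(key, user)  # Stop with no Start seen: still charge
            used = int(a.get("Acct-Session-Time", 0))
            self.remaining[u] = max(0, self.remaining.get(u, 0) - used)
        return "Accounting-Response"


def run_quota(log_text, quotas, max_sessions=1):
    tracker = QuotaTracker(quotas, max_sessions)
    for pkt in parse_debug_log(log_text):
        tracker.handle(pkt)
    return tracker
```

With a 200-second quota for "fooler", replaying the sample gives Accept for the console login, Accept for the ssh login (124 seconds left after the 76-second console session), and Reject for the third attempt once the 129-second ssh session has drained the quota to zero; the retransmitted Stop is not charged a second time. Two caveats a deployment should not skip: Acct-Session-Id is only unique per NAS until it reboots and restarts its counter, so a real database key should also include NAS-Port or a start timestamp; and the Access-Request dumps in the post print User-Password in the clear, so radiusd debug output has to be treated as sensitive.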

