Simple Radius authentication

libpam-radius-auth should work exactly as you need. I use it in this capacity with no problems. You just need to

  • Configure it in /etc/pam.d somewhere, probably common-auth.
  • Configure the RADIUS server in /etc/raddb/server

However, they can't authenticate if they aren't local users.

Yes, that's true. Users must exist in the first place.

It sounds like you are dealing with a different problem than authentication here. Keep in mind the difference between these two subsystems:

  • NSS (name service switch): implements the database of users (and groups, and hosts, etc...). This supports queries to list users and get their properties such as name, uid, home directory, and shell. The most common NSS backend is "files", which gets user information from /etc/passwd, but you can use many other backends that get information from DB files, from LDAP, and so on.
  • PAM (pluggable authentication modules): implements authentication (and accounting and password changes). This system uses pluggable modules which check a user's authentication and allow or disallow logins. The most common PAM backend is "files", which asks the user for a simple password and checks it against a hash in /etc/shadow, but you can use many other backends that query services like RADIUS, one-time password systems, Kerberos, and so on.

It sounds like you are doing authentication (PAM) with RADIUS but you would also like to use something network-based for the user database (NSS) itself. That's a completely different question, not related to authentication.

You can't use RADIUS as a database backend because the RADIUS protocol does not provide database functionality. That is, it doesn't allow you to query users for details like uid, home directory, and shell, much less to enumerate users in the database. Hence there does not exist a RADIUS NSS backend (hypothetical libnss-radius).

For a network-based database of users, you can use LDAP, or maybe MySQL or Postgres. LDAP is probably the best recommendation.
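The NSS-before-PAM ordering described in this answer can be checked from a shell. The script below is an added example, not part of the original answer or of libpam-radius-auth: it assumes the Debian/Ubuntu path /etc/pam.d/common-auth and the pam_radius_auth server file /etc/raddb/server (both overridable), and reports which of the two layers would reject a given login.

```sh
#!/bin/sh
# Diagnose the "sshd: Invalid user ... [preauth]" symptom from the question:
# sshd resolves the account through NSS before PAM runs, so a RADIUS-only
# user unknown to every NSS backend is rejected before pam_radius_auth is
# ever consulted. Paths below are assumptions, overridable by environment.

PAM_FILE="${PAM_FILE:-/etc/pam.d/common-auth}"   # assumed Debian/Ubuntu path
RADIUS_CONF="${RADIUS_CONF:-/etc/raddb/server}"  # pam_radius_auth server list

# NSS step: does any configured backend (files, ldap, ...) know this user?
nss_user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# PAM step: is pam_radius_auth.so referenced on an uncommented auth line?
pam_has_radius() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_radius_auth\.so' "$1" 2>/dev/null
}

# Report the layer at which an SSH login for "$1" would fail.
# Prints one of: NO_NSS_ENTRY, NO_RADIUS_IN_PAM, OK
diagnose_login() {
    if ! nss_user_exists "$1"; then
        echo NO_NSS_ENTRY          # the "Invalid user" case: fix NSS, not PAM
    elif ! pam_has_radius "$PAM_FILE"; then
        echo NO_RADIUS_IN_PAM      # user resolves, but PAM never asks RADIUS
    else
        echo OK
    fi
}

# What the two files look like (constructed sample values, not real secrets):
#   /etc/pam.d/common-auth:   auth sufficient pam_radius_auth.so
#   /etc/raddb/server:        192.0.2.10 shared_secret 3
# Fields in the server file: server[:port], shared secret, timeout in seconds.
# The file holds the shared secret, so keep it readable by root only.

if [ -n "$1" ]; then
    diagnose_login "$1"
fi
```

Run it as `sh diagnose.sh testacc`; NO_NSS_ENTRY means the account must be added to an NSS backend (LDAP, local files) before RADIUS authentication can even be attempted.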

Author: Sebbeleu

Updated on September 18, 2022

Comments

  • Sebbeleu
    Sebbeleu over 1 year

    I'm looking into using Radius as an authentication server for a few Ubuntu servers when accessing through SSH. I have tried using libpam-radius-auth but it doesn't work quite as I need.

    My goal is to have a solution similar to Cisco devices using TACACS/Radius as Authentication. However, they can't authenticate if they aren't local users.

    sshd[3200]: Invalid user testacc from 198.18.18.22

    sshd[3200]: input_userauth_request: invalid user testacc [preauth]

    Solutions I have found are mounting home folders with NFS and/or setting up an LDAP service. Is there any simpler method of simply allowing a user to log in to a server through SSH, authenticating through Radius? I want to keep it as simple as possible.

  • Sebbeleu
    Sebbeleu almost 9 years
    Thank you for this excellent answer. NSS was a new term for me. I will consider using LDAP for solving my problem.