Re: PAM.d Syntax for Radius Auth
From: Systems Administrator (sysadmin@sunet.com.au)
Date: 04/16/03
- Previous message: Dave Wells: "PAM.d Syntax for Radius Auth"
- In reply to: Dave Wells: "PAM.d Syntax for Radius Auth"
From: "Systems Administrator" <sysadmin@sunet.com.au>
To: "Dave Wells" <dave.wells@foreshore.net>, <focus-linux@securityfocus.com>
Date: Wed, 16 Apr 2003 09:33:36 +1000
> We can get it to work with both RADIUS and Local passwords at once using
> the "Sufficient" argument in the conf for pam_radius.so and to not drop
> back using the "Required" argument, but we wish for the PAM to be able
> to do this automatically. Please find pam.conf for SSH below:
>
> SSHD Pam Conf
>
> auth sufficient /lib/security/pam_radius_auth.so
> auth required /lib/security/pam_stack.so service=system-auth
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_stack.so service=system-auth
> session required /lib/security/pam_limits.so
> session optional /lib/security/pam_console.so
>
> I have just read about the new syntax for PAM using Result=xAction=x
> syntax; does anyone have any experience of implementing this?
If there's no better solution, I'd be doing it as follows:
1. Generate pam.conf from a template; I use a perl Text::Template solution, but it may be possible with m4 or gcc -E or another text processing language
2. Put code in the template to ping the RADIUS server (or even better, to try multiple connects to the appropriate UDP port(s))
3. Generate the template based on whether the server is up
4. Make a cron job that runs the template conversion script every 5 minutes or so
Not pretty, but it does what you want if you can stand a 5-minute
changeover.
I understand multiple RADIUS servers are possible, although I haven't
actually tried this myself. But that might do what you want.
Or, if you want a really big job, you could switch to cfengine
(http://www.gnu.org/software/cfengine/cfengine.html). Yes, I realise that
last is not a real solution :).
Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: sysadmin@sunet.com.au
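The four-step cron approach above, written out as an added example. This is a constructed Python script, not Tim Nelson's Perl Text::Template setup and not part of the original thread; the RADIUS hostname, the auth ports tried and the target path /etc/pam.d/sshd are assumptions. It embeds the sshd stack Dave posted as the template, makes the pam_radius_auth line conditional on the probe, and writes the result atomically so sshd can never read a half-written PAM stack while the file is being replaced.

```python
#!/usr/bin/env python3
"""Regenerate the sshd PAM stack depending on whether the RADIUS server answers.

Constructed example of the four steps in the reply above (not the author's
Perl script).  Intended to run from cron, e.g. every 5 minutes:
    */5 * * * * /usr/local/sbin/regen-sshd-pam
"""
import os
import socket
import subprocess
import tempfile

RADIUS_HOST = "radius.example.com"   # assumed hostname; replace for your site
RADIUS_PORTS = (1812, 1645)          # RADIUS auth ports to try (RFC 2865 and legacy)
PAM_FILE = "/etc/pam.d/sshd"         # assumed target; the thread shows pam.conf-style lines

# Step 1: the stack from the original post as a template.  {radius_line} is
# filled only when the RADIUS server is reachable, otherwise the stack is
# local-only (pam_stack -> system-auth).
TEMPLATE = """\
{radius_line}auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
"""
RADIUS_LINE = "auth sufficient /lib/security/pam_radius_auth.so\n"


def icmp_ping(host, timeout=2):
    """Step 2a: plain ICMP ping through the system ping binary."""
    try:
        rc = subprocess.run(["ping", "-c", "1", "-W", str(timeout), host],
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL).returncode
    except OSError:          # ping not installed or not executable
        return False
    return rc == 0


def udp_port_refused(host, port, timeout=2):
    """Step 2b: send one datagram to a RADIUS auth port.  Returns True only
    when the kernel reports ICMP port-unreachable (host up, nothing listening).
    A RADIUS daemon silently discards packets from unknown clients, so a
    timeout proves nothing and is treated as 'not refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        s.send(b"\x00")       # too short to be RADIUS; the server just drops it
        s.recv(1)
    except ConnectionRefusedError:
        return True
    except OSError:           # timeout, DNS failure, no route: inconclusive
        return False
    finally:
        s.close()
    return False


def radius_reachable(host=RADIUS_HOST, ports=RADIUS_PORTS):
    """Step 2: up if the host answers ping and no auth port is refused."""
    if not icmp_ping(host):
        return False
    return not any(udp_port_refused(host, p) for p in ports)


def render(radius_up):
    """Step 3: fill the template according to the probe result."""
    return TEMPLATE.format(radius_line=RADIUS_LINE if radius_up else "")


def install(path, content):
    """Write the stack atomically: temp file in the same directory, then
    rename over the target.  Returns True if the file actually changed, so
    the cron job does nothing (and logs nothing) while the state is stable."""
    try:
        with open(path) as f:
            if f.read() == content:
                return False
    except FileNotFoundError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".pam-")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o644)      # PAM config must be world-readable, never writable
    os.replace(tmp, path)
    return True


if __name__ == "__main__":
    # Step 4: this is the body the cron job runs every 5 minutes.
    up = radius_reachable()
    if install(PAM_FILE, render(up)):
        print("sshd PAM stack regenerated; RADIUS", "up" if up else "down")
```

The probe is deliberately conservative: the only positive evidence that the RADIUS service is gone is an ICMP port-unreachable, because a healthy RADIUS server gives no reply at all to a datagram from an unregistered client. The atomic rename and the "only write when changed" check are the parts worth keeping whatever templating tool is used, since a truncated or missing sshd PAM file means nobody can log in until the next cron run.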