
Re: Pam and radius



I find it extremely interesting that this subject comes up now.

About 10 hours ago, one of our dialup systems switched over to
a new system which uses PAM+Radius for all user auth. This box
serves something around 10K users or so at the moment, and has
a 31 line passwd file (systems, and sysadmins, for ssh access). 
The radiusd code on the radius servers looks in a big berkeley 
DB file for each realm, which is generated from a Real Database 
Package. No icky flat files. This is goood.

We're passing UIDs and GIDs around as radius attributes. 

Currently, the IETF-Radius WG explicitly excludes discussion of
non-terminal server applications for radius. I'm not sure why
this is, as it's definitely useful in this case.

Yes, so is Kerberos, but using radius leverages off our existing 
installed base of authentication servers.

The system has been in full "hurt me lots" production since 7.30am
so far and is performing brilliantly.

The lack of a 'username->uid' lookup is a tad annoying, but not 
really. I just do a pam_setcred() (which goes into radius) to set
the uid to the user, and compare the uid of whatever I'm checking
against my current uid.

Anthony


