
Re: Pam and radius

On Fri, 28 Feb 1997, Mark Lillywhite wrote:

> Hi,
> > Central RADIUS server, it has a full password+shadow file. The passwd
> > file can then be rdist (or whatever) to the client machines. Have client
> > programs, login, pop3d, ftpd, etc check (via PAM through RADIUS) to the
> > central server.
> Part of the reason I don't want to do this is that the distribution
> mechanism's security (or lack of it). I haven't used rdist but if it's
> based on the other r-protocols (rlogin, rexec, etc) forget it... anyway, if
> I have a 2500-user passwd file, I don't want to regenerate and transfer it
> every time someone makes a change on the server.
> I'd also like to not have the /etc/passwd file available at ALL, except
> perhaps for specific local logins such as 'root' etc. Giving a list of our
> users out is not something I consider to be a Good Thing, and we have
> multiple servers with different user populations but non-unique UIDs which
> I'd like to have central control over. (Long story there!)

I don't see why you would have to distribute the password file at all to a
remote machine. RADIUS is for remote authentication.. IE..

If the user attempts to log in, verify their ability to do so by querying
a remote server.

Using a "group" system, you could then make pam_radius look at the group
file to determine whether the user is allowed into that specific server or

> I don't think PAM cuts it as far as my requirements go (and I was so
> excited when I first found out about it!)... but I intend to look at this
> pwdb stuff which if it's abstract enough I might be able to convert to look
> up the database directly.

      President of New Age Consulting Service, Inc.  Cleveland Ohio
             SLIP/PPP/Unix Shell   28.8k / ISDN / Leased Line
           http://www.nacs.net   info@nacs.net   (216)-524-8414
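
The per-server group check suggested in the reply above, as an added example that is not part of the original message and is not pam_radius code. It assumes the remote RADIUS answer is already available as a boolean and that the local file uses the group(5) layout; the function names and the sample file are hypothetical and constructed.

```python
"""Added example: combine a RADIUS result with a local group-file check."""

# Constructed sample in group(5) format: name:passwd:gid:member,member,...
SAMPLE_GROUP_FILE = """\
# constructed sample, not from the original post
shellusers:x:500:alice,bob
popusers:x:501:carol, dave
broken-line-without-fields
empty:x:502:
"""


def group_members(group_text, group_name):
    """Return the member set of group_name, or None if the group is absent."""
    for raw in group_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed entry: skip it rather than guess its meaning
        name, _passwd, _gid, members = fields
        if name == group_name:
            # Exact names only, so "ali" never matches "alice".
            return {m.strip() for m in members.split(",") if m.strip()}
    return None


def may_log_in(user, radius_accepted, group_text, required_group):
    """Allow a login only if RADIUS accepted the user AND the user is
    listed in the group this server requires.

    radius_accepted is assumed to be the outcome of the remote query
    (True for Access-Accept); no RADIUS traffic is generated here.
    """
    if not radius_accepted:
        return False
    members = group_members(group_text, required_group)
    if members is None:
        return False  # fail closed: an absent group admits nobody
    return user in members


if __name__ == "__main__":
    for who in ("alice", "carol"):
        print(who, may_log_in(who, True, SAMPLE_GROUP_FILE, "shellusers"))
```

Only the group file has to exist on each server; the usernames it lists do not need local passwd entries for this lookup, since membership is matched by name.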
