Pam-list Digest, Vol 41, Issue 3

Andreas Schindler schindler at az1.de
Fri Jul 6 07:03:04 UTC 2007


pam-list-request at redhat.com wrote:
> Subject:
> Remote user authentication
> From:
> Elias <dilu666 at gmail.com>
> Date:
> Thu, 5 Jul 2007 16:12:28 +0300
> To:
> pam-list at redhat.com
>
>
> Hi!
>
> I'm Elias and I'm new to this list.
>
> I would like to ask if there is a PAM module (or if anybody knows a
> method) that can allow a user to login into a Linux system after
> successful authentication by a remote server (e.g. RADIUS or TACACS+)
> without having an actual local account.
>
> Any help will be appreciated :)
>
> Cheers,
>
> ------------------------------------------------------------------------
>
> Subject:
> Re: Remote user authentication
> From:
> Kenneth Geisshirt <kenneth at geisshirt.dk>
> Date:
> Thu, 05 Jul 2007 15:47:54 +0200
> To:
> Pluggable Authentication Modules <pam-list at redhat.com>
>
>
> Quoting Elias <dilu666 at gmail.com>:
>
>> I would like to ask if there is a PAM module (or if anybody knows a
>> method) that can allow a user to login into a Linux system after
>> successful authentication by a remote server (e.g. RADIUS or TACACS+)
>> without having an actual local account.
>
> You should take a look at http://www.freeradius.org/pam_radius_auth/
>
> /kneth
>
Elias,

please remember that successfully authenticating isn't enough by itself to
log into a Linux machine.
What you need to establish a valid session is essentially:
    - uid
    - gid
    - default shell
    - home directory

All these things are provided e.g. by /etc/passwd and friends. The
interface to this data is provided via glibc and the name service switch
NSS (libnss modules).

A complete framework for 'foreign' login can be found in the SAMBA
suite. It consists of:
    - a PAM module (pam_winbind.so)
    - a NSS module (libnss_winbind.so)
    - the protocol daemon (winbindd)

When working with Microsoft ADS you may occasionally need in addition:
    - the name service daemon of the samba suite (nmbd)
    - local kerberos support (via MIT-kerberos or HEIMDAL libraries)
    - enter your Linux machine into the ADS via 'net join ...'

Please look at the man pages of winbindd on how to configure the framework.
I've done this successfully several times using Debian or Novell/SuSE.

TACACS+, though working fine with libpam_tacacs.so, doesn't provide any
NSS hooks anyway, so it cannot provide a full login framework.

RADIUS is widely configurable with respect to additional options, but as
far as I know, there is also no NSS module for (Free-)RADIUS available.

Regards
Andreas

-- 
Dr.-Ing. Andreas Schindler
 
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
 
Telefon 06103-57187-21
Telefax 06103-373245
 
schindler at az1.de
www.az1.de

Alpha Zero One Computersysteme GmbH, Brandeniusstr. 3, 44265 Dortmund
HRB 11089 Amtsgericht Dortmund, Geschäftsführer : Klaus-Jürgen Koke, Joachim Carle 
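An added check (example code written for this archive page, not part of the thread or of the Samba or FreeRADIUS projects) that demonstrates Andreas' point: before trusting a remote-auth PAM module, confirm that NSS can actually resolve the user to a uid, gid, home directory and shell. It assumes a glibc system with `getent` and a standard passwd(5) line format; the sample entries in the test are constructed.

```shell
#!/bin/sh
# Validate one passwd(5)-format line: name:passwd:uid:gid:gecos:home:shell
# Returns 0 if every field a login session needs is present and sane,
# 1 otherwise. This is the identity data PAM alone never supplies.
check_passwd_entry() {
    entry=$1
    old_ifs=$IFS
    IFS=:            # split on ':' only; spaces in the GECOS field survive
    set -f           # no globbing while the fields are expanded
    set -- $entry
    set +f
    IFS=$old_ifs
    name=$1; uid=$3; gid=$4; home=$6; shell=$7
    [ -n "$name" ] || return 1
    case $uid in ''|*[!0-9]*) return 1 ;; esac      # uid must be numeric
    case $gid in ''|*[!0-9]*) return 1 ;; esac      # gid must be numeric
    case $home in /*) ;; *) return 1 ;; esac        # absolute home path
    case $shell in /*) ;; *) return 1 ;; esac       # absolute shell path
    [ -x "$shell" ] || echo "note: shell $shell is not executable here" >&2
    return 0
}

# Ask NSS (nsswitch.conf sources such as files, winbind, ...) for the user.
# An empty answer means no NSS module knows this account, so a login would
# fail even after a successful remote authentication through PAM.
check_login_user() {
    user=$1
    entry=$(getent passwd "$user") || entry=
    if [ -z "$entry" ]; then
        echo "$user: not resolvable via NSS (check /etc/nsswitch.conf)" >&2
        return 1
    fi
    check_passwd_entry "$entry" || {
        echo "$user: NSS entry is incomplete: $entry" >&2
        return 1
    }
    echo "$user: ok -> $entry"
}

# Usage: ./check_login.sh USER   (exit status 0 only if a session is possible)
if [ -n "$1" ]; then
    check_login_user "$1"
fi
```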
