Re: Pam-list Digest, Vol 41, Issue 3

pam-list-request@xxxxxxxxxx wrote:
Send Pam-list mailing list submissions to
	pam-list@xxxxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
	https://www.redhat.com/mailman/listinfo/pam-list
or, via email, send a message with subject or body 'help' to
	pam-list-request@xxxxxxxxxx

You can reach the person managing the list at
	pam-list-owner@xxxxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Pam-list digest..."
  

Today's Topics:

   1. Remote user authentication (Elias)
   2. Re: Remote user authentication (Kenneth Geisshirt)



Subject:
Remote user authentication
From:
Elias <dilu666@xxxxxxxxx>
Date:
Thu, 5 Jul 2007 16:12:28 +0300
To:
pam-list@xxxxxxxxxx

Hi!

I'm Elias and I'm new to this list.

I would like to ask if there is a PAM module (or if anybody knows a method) that
can allow a user to login into a Linux system after successful authentication by
a remote server (e.g. RADIUS or TACACS+) without having an actual local account.

Any help will be appreciated :)

Cheers,



Subject:
Re: Remote user authentication
From:
Kenneth Geisshirt <kenneth@xxxxxxxxxxxx>
Date:
Thu, 05 Jul 2007 15:47:54 +0200
To:
Pluggable Authentication Modules <pam-list@xxxxxxxxxx>

Quoting Elias <dilu666@xxxxxxxxx>:

I would like to ask if there is a PAM module (or if anybody knows a method) that
can allow a user to login into a Linux system after successful authentication by
a remote server (e.g. RADIUS or TACACS+) without having an actual local account.

You should take a look at http://www.freeradius.org/pam_radius_auth/

/kneth

Elias,

Please remember that successful authentication alone isn't enough to log into a Linux machine.
What you need to establish a valid session is essentially:
    - uid
    - gid
    - default shell
    - home directory

All these things are provided, e.g., by /etc/passwd and friends. The interface to this data
is done via glibc and the Name Service Switch, NSS (libnss modules).

A complete framework for 'foreign' login can be found in the SAMBA suite. It consists of
    - a PAM module (pam_winbind.so)
    - a NSS module (libnss_winbind.so)
    - the protocol daemon (winbindd)

When working with Microsoft ADS you may occasionally need in addition:
    - the name service daemon of the Samba suite (nmbd)
    - local Kerberos support (via MIT Kerberos or Heimdal libraries)
    - enter your Linux machine into the ADS via 'net join ...'

Please look at the man pages of winbindd on how to configure the framework.
I've done this successfully several times using Debian or Novell/SUSE.

TACACS+, though working fine with libpam_tacacs.so, doesn't provide any NSS hooks
anyway, so it cannot provide a full login framework.

RADIUS is widely configurable with respect to additional options, but as far as I know, there
is also no NSS module for (Free-)RADIUS available.

Regards
Andreas

-- 
Dr.-Ing. Andreas Schindler
 
Alpha Zero One Computersysteme GmbH
Frankfurter Str. 141
63303 Dreieich
 
Telefon 06103-57187-21
Telefax 06103-373245
 
schindler@xxxxxx
www.az1.de

Alpha Zero One Computersysteme GmbH, Brandeniusstr. 3, 44265 Dortmund
HRB 11089 Amtsgericht Dortmund, Geschäftsführer : Klaus-Jürgen Koke, Joachim Carle 
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
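
Added example, not part of the original message or of any project named in it: a check of the split described above, where PAM can accept a password but the uid, gid, shell and home directory must still come from NSS. The nsswitch.conf sample is constructed, and the account names in the demo are hypothetical.

```python
import os
import pwd
import re

# Constructed sample of /etc/nsswitch.conf on a host set up for winbind.
SAMPLE_NSSWITCH = """\
passwd:  files winbind   # local accounts first, then winbindd
group:   files winbind
shadow:  files
"""

def nss_sources(conf_text, database):
    """Return the ordered NSS sources configured for one database."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # strip comments
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            # Drop action items such as [NOTFOUND=return].
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def session_gaps(username, lookup=pwd.getpwnam):
    """List what is missing before `username` can get a login session.

    `lookup` defaults to pwd.getpwnam, which goes through glibc and NSS,
    so it sees exactly the sources listed on the passwd line.
    """
    try:
        entry = lookup(username)
    except KeyError:
        return ["no passwd entry via NSS: no uid, gid, shell or home directory"]
    gaps = []
    shell = entry.pw_shell or "/bin/sh"       # empty field means /bin/sh
    if not os.access(shell, os.X_OK):
        gaps.append(f"shell {shell!r} is missing or not executable")
    if not os.path.isdir(entry.pw_dir):
        gaps.append(f"home directory {entry.pw_dir!r} does not exist")
    return gaps

if __name__ == "__main__":
    print("passwd sources:", nss_sources(SAMPLE_NSSWITCH, "passwd"))
    # Hypothetical account names; replace with users from your own setup.
    for user in ("root", "remote-only-user"):
        print(user, "->", session_gaps(user) or "ready for a session")
```

A user known only to a RADIUS or TACACS+ server shows up here as having no passwd entry, even though the PAM authentication step would succeed.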
