Radius as Single Sign On

The current goal on the client side is to first perform a secure network authentication via PEAP; user authentication can then be carried out by a PAM module.

As soon as a stable VPN exists between the different sites, a single central RADIUS server that performs the authentication is sufficient, so that only one central password file has to exist and be maintained.

Furthermore, all server services such as ftp, ssh, apache, VPN and samba are also connected to the RADIUS server, so no separate password files are needed for them either.

The central RADIUS server (and a separate directory server, if one exists) must be specially hardened and must under no circumstances be directly reachable from outside.

Status

^ Service ^ Status ^ Comments ^
| ssh | works | user must exist in /etc/passwd, the shadow entry can be disabled |
| proftp | works | passive mode off! |
| GDM | works | |
| KDM | works | |
| apache2 | htaccess error | RADIUS returns OK but apache does not recognise it correctly; see HowTo-01, HowTo-02 and the mod-auth-xradius web page |
| VPN | works | with m0n0wall/pptp |
| local login | works | users with a complete shadow entry can still log in when the RADIUS server is down (intended for root) |
| samba | untested | |
| WLAN | works | 802.1x with WPA2 and PEAP, Linksys WLAN router running DD-WRT |
| Wired-LAN | untested | 802.1x with PEAP, Enterasys switch |
| chsh (change shell) | works | |
| chfn (change full name) | works | |
| Horde | untested | groupware solution with PAM integration |
| kscreensaver | works | KDE screensaver login |
| xscreensaver | works | X screensaver login |

Implementation

Server

The RADIUS server runs under daemontools, which restarts it after a crash.

freeradius -v:

freeradius: FreeRADIUS Version 1.1.4, for host i386-pc-linux-gnu, built on Feb 16 2007 at 21:35:11
Copyright (C) 2000-2006 The FreeRADIUS server project.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
For more information about these matters, see the file named COPYRIGHT.

/etc/freeradius/clients.conf (note that every NAS below uses the same shared secret; a per-client secret is preferable, since a compromised NAS would otherwise expose the secret used by all the others):

#localhost
client 127.0.0.1 {
        secret          = %m1k3_s3cr3t%
        shortname       = localhost
        nastype         = other # localhost isn't usually a NAS...
        }

#nagios-NAS
client 192.168.2.15 {
        secret          = %m1k3_s3cr3t%
        shortname       = m1k3_nagios
        nastype         = other
        }

#VPN-GW
client 192.168.2.10 {
        secret          = %m1k3_s3cr3t%
        shortname       = m1k3_VPN
        nastype         = other
        }

#linksys-NAS
client 192.168.2.2 {
        secret          = %m1k3_s3cr3t%
        shortname       = m1k3_wlan
        nastype         = other
        }

#enterasys-NAS
client 192.168.2.3 {
        secret          = %m1k3_s3cr3t%
        shortname       = m1k3_enterasys
        nastype         = rfc2865       # Filter-ID is specified in dictionary.rfc2865
        }

Connecting a Mac OS X machine (client only) to an existing RADIUS system

Connecting a Linux machine (client only) to an existing RADIUS system

apt-cache search radius | grep pam
libpam-radius-auth - The PAM RADIUS authentication module

apt-get install libpam-radius-auth

The following line must be added to /etc/pam_radius_auth.conf (the file contains the shared secret, so it must be readable by root only, e.g. mode 0600):

# server[:port] shared_secret      timeout (s)
192.168.2.12:1812  %m1k3_s3cr3t%             2
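The shared secret configured in clients.conf on the server and in pam_radius_auth.conf on the client is the only thing that ties the two sides together: it hides the PAP password in the Access-Request and keys the Response Authenticator of the reply. The following is an added example (not code from the page, FreeRADIUS or pam_radius_auth) that builds that exchange as RFC 2865 specifies it; the user name, password, NAS address and the fixed Request Authenticator are constructed sample values, and the reuse of the page's secret is only for illustration.

```python
"""RFC 2865 Access-Request/Access-Accept exchange between a NAS (here the
pam_radius_auth client) and the RADIUS server, reduced to the parts that
involve the shared secret: PAP password hiding and the Response
Authenticator.  All sample values are constructed for this example."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SECRET = b"%m1k3_s3cr3t%"   # the secret from the page's clients.conf (example only)


def hide_pap_password(password, secret, request_auth):
    """RFC 2865 5.2: NUL-pad to 16-octet blocks and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed by the secret, not encryption: whoever sniffs
    the packet and knows the secret recovers the password."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_pap_password(hidden, secret, request_auth):
    """Server-side inverse of hide_pap_password; strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value attribute; Length includes the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attrs):
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def build_access_request(identifier, request_auth, username, password, secret, nas_ip):
    """What the NAS sends.  request_auth is normally 16 random octets chosen
    by the client; it is a parameter here so the exchange is reproducible."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_pap_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, identifier, request_auth, attrs)


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def parse_packet(packet):
    """Return (code, identifier, authenticator, {type: value}); rejects packets
    whose Length field or attribute lengths do not fit the buffer."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("bad attribute length")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def server_handle(request, secret, users):
    """Minimal server: recover the PAP password and answer Accept or Reject.
    users maps User-Name to the expected password (constructed sample data)."""
    code, identifier, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        raise ValueError("not a PAP Access-Request")
    given = reveal_pap_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    expected = users.get(attrs[ATTR_USER_NAME])
    reply = ACCESS_ACCEPT if expected is not None and hmac.compare_digest(expected, given) else ACCESS_REJECT
    return build_packet(reply, identifier, response_authenticator(reply, identifier, b"", request_auth, secret), b"")


def verify_response(response, identifier, request_auth, secret):
    """Client side: accept a reply only if its Identifier matches our request
    and its Response Authenticator was computed with our secret."""
    code, reply_id, authenticator, _ = parse_packet(response)
    if reply_id != identifier:
        return False
    expected = response_authenticator(code, reply_id, response[20:], request_auth, secret)
    return hmac.compare_digest(authenticator, expected)


if __name__ == "__main__":
    import os
    req_auth = os.urandom(16)
    req = build_access_request(42, req_auth, b"micmes", b"geheim", SECRET, "192.168.2.10")
    reply = server_handle(req, SECRET, {b"micmes": b"geheim"})
    print("accept" if parse_packet(reply)[0] == ACCESS_ACCEPT else "reject",
          "valid" if verify_response(reply, 42, req_auth, SECRET) else "INVALID")
```

Two things the code makes concrete: a client configured with a different secret than the server does not get a "wrong secret" error, it simply gets Access-Reject (the server decodes garbage) or discards the reply as unverifiable; and the password hiding is only MD5-keyed XOR, which is why RADIUS traffic between NAS and server belongs on a trusted network and the server must not be reachable from outside, as stated above.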

According to the documentation this file is also needed as /etc/raddb/server! I don't see any direct point in it, but create it anyway to be safe!

Passwords are no longer needed locally; the group files and /etc/passwd are still required. It is therefore possible to block logins via the shadow file:

/etc/passwd:
micmes:x:1000:1000:m1k3,,,:/home/micmes:/bin/bash

/etc/shadow:
micmes:!:13455:0:99999:7:::

Everything at once

/etc/pam.d/common-auth:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
#auth   required  pam_unix.so nullok_secure
auth    sufficient      pam_radius_auth.so      debug

Individual services

User authentication for ssh access, for local login (with fallback) and for su is performed by the external RADIUS server. Only the local login keeps the fallback: in /etc/pam.d/login the pam_radius_auth line is followed by @include common-auth, so this variant assumes common-auth still contains its default pam_unix line (unlike the "everything at once" variant above, which replaces it); ssh and su have the common-* includes commented out and therefore depend entirely on the RADIUS server being reachable.

/etc/pam.d/ssh:

# PAM configuration for the Secure Shell service

# Disallow non-root logins when /etc/nologin exists.
auth       required     pam_nologin.so

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]

auth    sufficient      pam_radius_auth.so      debug

# Standard Un*x authentication.
#@include common-auth

# Standard Un*x authorization.
#@include common-account

# Standard Un*x session setup and teardown.
#@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Standard Un*x password updating.
@include common-password

/etc/pam.d/login:

#
# The PAM configuration file for the Shadow `login' service
#
# NOTE: If you use a session module (such as kerberos or NIS+)
# that retains persistent credentials (like key caches, etc), you
# need to enable the `CLOSE_SESSIONS' option in /etc/login.defs
# in order for login to stay around until after logout to call
# pam_close_session() and cleanup.
#

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth       required   pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth       requisite  pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth       requisite  pam_nologin.so

# This module parses /etc/environment (the standard for setting
# environ vars) and also allows you to use an extended config
# file /etc/security/pam_env.conf.
# (Replaces the `ENVIRON_FILE' setting from login.defs)
auth       required   pam_env.so

#####RADIUS#####
auth    sufficient      pam_radius_auth.so      debug

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please uncomment and edit /etc/security/group.conf if you
# wish to use this.
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
# auth       optional   pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account  required       pam_access.so

# Standard Un*x account and session
@include common-account
@include common-session

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
# session    required   pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session    optional   pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session    optional   pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs). You
# can also enable a MAIL environment variable from here, but it
# is better handled by /etc/login.defs, since userdel also uses
# it to make sure that removing a user, also removes their mail
# spool file.
session    optional   pam_mail.so standard noenv
@include common-password

/etc/pam.d/su:

#
# The PAM configuration file for the Shadow `su' service
#

# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo" to
# to the end of this line if you want to use a group other
# than the default "root".
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

# This allows root to su without passwords (normal operation)
auth       sufficient pam_rootok.so

auth    sufficient      pam_radius_auth.so debug

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on su usage.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account    requisite  pam_time.so

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
#@include common-auth
#@include common-account
#@include common-session

# Sets up user limits, please uncomment and read /etc/security/limits.conf
# to enable this functionality.
# (Replaces the use of /etc/limits in old login)
#session    required   pam_limits.so
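To check how the control flags in these stacks behave when the RADIUS server is unreachable, here is a small evaluator that implements the Linux-PAM rules for required, requisite, sufficient and optional and runs them over the login stack above and over the "everything at once" common-auth variant. It is an added example, not part of the page or of Linux-PAM; module results are simulated (PAM_AUTHINFO_UNAVAIL for an unreachable server, PAM_AUTH_ERR for a locked shadow entry), and the login stack assumes common-auth still contains Debian's default pam_unix line.

```python
"""Linux-PAM control-flag evaluation for the auth stacks on this page.
Module return codes are simulated so the fallback behaviour can be checked
offline; the stacks are copied from the page (comments included)."""
PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"                  # e.g. pam_unix: locked or wrong password
PAM_AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"  # e.g. pam_radius_auth: server unreachable
PAM_PERM_DENIED = "PAM_PERM_DENIED"            # Linux-PAM's result when no module decided


def parse_stack(text):
    """Keep 'auth <control> <module> [args]' lines; '#' comments and other
    module types are skipped, as in the files above."""
    stack = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append((parts[1], parts[2]))
    return stack


def run_auth_stack(stack, results):
    """Evaluate the stack: required remembers the first failure but keeps
    going, requisite returns at once on failure, sufficient returns success
    only if nothing required has failed before it, optional never decides
    unless it is the only module.  Modules not in `results` succeed."""
    impression = None          # None, "positive" or "negative"
    status = PAM_PERM_DENIED   # returned when no module ever decides
    for control, module in stack:
        rc = results.get(module, PAM_SUCCESS)
        if control == "requisite":
            if rc != PAM_SUCCESS:
                return rc
            if impression is None:
                impression, status = "positive", rc
        elif control == "required":
            if rc != PAM_SUCCESS:
                if impression != "negative":
                    impression, status = "negative", rc
            elif impression is None:
                impression, status = "positive", rc
        elif control == "sufficient":
            if rc == PAM_SUCCESS and impression != "negative":
                return PAM_SUCCESS
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if rc == PAM_SUCCESS and impression is None:
                impression, status = "positive", rc
        else:
            raise ValueError("unsupported control flag: " + control)
    return status


# /etc/pam.d/login from the page with @include common-auth expanded to the
# Debian default line (assumed; the page's own common-auth comments it out).
LOGIN_STACK = parse_stack("""
auth       requisite  pam_securetty.so
auth       requisite  pam_nologin.so
auth       required   pam_env.so
auth    sufficient      pam_radius_auth.so      debug
auth   required  pam_unix.so nullok_secure
""")

# The "everything at once" common-auth from the page: pam_unix commented out.
COMMON_AUTH_ONLY = parse_stack("""
#auth   required  pam_unix.so nullok_secure
auth    sufficient      pam_radius_auth.so      debug
""")


def login_result(radius_rc, unix_rc):
    return run_auth_stack(LOGIN_STACK, {"pam_radius_auth.so": radius_rc, "pam_unix.so": unix_rc})


def common_only_result(radius_rc, unix_rc):
    return run_auth_stack(COMMON_AUTH_ONLY, {"pam_radius_auth.so": radius_rc, "pam_unix.so": unix_rc})


if __name__ == "__main__":
    print("login, RADIUS down, root has shadow entry:", login_result(PAM_AUTHINFO_UNAVAIL, PAM_SUCCESS))
    print("common-auth only, RADIUS down, shadow entry:", common_only_result(PAM_AUTHINFO_UNAVAIL, PAM_SUCCESS))
```

The second print shows the cost of the "everything at once" variant: with pam_unix removed from common-auth, an outage of the RADIUS server locks every service out, including root's console login, because the shadow file is never consulted; the login stack with its required pam_unix line after the sufficient pam_radius_auth line is what gives the fallback described in the status table.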

/etc/pam.d/GDM:


Connecting the firewall (m0n0wall)

 
howto/radiussinglesignon.txt · Last modified: 2008/05/24 17:05 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported