Certificates and Authentication with PAM Radius

From: Sidibe Robert (Robert.Sidibe@kapsch.net)
Date: Mon Mar 05 2007 - 09:38:46 EST


Hi Sunmanagers !

The situation
-------------------
To get access to our servers, only ssh (with authentication against a
radius-server) is allowed.

Now there is the wish to allow special users not to be checked by the
radius-server, but by certificates.

Question:
--------------

Which of the PAM modules can check for certificates?
If there is one module capable of it, how can I configure PAM to first check
the certificate and, if the certificate is not OK, then authenticate against
the radius-server?

Does anyone have any experience or recommendations on how to solve the problem?

Many Thanks
and kind regards
Robert Sidibe

-----------------------------------------------------------------------------
Here's more info about the system, PAM modules and pam.conf:
-----------------------------------------------------------------------------
System:
------------
SunOS host -  5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-V440
Available PAM modules:
-----------------------------------
#
crypt_bsdbf.so.1        pam_dial_auth.so        pam_projects.so.1       pam_unix.so
crypt_bsdmd5.so.1       pam_dial_auth.so.1      pam_radius_auth.so      pam_unix.so.1
crypt_sunmd5.so.1       pam_krb5.so             pam_radius_auth.so.1    pam_unix_account.so
pam_authtok_check.so    pam_krb5.so.1           pam_rhosts_auth.so      pam_unix_account.so.1
pam_authtok_check.so.1  pam_krb5_migrate.so     pam_rhosts_auth.so.1    pam_unix_auth.so
pam_authtok_get.so      pam_krb5_migrate.so.1   pam_roles.so            pam_unix_auth.so.1
pam_authtok_get.so.1    pam_ldap.so             pam_roles.so.1          pam_unix_session.so
pam_authtok_store.so    pam_ldap.so.1           pam_sample.so           pam_unix_session.so.1
pam_authtok_store.so.1  pam_passwd_auth.so      pam_sample.so.1         sparcv9
pam_dhkeys.so           pam_passwd_auth.so.1    pam_smartcard.so
pam_dhkeys.so.1         pam_projects.so         pam_smartcard.so.1
#
Current pam.conf
-------------------------
# cat /etc/pam.conf
#
#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
#
# ==========================================================================I
#
#login   auth requisite          pam_authtok_get.so.1
#login   auth required           pam_dhkeys.so.1
#login   auth required           pam_unix_auth.so.1
#login   auth required           pam_dial_auth.so.1
#
# ==========================================================================I
#
# SSH via RADIUS is ALLOWED ====================================================
sshd     auth sufficient         pam_radius_auth.so.1     debug
#=============== SU is ALLOWED================================================
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1
#
# ===========================================================================I
#
# rlogin service (explicit because of pam_rhost_auth)
# RLOGIN DISABLED
#rlogin auth sufficient         pam_rhosts_auth.so.1
#rlogin auth requisite          pam_authtok_get.so.1
#rlogin auth required           pam_dhkeys.so.1
#rlogin auth required           pam_unix_auth.so.1
#==============================================================================
#
#
# RSH DISABLED
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
#rsh    auth sufficient         pam_rhosts_auth.so.1
#rsh    auth required           pam_unix_auth.so.1
#==============================================================================
#
# PPP service (explicit because of pam_dial_auth)
# PPP DISABLED
#ppp    auth requisite          pam_authtok_get.so.1
#ppp    auth required           pam_dhkeys.so.1
#ppp    auth required           pam_unix_auth.so.1
#ppp    auth required           pam_dial_auth.so.1
#
#
#
cron    auth requisite          pam_authtok_get.so.1
cron    auth required           pam_dhkeys.so.1
cron    auth required           pam_unix_auth.so.1
#==============================================================================
# OTHER - DISABLED
#==============================================================================
#other  auth requisite          pam_authtok_get.so.1
#other  auth required           pam_dhkeys.so.1
#other  auth required           pam_unix_auth.so.1
#==============================================================================
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass
#
=====================================================================
Robert Souleymane SIDIBE   |
System Engineering - Business Service Management |
Telefon +43 (0)50 811 5838 |  Mobil: +43 (0)664 628 5838
Fax  +43 (0)50 811 5838 | robert.sidibe@kapsch.net
Kapsch BusinessCom AG |  Wienerbergstraße 53  |  A-1120  Wien
www.kapschbusiness.com <http://www.kapschbusiness.com/>  | www.kapsch.net
Firmenbuch HG Wien FN 178368g  | Firmensitz Wien
Enabling effective real time business. Kapsch BusinessCom.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers


This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:41:43 EDT
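The ordering question in the post ("check the certificate first, and only if that is not OK fall back to RADIUS") is really a question about pam.conf control flags, so here is an added example, not from the original post and not Sun's code, that evaluates Solaris 9 pam.conf(4) auth stacks offline with the `required`, `requisite`, `sufficient` and `optional` semantics. Module outcomes are supplied as a dict, so no real PAM module is loaded; the module name `pam_cert.so.1` is hypothetical and only stands in for whatever certificate-checking module one might plug in. One caveat a practitioner would want before building such a stack: in OpenSSH-derived servers, public-key authentication is decided by sshd itself and PAM auth modules are only consulted for password or keyboard-interactive logins, so a PAM stack alone cannot make sshd check a certificate.

```python
"""Evaluate Solaris-style pam.conf auth stacks offline.

Added example (not from the original post or from Sun): a small
evaluator for the Solaris 9 pam.conf(4) control flags required,
requisite, sufficient and optional.  Module outcomes are supplied as a
dict, so no real PAM module is loaded; the module name pam_cert.so.1
below is hypothetical.
"""
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str, str]   # (service, module_type, control_flag, module)
FLAGS = ("required", "requisite", "sufficient", "optional")


def parse_pam_conf(text: str) -> List[Entry]:
    """Parse pam.conf into (service, type, flag, module) tuples.

    Lines starting with '#' and blank lines are skipped.  Anything else
    must have at least four fields with a known control flag; a stray
    separator line such as '=====' (what you get when a long comment is
    wrapped onto a new line) is reported instead of silently ignored.
    """
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] not in FLAGS:
            raise ValueError(f"pam.conf line {lineno}: malformed entry {raw!r}")
        entries.append((fields[0], fields[1], fields[2], fields[3]))
    return entries


def stack_for(entries: List[Entry], service: str, module_type: str) -> List[Entry]:
    """Return the stack for a service; Solaris falls back to 'other' if none."""
    stack = [e for e in entries if e[0] == service and e[1] == module_type]
    if not stack:
        stack = [e for e in entries if e[0] == "other" and e[1] == module_type]
    return stack


def evaluate(entries: List[Entry], service: str, module_type: str,
             results: Dict[str, bool]) -> bool:
    """Run a stack with the given per-module outcomes and return pass/fail.

    required:   failure is remembered, later modules still run
    requisite:  failure returns immediately
    sufficient: success returns immediately unless a required module
                already failed; failure is ignored
    optional:   ignored unless nothing else decides the result
    An empty stack (service and 'other' both undefined) fails closed.
    """
    required_failed = False
    any_success = False
    for _, _, flag, module in stack_for(entries, service, module_type):
        ok = results.get(module, False)        # unknown module: treat as failed
        if flag == "requisite" and not ok:
            return False
        if flag == "sufficient" and ok and not required_failed:
            return True
        if flag == "required" and not ok:
            required_failed = True
        if ok:
            any_success = True
    return any_success and not required_failed


# Constructed configs.  POSTED is the sshd line from the post; PROPOSED and
# WRONG_ORDER show "certificate first, RADIUS as fallback" with two different
# control flags on the hypothetical certificate module.
POSTED = "sshd    auth sufficient   pam_radius_auth.so.1   debug\n"
PROPOSED = ("sshd    auth sufficient   pam_cert.so.1\n"
            "sshd    auth required     pam_radius_auth.so.1\n")
WRONG_ORDER = ("sshd    auth requisite    pam_cert.so.1\n"
               "sshd    auth required     pam_radius_auth.so.1\n")


def demo() -> Dict[str, bool]:
    """Evaluate the three constructed stacks under several module outcomes."""
    posted, proposed, wrong = (parse_pam_conf(c) for c in (POSTED, PROPOSED, WRONG_ORDER))
    radius_ok = {"pam_radius_auth.so.1": True}
    cert_ok = {"pam_cert.so.1": True}
    cert_bad_radius_ok = {"pam_cert.so.1": False, "pam_radius_auth.so.1": True}
    return {
        "posted_radius_ok": evaluate(posted, "sshd", "auth", radius_ok),
        "posted_radius_fail": evaluate(posted, "sshd", "auth", {}),
        "cert_ok_radius_not_consulted": evaluate(proposed, "sshd", "auth", cert_ok),
        "cert_fail_radius_ok": evaluate(proposed, "sshd", "auth", cert_bad_radius_ok),
        "both_fail": evaluate(proposed, "sshd", "auth", {}),
        "requisite_cert_fail_radius_ok": evaluate(wrong, "sshd", "auth", cert_bad_radius_ok),
        # the posted pam.conf has no 'other auth' lines, so a service
        # without its own auth stack is denied outright:
        "no_stack_fails_closed": evaluate(posted, "ftp", "auth", radius_ok),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:32s} {'PASS' if passed else 'FAIL'}")
```

The point the evaluator makes: `sufficient` on the first module followed by `required` on pam_radius_auth gives exactly "first check, then fall back", because a failing `sufficient` module is ignored and control passes on, whereas `requisite` on the first module would reject the user before RADIUS is ever asked. It also shows that with the `other auth` lines commented out, as in the posted pam.conf, any service that lacks its own auth stack is denied, which is the fail-closed behaviour you want.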