From: Sidibe Robert (Robert.Sidibe@kapsch.net)
Date: Tue Jun 19 2007 - 02:30:48 EDT
Hi Sunmanagers !
The situation
-------------------
To get access to our Solaris servers, only ssh (with authentication against a
RADIUS server) is allowed.
Now there is the wish to allow only a few special users not to be checked by
the RADIUS server, but by certificates, so that they don't need to enter the
token password every time.
Certificates can also be files which are locally stored (only for these
special users) on the Solaris server.
It should only identify the user who wants to log on.
If the user has got no such file/certificate, he should get the opportunity
to log on against the RADIUS server as usual.
Question:
--------------
Which of the PAM modules can check for certificates/local identification
files?
If there is a module capable of it, how can I configure PAM to first check
the certificate and, if the certificate is not OK, then authenticate against
the RADIUS server?
Can this certificate file for special users be built by ssh?
Does anyone have any experience or recommendations how to solve the problem?
Many Thanks
and kind regards
Robert Sidibe
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
Here's more info about the system, PAM modules and pam.conf:
-----------------------------------------------------------------------------

System:
------------
SunOS host 5.9 Generic_118558-22 sun4u sparc SUNW,Sun-Fire-V440

Available PAM modules (ls of /usr/lib/security):
-----------------------------------
crypt_bsdbf.so.1
crypt_bsdmd5.so.1
crypt_sunmd5.so.1
pam_authtok_check.so, pam_authtok_check.so.1
pam_authtok_get.so, pam_authtok_get.so.1
pam_authtok_store.so, pam_authtok_store.so.1
pam_dhkeys.so, pam_dhkeys.so.1
pam_dial_auth.so, pam_dial_auth.so.1
pam_krb5.so, pam_krb5.so.1
pam_krb5_migrate.so, pam_krb5_migrate.so.1
pam_ldap.so, pam_ldap.so.1
pam_passwd_auth.so, pam_passwd_auth.so.1
pam_projects.so, pam_projects.so.1
pam_radius_auth.so, pam_radius_auth.so.1
pam_rhosts_auth.so, pam_rhosts_auth.so.1
pam_roles.so, pam_roles.so.1
pam_sample.so, pam_sample.so.1
pam_smartcard.so, pam_smartcard.so.1
pam_unix.so, pam_unix.so.1
pam_unix_account.so, pam_unix_account.so.1
pam_unix_auth.so, pam_unix_auth.so.1
pam_unix_session.so, pam_unix_session.so.1
sparcv9/

Current pam.conf:
-------------------------
# cat /etc/pam.conf
#
#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA.  Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
# ==========================================================================I
#
#login   auth requisite          pam_authtok_get.so.1
#login   auth required           pam_dhkeys.so.1
#login   auth required           pam_unix_auth.so.1
#login   auth required           pam_dial_auth.so.1
#
# ==========================================================================I
#
# SSH via RADIUS is ALLOWED ====================================================
sshd    auth sufficient         pam_radius_auth.so.1 debug
#=============== SU is ALLOWED================================================
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_dhkeys.so.1
su      auth required           pam_unix_auth.so.1
# =============================================================================
#
# rlogin service (explicit because of pam_rhost_auth)
# RLOGIN DISABLED
#rlogin  auth sufficient         pam_rhosts_auth.so.1
#rlogin  auth requisite          pam_authtok_get.so.1
#rlogin  auth required           pam_dhkeys.so.1
#rlogin  auth required           pam_unix_auth.so.1
#=============================================================================
#
# RSH DISABLED
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
#rsh     auth sufficient         pam_rhosts_auth.so.1
#rsh     auth required           pam_unix_auth.so.1
#=============================================================================
#
# PPP service (explicit because of pam_dial_auth)
# PPP DISABLED
#ppp     auth requisite          pam_authtok_get.so.1
#ppp     auth required           pam_dhkeys.so.1
#ppp     auth required           pam_unix_auth.so.1
#ppp     auth required           pam_dial_auth.so.1
#
#
cron    auth requisite          pam_authtok_get.so.1
cron    auth required           pam_dhkeys.so.1
cron    auth required           pam_unix_auth.so.1
#=============================================================================
# OTHER - DISABLED
#=============================================================================
#other   auth requisite          pam_authtok_get.so.1
#other   auth required           pam_dhkeys.so.1
#other   auth required           pam_unix_auth.so.1
#=============================================================================
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin  auth optional           pam_krb5.so.1 try_first_pass
#login   auth optional           pam_krb5.so.1 try_first_pass
#other   auth optional           pam_krb5.so.1 try_first_pass
#cron    account optional        pam_krb5.so.1
#other   account optional        pam_krb5.so.1
#other   session optional        pam_krb5.so.1
#other   password optional       pam_krb5.so.1 try_first_pass

=====================================================================
Robert Souleymane SIDIBE | System Engineering - Business Service Management
Telefon +43 (0)50 811 5838 | Mobil: +43 (0)664 628 5838 | Fax +43 (0)50 811 5838
robert.sidibe@kapsch.net
Kapsch BusinessCom AG | Wienerbergstraße 53 | A-1120 Wien
www.kapschbusiness.com | www.kapsch.net
Firmenbuch HG Wien FN 178368g | Firmensitz Wien
Enabling effective real time business. Kapsch BusinessCom.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
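As an added example (not from the original post), the following Python script parses a pam.conf fragment in the same four-column format as the file above and replays the control-flag semantics the second question turns on: a `sufficient` entry stacked before a `required` pam_radius_auth.so.1 entry means RADIUS is consulted only when the first module does not succeed, while a failing `requisite` entry stops the stack at once. The fragment is constructed, and pam_localcert.so.1 is a hypothetical placeholder, not a module shipped with Solaris 9.

```python
# Constructed pam.conf fragment, not the poster's file. pam_localcert.so.1 is a
# hypothetical placeholder for a module checking a locally stored credential;
# pam_radius_auth.so.1 is the module already in the poster's sshd stack.
SAMPLE_PAM_CONF = """
sshd auth sufficient pam_localcert.so.1
sshd auth required   pam_radius_auth.so.1 debug
su   auth requisite  pam_authtok_get.so.1
su   auth required   pam_dhkeys.so.1
su   auth required   pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Parse pam.conf lines into (service, type, control, module, options)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        entries.append((service, mtype, control.lower(), module, fields[4:]))
    return entries

def run_stack(entries, service, mtype, results):
    """Evaluate one stack; `results` maps module name -> True/False outcome.
    requisite  - failure ends the stack at once
    required   - failure is remembered, later modules still run
    sufficient - success ends the stack unless a required module already failed
    optional   - consulted but never decides the outcome in this model
    Returns (outcome, modules consulted); an unlisted service uses 'other'.
    """
    stack = [e for e in entries if e[0] == service and e[1] == mtype]
    if not stack:
        stack = [e for e in entries if e[0] == "other" and e[1] == mtype]
    consulted, failed_required, any_success = [], False, False
    for _, _, control, module, _ in stack:
        ok = results.get(module, False)          # unknown module counts as failure
        consulted.append(module)
        if control == "requisite" and not ok:
            return "fail", consulted
        if control in ("required", "requisite"):
            failed_required = failed_required or not ok
            any_success = any_success or ok
        elif control == "sufficient" and ok and not failed_required:
            return "success", consulted
    if any_success and not failed_required:
        return "success", consulted
    return "fail", consulted
```

Run against a service with no entries of its own, the simulator also shows the effect of the commented-out `other auth` lines in the file above: with no default auth stack, such a service is denied rather than silently passed.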