Authenticate Radius user using pam and ssh

Question

I am able to authenticate radius users using radius server+pam+ssh with creating local user with blank password in linux.

Is it possible to authenticate radius users without creating users in local machine with blank password?

/etc/pam.d/ssh file as below

#%PAM-1.0
auth    sufficient      pam_radius_auth.so debug
auth    sufficient      pam_unix.so use_first_pass
auth    required        pam_auth_status.so                
account sufficient      pam_unix.so 
account required        pam_auth_status.so    
session required        pam_unix.so

score 1 · Answer 1 · answered Jan 16 '14 at 08:33

1

The radius protocol is only designed for authentication and doesn't provide the POSIX account attributes needed for users to be able to use your systems, e.g. UID and GID numbers, a default shell, and home directory.

answered Jan 16 '14 at 08:33

HBruijn

72,524
21
127
192

So,what will be the solution if I do not want to create user in local system – user3184706 Jan 16 '14 at 08:35
Store your user accounts in central database designed for that purpose. Old school would be NIS, better solutions are directory servers using LDAP, OpenLDAP, 389 Directory Server, MS Active Directory possibly securing the authentication with Kerberos. Free IPA comes to mind as well. But PAM modules also can use MySQL and Postgres SQL back-ends. Common would be to use pam_mkhomedir to have a home directory created at first login if those aren't stored on a central NFS server and mounted on demand with the automounter. – HBruijn Jan 16 '14 at 08:47

Authenticate Radius user using pam and ssh

1 Answers1