I have recently set up a server with FreeRADIUS to authenticate and keep track of admin logins on some of my devices.
I'm looking at getting my Linux and FreeBSD machines authenticating against RADIUS using the pam_auth_radius module. I am currently working with an Ubuntu 10.04 virtual machine for testing. Also, I am currently testing with RADIUS authenticating only remote SSH users; I would like ALL authentication to be done this way at some point.
As per instructions from all around the web, I installed pam_auth_radius, added a line referencing the module in /etc/pam.d/sshd, and added my server address and shared secret to /etc/pam_radius_auth.conf.
After doing this I can authenticate against RADIUS... however, only users that I have added to the test machine (using adduser) can authenticate. For example, user "cory" is a valid RADIUS user, for which the RADIUS server returns "Accept", but I keep getting "Permission Denied" while trying to log in via ssh until I "adduser cory".
Do I need to add each and every admin user to each and every server? I realize I can make un-passworded users, so it isn't really a security issue, but it just seems to defeat the point of having a central authentication server if I still have to do account management on each device.
Is there a way to create a temporary user/directory/etc dynamically? Or can users authenticating via RADIUS be mapped to an existing account to remove the need to create each user?
What's going on is that without the rest of the structures required, the Linux system doesn't have any information about user 'cory'. Things like UID/GID, shell, home directory, whatever.
You can set up the local user account, then tell PAM to check for a valid password against RADIUS.
What you really want to do is set up LDAP. This will let you define complete Unix user accounts in a central database. Then you would configure your RADIUS server to do validations against the LDAP database for those devices which can use it.
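The split the answer describes, between PAM (who is allowed in) and NSS (what account the session runs as), is easy to see from the shell. The script below is an added example, not code from the question or the answer: it prints hypothetical /etc/pam.d/sshd and /etc/pam_radius_auth.conf snippets with placeholder server and secret values, checks whether a given username resolves through NSS (`getent passwd`) the way sshd needs it to, and checks that the file holding the shared secret is not world-readable. The snippet and function names are the example's own; the config file format (`server[:port] secret [timeout]`) is the one pam_radius_auth documents.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Assumes a
# Linux or FreeBSD host with getent(1) and stat(1); the RADIUS host name
# and shared secret below are placeholders, not real values.

# Hypothetical /etc/pam.d/sshd auth stack: RADIUS first, local password second.
# "sufficient" means an Access-Accept ends the auth phase successfully; on a
# reject or timeout PAM falls through to pam_unix so local admins still work.
pam_sshd_snippet() {
  cat <<'EOF'
auth    sufficient  pam_radius_auth.so
auth    required    pam_unix.so try_first_pass
EOF
}

# Hypothetical /etc/pam_radius_auth.conf. Format: server[:port] secret [timeout].
# This file holds the shared secret, so it belongs to root with mode 0600.
pam_radius_conf_snippet() {
  cat <<'EOF'
# server[:port]                 shared_secret              timeout(s)
radius.example.internal:1812    CHANGE_ME_SHARED_SECRET    3
EOF
}

# Return 0 when NSS can describe the account (UID/GID, home, shell).
# This is the half that pam_radius_auth never provides: it only answers
# "is this password good", not "who is this user on this box".
nss_account_exists() {
  getent passwd "$1" >/dev/null 2>&1
}

# Explain "Permission denied after Access-Accept" the way sshd sees it:
# RADIUS said yes, but there is no local account to map the session onto.
diagnose_login() {
  user=$1
  if nss_account_exists "$user"; then
    echo "ok: '$user' resolves via NSS; a RADIUS Accept can become a session"
    return 0
  fi
  echo "fail: '$user' has no passwd entry here (no UID/GID/home/shell);" \
       "create it locally or serve it centrally (e.g. LDAP via nss_ldap)"
  return 1
}

# Return 0 if the secret file is readable by its owner only, 1 if it is
# readable by group/others, 2 if it does not exist. Uses GNU stat -c on
# Linux and falls back to BSD stat -f on FreeBSD.
radius_conf_perms_ok() {
  f=${1:-/etc/pam_radius_auth.conf}
  [ -e "$f" ] || return 2
  mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}
```

Run `diagnose_login cory` on the test box before and after `adduser cory` to watch the result flip; the RADIUS side does not change at all, which is the point of the answer. `radius_conf_perms_ok` is worth keeping in a config-audit script, because a readable shared secret lets anyone on the host forge RADIUS traffic to that server.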