Discussion:
User Authorization Using 'PAM Authentication Module' (pam_radius_auth.so)
Deepak Kumar Bhagat
2018-12-05 07:42:05 UTC
Hi All,

I have a requirement to authenticate and authorize users for management access to the device using the RADIUS protocol.
I'm using the Linux PAM module (pam_radius_auth.so) for RADIUS client support and FreeRADIUS as the RADIUS server.
I have written a sample PAM-enabled application (check_user) to test the same. I could successfully test user authentication using my application.

As part of user authorization, I'm sending the 'Management-Privilege-Level (136)' RFC 5607 attribute in the 'Access-Accept' and
intend to use the same at the device to give different management access to the user. The different Management-Privilege-Level (MPL) levels are mapped as below.

MPL   Access Level
1     Root user (read, write, exec)
2     Read only user (read)
3     Deny access (null)

Is there a way to fetch/read/pass this attribute from pam_radius_auth.so to my PAM-enabled application?
I checked the pam_radius_auth.so source code; it seems it doesn't read any attribute from the 'Access-Accept' received from the server.
If that is the case, then how can we enable the 'PAM Authentication Module' to read the authorization attributes received in the response?

Or, can someone suggest how we can achieve user authorization using the PAM authentication module?
One relevant reference from the mailing list is https://www.redhat.com/archives/pam-list/2001-March/msg00056.html, but it seems the code changes are not included in the module.

Many Thanks,
Deepak Bhagat.

-
List info/subscribe/unsubscribe? See http://www.freerad
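
The authorization step asked about above, as an added example (it is not code from pam_radius_auth.so or from the pull request mentioned later in the thread): a bounds-checked walk over the Access-Accept attributes that extracts Management-Privilege-Level (136) and applies the poster's MPL table, denying on anything missing or malformed. The function names, the `enum access` type and the sample packet are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RADIUS_HDR_LEN       20   /* code, id, length(2), authenticator(16) */
#define PW_ACCESS_ACCEPT     2
#define ATTR_MGMT_PRIV_LEVEL 136  /* RFC 5607 Management-Privilege-Level */

enum access { ACCESS_DENY = 0, ACCESS_READ_ONLY, ACCESS_ROOT };

/* Returns 0 and sets *out only for a well-formed Access-Accept carrying exactly
 * one attribute 136. A real client must verify the Response Authenticator first. */
static int radius_get_mpl(const uint8_t *pkt, size_t len, uint32_t *out)
{
    if (len < RADIUS_HDR_LEN || pkt[0] != PW_ACCESS_ACCEPT) return -1;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];      /* length field, big-endian */
    if (plen < RADIUS_HDR_LEN || plen > len) return -1;
    int found = 0;
    for (size_t off = RADIUS_HDR_LEN; off < plen; ) {
        if (plen - off < 2) return -1;                 /* truncated attribute header */
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || (size_t)alen > plen - off) return -1;
        if (type == ATTR_MGMT_PRIV_LEVEL) {
            if (alen != 6 || found++) return -1;       /* wrong size or duplicate */
            *out = ((uint32_t)pkt[off + 2] << 24) | ((uint32_t)pkt[off + 3] << 16) |
                   ((uint32_t)pkt[off + 4] << 8) | pkt[off + 5];
        }
        off += alen;
    }
    return found ? 0 : -1;
}

/* MPL table from the post: 1 = root, 2 = read only, 3 = deny. Fails closed. */
enum access access_from_packet(const uint8_t *pkt, size_t len)
{
    uint32_t mpl;
    if (radius_get_mpl(pkt, len, &mpl) != 0) return ACCESS_DENY;
    return mpl == 1 ? ACCESS_ROOT : mpl == 2 ? ACCESS_READ_ONLY : ACCESS_DENY;
}

/* Constructed sample: Access-Accept, id 1, length 30, zeroed authenticator,
 * Reply-Message "ok", Management-Privilege-Level = 2. */
static const uint8_t SAMPLE_ACCEPT[] = {
    2, 1, 0, 30, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    18, 4, 'o', 'k', 136, 6, 0, 0, 0, 2 };

int main(void)
{
    printf("access=%d\n", access_from_packet(SAMPLE_ACCEPT, sizeof SAMPLE_ACCEPT));
    return 0;
}
```
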
Alan DeKok
2018-12-06 15:27:05 UTC
Post by Deepak Kumar Bhagat
> I have a requirement to authenticate and authorize users for management access to the device using the RADIUS protocol.
> I'm using the Linux PAM module (pam_radius_auth.so) for RADIUS client support and FreeRADIUS as the RADIUS server.
> I have written a sample PAM-enabled application (check_user) to test the same. I could successfully test user authentication using my application.

That's good.

Post by Deepak Kumar Bhagat
> As part of user authorization, I'm sending the 'Management-Privilege-Level (136)' RFC 5607 attribute in the 'Access-Accept' and
> intend to use the same at the device to give different management access to the user. The different Management-Privilege-Level (MPL) levels are mapped as below.
>
> MPL   Access Level
> 1     Root user (read, write, exec)
> 2     Read only user (read)
> 3     Deny access (null)
>
> Is there a way to fetch/read/pass this attribute from pam_radius_auth.so to my PAM-enabled application?

Not in the current module.

Post by Deepak Kumar Bhagat
> I checked the pam_radius_auth.so source code; it seems it doesn't read any attribute from the 'Access-Accept' received from the server.
> If that is the case, then how can we enable the 'PAM Authentication Module' to read the authorization attributes received in the response?

Source code patches.

Post by Deepak Kumar Bhagat
> Or, can someone suggest how we can achieve user authorization using the PAM authentication module?
> One relevant reference from the mailing list is https://www.redhat.com/archives/pam-list/2001-March/msg00056.html, but it seems the code changes are not included in the module.

If you can update the patch for the current module, I can add it in.

Alan DeKok.


Deepak Kumar Bhagat
2018-12-07 07:11:58 UTC
Thank you, Alan, for the response!! It's very encouraging for me.

Post by Alan DeKok
> If you can update the patch for the current module, I can add it in.

I have completed the patch and am doing the initial testing with my setup. I will surely share the patch very soon!!



Deepak Kumar Bhagat
2018-12-07 12:14:04 UTC
Hi Alan,

I just raised the pull request for the patch. Can you please review and merge the patch to the master?
Sharing the pull request for your reference - https://github.com/FreeRADIUS/pam_radius/pull/41

-Deepak Bhagat

Deepak Kumar Bhagat
2018-12-11 09:44:03 UTC
Hi Alan,

As informed earlier, I have created the patch and raised the pull request. Can you please merge the patch to the master branch?
Here is the pull request for your reference - https://github.com/FreeRADIUS/pam_radius/pull/41

-Many Thanks,
Deepak Bhagat
