[99461] in RedHat Linux List
Subject: Re: radius (was: Re: Keeping certain users out....)
Date: Sat, 14 Nov 1998 09:11:50 -0900
From: Ramon Gandia <rfg@nook.net>
To: hossein@bf.rmit.edu.au, redhat-list@redhat.com
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
> Jeremy Domingue wrote:
>
> > I was curious if there is a way to selectively deny telnet access to users
> > that exist in the password file without disabling the account? For example,
> > I run mail and radius services which I want the user to be able to access,
> > but do not want to give the same user telnet login access.... how can I
> > accomplish this?
Hossein S. Zadeh wrote:
> Do you run a radius server or client? Can I get some information about
> its setup? Is there an RPM for radius?
I want to answer both of these questions, because it is the system
I use here. Mine run on Red Hat 4.2, but should also run fine on
RH 5.x.
(1) To deny telnet access, etc. Each user that is to be denied
needs to have his shell in /etc/passwd changed to /bin/false.
An example of an entry for him would be like this:
sandman:x:787:100::/home/sandman:/bin/false
^^^^^^^^^^
(2) The second thing you need to make sure is that "false" is
a defined shell in /etc/shells, and that there EXISTS such
a shell in /bin. In Red Hat 4.2, "/bin/false" is a script.
More on this later.
(3) In my system, I have had no problem with user "sandman",
along with several hundred others, getting access to qpopper,
radius, etc. etc. The only thing he cannot do is run a user
shell. Consequently he cannot have a login shell. In
console mode, if you try and login as "sandman" you will
immediately get the login prompt again with no error message.
Actually what happens is that "sandman" actually logged in
just fine, got authenticated etc. and then, because he has no
shell, was immediately logged out. However, if he is just
trying to authenticate in for purposes of Radius, FTP, etc.
he will be able to do so.
In particular, although he cannot run a shell, he can transfer
files via FTP to/from his user area. For instance, web home
pages.
(4) Radius runs fine. I used to use Gafton's radius which is
RPM'd. Had some problems with it, not the least of which it is
a HUGE source tree, and that it results in a large binary. It
is buggy to some extent.
Instead I finally went over to the livingston site and grabbed
the source. You have to sign a license agreement before
downloading it, but it is reasonable. I got the latest which at
the time was ( is? ) Radius 2.01.
There is a patch needed for enabling Radius to work with PAM and
Shadow passwords in Red Hat. It is only about one or two lines
that need to be changed. I have the patch here, which is third
party and not from Livingston. After the patch is made to the
source, Radius compiles just fine.
I installed it exactly according to Livingston's directions. Please
note that Radius installed this way is more BSD-ish than SysV-ish,
with some of the stuff in /usr/adm. However it has the virtue that
all of the docs then line up with what you actually see in reality.
With Christian's Radius, this is not the case, perhaps its worst
downfall.
Lastly, Livingston's support for Radius is excellent. They will
support you 100% by phone, email etc. This is a company that
helps all the way. They have an excellent staff, and if you are
running Linux rather than BSDI or Sun, they treat you like a
perfectly NORMAL person and not some kind of freak! They are
very much Linux savvy.
One of the things that I am curious about, but have only dabbled
in is to use RADIUS to authenticate users on other machines,
rather than the accursed NIS and ypetcetc protocols which give
everyone fits.
I said above that I was going to speak a little bit about
/bin/false.
Here it is.
When you give a user a shell of "/bin/false" in his /etc/passwd
file, you have to know that the shell is actually a program. In
other words, /bin/bash or /bin/csh are programs that are executed
at the instant the user logs in. If there is nothing to run, he
immediately is exited (logged out).
It should become apparent to you that you can use this mechanism
to do various things. For instance, if you want to leave a LOG
of who got in to your PPP session, then you could generate a
logfile by adding some scripting lines to /bin/false, or even
making up a whole new shell script for the user to do it. Although
Radius does this, you may also have a use for this script I am
talking about to run. The requirements are:
(1) in the /etc/passwd file, the shell has to be a program. It
could be /bin/bash, /bin/csh (real shells), /bin/false (we spoke
about this one), or even /bin/yourscript or
/usr/bin/local/anotherscript
You get to define what runs when the user tries to get in.
The program has to be executable. Get the right permissions and
ownerships to match those of real shells.
(2) It has to be defined in /etc/shells. This is just a one line
entry and is obvious.
You can then watch the program run. For instance, let us say that
you have an individual that you want to track for whatever reason.
This person is a suspected hacker and you want to know when he
logs on. You then write a little script called "/bin/trackhim"
that flashes a message on the console when he gets authenticated.
This scheme would work not only for the equivalent of /bin/false,
but if he has a real shell on purpose, like the usual /bin/bash,
then the script would run when he logs in. In that case,
/bin/trackhim would call /bin/bash. I can see some problems
here like him changing his own shell, or finding out, but if he is
not TOO smart it would work. It absolutely would work if he has
no real shell to mess with.
I have done this, not with malicious users or suspected ones, but
to alert me when a user comes on that is having telco line problems
and I want to monitor his session (with his permission). I have
had it flash "Joe Blow is ON LINE" on the screen. Maybe someday
I will even have it ring a bell or beep.
But you get the idea(s).
--
Ramon Gandia ==== Sysadmin ==== Nook Net ==== http://www.nook.net
285 West First Avenue rfg@nook.net
P.O. Box 970 tel. 907-443-7575
Nome, Alaska 99762-0970 ======================= fax. 907-443-2487
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.
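The two mechanisms Ramon describes, the /bin/false shell entry plus the /etc/shells listing, and the wrapper shell that logs a login and then hands over to the real shell, as an added shell example that is not part of the original post. It builds its own sample passwd and shells files in a temporary directory, so the user names, UIDs, the wrapper path and the log path are all constructed assumptions and nothing touches the real /etc or /bin.

```shell
#!/bin/sh
# Added example, not from the original post. Part (a) classifies what a
# user's passwd shell field and the shells file give him at login; part (b)
# is a logging wrapper in the spirit of the post's "/bin/trackhim".
# Everything lives under a temp directory; all names below are sample data.

WORK=$(mktemp -d)
PASSWD="$WORK/passwd"
SHELLS="$WORK/shells"
WRAPPER="$WORK/trackhim"

# Constructed sample passwd file; "sandman" mirrors the post's entry.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
sandman:x:787:100::/home/sandman:/bin/false
joe:x:788:100::/home/joe:/bin/trackhim
EOF

# Constructed sample shells file: /bin/false is listed, /bin/trackhim is not.
cat > "$SHELLS" <<'EOF'
/bin/sh
/bin/bash
/bin/false
EOF

# user_shell USER: print the seventh (login shell) field of USER's entry.
user_shell() {
    awk -F: -v u="$1" '$1 == u { print $7 }' "$PASSWD"
}

# shell_listed SHELL: succeed only if SHELL appears verbatim in the shells file.
shell_listed() {
    grep -qxF -- "$1" "$SHELLS"
}

# login_status USER: what the passwd entry gives the user at login time.
#   interactive  - a real shell that is listed in the shells file
#   no-shell     - authentication succeeds, but the session ends at once
#   unlisted     - shell missing from the shells file, so ftpd/chsh refuse it
#   no-such-user - no passwd entry at all
login_status() {
    s=$(user_shell "$1")
    [ -n "$s" ] || { echo "no-such-user"; return 0; }
    if ! shell_listed "$s"; then
        echo "unlisted"
        return 0
    fi
    case "$s" in
        */false|*/nologin) echo "no-shell" ;;
        *)                 echo "interactive" ;;
    esac
}

# Wrapper shell: append one log line, then exec the real shell with the
# arguments login(1) passed along (e.g. "-c command"). The default log path
# is an assumed location and can be overridden through TRACKHIM_LOG.
cat > "$WRAPPER" <<'EOF'
#!/bin/sh
LOG="${TRACKHIM_LOG:-/var/log/trackhim.log}"
printf '%s user=%s from=%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
    "$(id -un)" "${SSH_CONNECTION:-console}" >> "$LOG"
exec /bin/sh "$@"
EOF
chmod 755 "$WRAPPER"

# run_wrapper: simulate one login through the wrapper on a fresh log (the
# real shell just runs "true" and exits) and print the resulting line count.
run_wrapper() {
    : > "$WORK/trackhim.log"
    TRACKHIM_LOG="$WORK/trackhim.log" "$WRAPPER" -c true
    awk 'END { print NR }' "$WORK/trackhim.log"
}

# Demo when run directly.
for u in root sandman joe nobody; do
    printf '%-8s %s\n' "$u" "$(login_status "$u")"
done
echo "log lines after one wrapped login: $(run_wrapper)"
```

The "unlisted" case is the one to watch: a wrapper like /bin/trackhim that is forgotten in /etc/shells will make ftpd and chsh reject the account, which is the second requirement in the post. On the monitoring side, a log file the user's own session appends to is also a file that session can edit, so sending the line to syslog with logger(1) instead of a file is the more tamper-resistant choice; and on current distributions /usr/sbin/nologin plays the role of /bin/false and additionally prints a message to the user.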