This project provides a Linux PAM module for Radius authentication coupled with an NSS module.
This allows users to log in with a Radius account and be mapped to an existing local Linux account.
Radius users authenticate with their Radius credentials and are then mapped onto local Linux users. The mapping from Radius user to local user is based on arbitrary vendor attributes returned by the Radius server.
+-----------------+----------------------+-----------------+------------------------+------------------+
| User            | Linux System         | NSS Module      | PAM Module             | Radius Server    |
+=================+======================+=================+========================+==================+
| Enters login    | ---->                |                 |                        |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
|                 | <----                | Map the request |                        |                  |
|                 |                      | to the default  |                        |                  |
|                 |                      | user            |                        |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
| <----           | Requests password    |                 |                        |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
| Enters password | ---->                |                 |                        |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
|                 | Auth user            |                 | ---->                  |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
|                 |                      |                 | Check the credentials  | ---->            |
|                 |                      |                 | (username, password)   |                  |
|                 |                      |                 | with the Radius server |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
|                 |                      |                 | <----                  | Validate user    |
|                 |                      |                 |                        | and if valid,    |
|                 |                      |                 |                        | returns the      |
|                 |                      |                 |                        | requested vendor |
|                 |                      |                 |                        | attributes       |
+-----------------+----------------------+-----------------+------------------------+------------------+
|                 |                      | <----           | Save the user          |                  |
|                 |                      |                 | details in the NSS db  |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
|                 | <----                |                 | Allow or deny user     |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
| <----           | Start `radius_shell` |                 |                        |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
|                 | `radius_shell`       | ---->           |                        |                  |
|                 | checks the NSS DB    |                 |                        |                  |
|                 | before spawning the  |                 |                        |                  |
|                 | real user shell      |                 |                        |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
| <----           | Start real shell     |                 |                        |                  |
|                 | after `setuid`       |                 |                        |                  |
+-----------------+----------------------+-----------------+------------------------+------------------+
The auth client is a command line interface to authenticate with a radius server.
It will request a radius authentication and return vendor attributes based on the configuration file.
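The exchange in the diagram above, from the PAM module's Access-Request to the server's Access-Accept carrying a vendor attribute, as an added example that is not part of this project: both sides are simulated in one process following RFC 2865 (PAP password obfuscation, Response Authenticator check, Vendor-Specific Attribute parsing). The shared secret `s3cret`, the user `fred`/`pass` mapped to `admin`, the vendor id 4242 and vendor-type 1 are constructed sample values; the real attribute identifiers come from the radius.* configuration, which this page does not reproduce.

```python
import hashlib
import hmac
import secrets
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, VENDOR_SPECIFIC = 1, 2, 26
# Constructed demo values: the real vendor id / vendor-type come from the radius.* config.
DEMO_VENDOR_ID, DEMO_VT_LOCAL_USER = 4242, 1

def _attr(atype, value):
    """One Type-Length-Value attribute; the length byte covers the 2-byte header too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([atype, 2 + len(value)]) + value

def encode_pap_password(secret, req_auth, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    padded = pw + b"\x00" * (-len(pw) % 16) if pw else b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out

def decode_pap_password(secret, req_auth, encoded):
    """Server side of the above: same keystream, chained on the received ciphertext."""
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], keystream))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00").decode("utf-8", "replace")

def parse_attributes(data):
    """Split an attribute area into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("bad attribute length")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def vendor_attributes(attrs):
    """Unpack Vendor-Specific (26) values into (vendor_id, vendor_type, value) triples."""
    out = []
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC:
            if len(value) < 4:
                raise ValueError("VSA shorter than Vendor-Id")
            vendor_id = struct.unpack("!I", value[:4])[0]
            out += [(vendor_id, vt, vv) for vt, vv in parse_attributes(value[4:])]
    return out

def build_access_request(secret, ident, username, password, req_auth=None):
    req_auth = req_auth or secrets.token_bytes(16)   # fresh random Request Authenticator
    attrs = _attr(USER_NAME, username.encode()) + _attr(
        USER_PASSWORD, encode_pap_password(secret, req_auth, password))
    head = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return head + req_auth + attrs, req_auth

def build_response(secret, code, ident, req_auth, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def parse_response(secret, pkt, ident, req_auth):
    """Client side: check length, identifier and Response Authenticator before trusting VSAs."""
    code, rid, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or rid != ident:
        raise ValueError("length/identifier mismatch")
    expected = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Response Authenticator: wrong secret or tampered reply")
    return code, parse_attributes(pkt[20:])

def response_is_authentic(secret, pkt, ident, req_auth):
    try:
        parse_response(secret, pkt, ident, req_auth)
        return True
    except ValueError:
        return False

def demo_server(secret, pkt, users):
    """Constructed stand-in for the Radius server; users maps name -> (password, local user)."""
    _, ident, _ = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], dict(parse_attributes(pkt[20:]))
    given = decode_pap_password(secret, req_auth, attrs[USER_PASSWORD])
    entry = users.get(attrs[USER_NAME].decode("utf-8", "replace"))
    if entry and hmac.compare_digest(entry[0].encode(), given.encode()):
        vsa = struct.pack("!I", DEMO_VENDOR_ID) + _attr(DEMO_VT_LOCAL_USER, entry[1].encode())
        return build_response(secret, ACCESS_ACCEPT, ident, req_auth, _attr(VENDOR_SPECIFIC, vsa))
    return build_response(secret, ACCESS_REJECT, ident, req_auth, b"")

def mapped_local_user(secret, username, password, server, users, ident=7):
    """What the PAM module needs: the local account named by the vendor attribute, else None."""
    pkt, req_auth = build_access_request(secret, ident, username, password)
    code, attrs = parse_response(secret, server(secret, pkt, users), ident, req_auth)
    if code != ACCESS_ACCEPT:
        return None
    for vendor_id, vtype, value in vendor_attributes(attrs):
        if vendor_id == DEMO_VENDOR_ID and vtype == DEMO_VT_LOCAL_USER:
            return value.decode("utf-8", "replace")
    return None

if __name__ == "__main__":
    USERS = {"fred": ("pass", "admin")}   # constructed sample, same mapping as this README
    print(mapped_local_user(b"s3cret", "fred", "pass", demo_server, USERS))
```

The step a client must not skip is the Response Authenticator check: the vendor attribute in an Access-Accept is about to select a local account, so it is only as trustworthy as that MD5-with-secret check, and a mismatch discards the whole reply rather than falling back to the Access-Accept code alone.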
For a full working installation, the following components are required:
- PAM module
- NSS module
- radius_shell binary
- configuration file
- local users (read config file below for details)
IMPORTANT: for security, the configuration file MUST be mode 0600 and owned by root.
The NSS module should be installed in the /lib directory. The location might vary depending on your distribution. For example /lib/libnss_radius_virtual.so.2, and then symlink this to /lib/libnss_radius_virtual.so. NSS REQUIRES the .so.2 name.
Once the module has been installed, run ldconfig to update the ld cache.
The configuration of the NSS module is done in /etc/nsswitch.conf: you need to add radius_virtual after files for passwd and shadow.
Example /etc/nsswitch.conf:
passwd: files radius_virtual systemd
group: files systemd
shadow: files radius_virtual
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
The PAM module should be installed in the /lib/security directory, for example /lib/security/pam_radius_virtual.so. The location might vary depending on your distribution.
The PAM configuration can vary depending on your distribution. On Debian, it is /etc/pam.d/common-auth but on Arch Linux it is /etc/pam.d/system-auth.
What you need to add is the following line:
auth sufficient pam_radius_virtual.so
This should be the line before pam_unix.so. With sufficient, a successful Radius authentication ends the auth stack, while a failure is ignored and the stack continues to pam_unix.so, so local accounts keep working.
To ensure the Radius user's shell is spawned as the right local user, the NSS module returns a special binary as the user's shell. This binary checks the user in the NSS module database and setuids to the proper user.
The radius_shell binary must be installed as root:root in setuid mode, like this:
-rwsr-xr-x 1 root root /usr/bin/radius_shell
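The checks a practitioner would run after the installation steps above (config file mode and owner, radius_virtual placed after files in nsswitch.conf, the sufficient line ahead of pam_unix.so, radius_shell installed -rwsr-xr-x root root), as an added audit script that is not part of this project. The paths are the ones given on this page; the Debian PAM file is assumed, so pass /etc/pam.d/system-auth on Arch Linux. The parsers take file text so they can be exercised offline on constructed snippets; audit() applies them to the live system.

```python
import os
import stat

# Paths from this README; the PAM file is the Debian one (Arch uses /etc/pam.d/system-auth).
CONFIG = "/etc/radius_auth_virtual.toml"
RADIUS_SHELL = "/usr/bin/radius_shell"
NSSWITCH = "/etc/nsswitch.conf"
PAM_AUTH = "/etc/pam.d/common-auth"
RADIUS_PAM = "pam_radius_virtual.so"
RADIUS_NSS = "radius_virtual"

def config_perms_ok(mode, uid):
    """The config file must be a regular file, mode exactly 0600, owned by root (uid 0)."""
    return stat.S_ISREG(mode) and stat.S_IMODE(mode) == 0o600 and uid == 0

def radius_shell_ok(mode, uid, gid):
    """Expected -rwsr-xr-x root root: setuid, root:root, world-executable, never group/world writable."""
    return (stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0 and gid == 0
            and bool(mode & stat.S_IXOTH) and not (mode & (stat.S_IWGRP | stat.S_IWOTH)))

def nsswitch_ok(text, databases=("passwd", "shadow")):
    """radius_virtual must be listed for passwd and shadow, and after files, as the README says."""
    sources = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop comments
        if ":" not in line:
            continue
        name, rest = line.split(":", 1)
        # ignore action specs such as [NOTFOUND=return]; keep the ordered source names
        sources[name.strip()] = [t for t in rest.split() if not t.startswith("[")]
    for db in databases:
        srcs = sources.get(db, [])
        if "files" not in srcs or RADIUS_NSS not in srcs:
            return False
        if srcs.index(RADIUS_NSS) < srcs.index("files"):
            return False
    return True

def _pam_auth_entries(text):
    """Yield (control, module) for each auth line; controls may be [bracketed] as on Debian."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] != "auth":
            continue
        if tokens[1].startswith("["):
            end = next((i for i, t in enumerate(tokens) if t.endswith("]")), None)
            if end is None or end + 1 >= len(tokens):
                continue
            control, module = " ".join(tokens[1:end + 1]), tokens[end + 1]
        else:
            control, module = tokens[1], tokens[2]
        yield control, os.path.basename(module)

def pam_auth_ok(text):
    """'auth sufficient pam_radius_virtual.so' must appear before the pam_unix.so auth line."""
    entries = list(_pam_auth_entries(text))
    modules = [m for _, m in entries]
    if RADIUS_PAM not in modules or "pam_unix.so" not in modules:
        return False
    idx = modules.index(RADIUS_PAM)
    return entries[idx][0] == "sufficient" and idx < modules.index("pam_unix.so")

def _stat(path):
    try:
        return os.stat(path)
    except OSError:
        return None

def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def audit(config=CONFIG, shell=RADIUS_SHELL, nsswitch=NSSWITCH, pam=PAM_AUTH):
    """Check a live install; returns the list of failed checks (empty means all good)."""
    failed = []
    st = _stat(config)
    if st is None or not config_perms_ok(st.st_mode, st.st_uid):
        failed.append("config: must exist, be 0600 and root-owned")
    st = _stat(shell)
    if st is None or not radius_shell_ok(st.st_mode, st.st_uid, st.st_gid):
        failed.append("radius_shell: must be -rwsr-xr-x root root")
    text = _read(nsswitch)
    if text is None or not nsswitch_ok(text):
        failed.append("nsswitch.conf: radius_virtual must follow files for passwd and shadow")
    text = _read(pam)
    if text is None or not pam_auth_ok(text):
        failed.append("pam: 'auth sufficient pam_radius_virtual.so' must precede pam_unix.so")
    return failed

if __name__ == "__main__":
    problems = audit()
    print("install OK" if not problems else "\n".join("FAIL " + p for p in problems))
```

No privileges are needed to run it: stat() on the 0600 config and reading /etc/pam.d work for any user, and the script only reports, it changes nothing.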
su should work as expected with the root password; sudo will ask for the mapped user's password. For example, if you log in as fred:pass and this user is mapped to admin:secret, you will be logged in as admin but sudo will expect the password of the admin user: secret. The best way to provide sudo access to a mapped user is to use the NOPASSWD: option.
The standalone radius_auth_client.exe binary is supported on both Linux and Windows (> Vista). This binary is self-contained and only requires a config file. The format of the config file is the same as for the PAM/NSS modules.
For information about the configuration format, read the sample config file below; only the radius.* blocks are required.
The configuration file MUST reside at /etc/radius_auth_virtual.toml for the Linux modules (PAM/NSS/radius_shell). The radius_auth_client binary takes the path of the config file as a command line argument.
The configuration is documented in the sample configuration file.
If you want to build the binaries yourself, you need to be running Linux and have Rust and a Windows cross compiler installed.
Then follow these steps:
- Clone this repository, including submodules
- Run make applypatch
- Run make release
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.