
I have a pam_radius module set up on a rhel7 server. A user with a local account is able to ssh into the server with the radius login information.

I was wondering if it is possible to allow a user to authenticate to the radius server, and if it is successful, have a shell session open on the rhel7 server.

Another option would be to have the server create a user account for the authenticated user. Any help would be greatly appreciated.

goris29

1 Answer


The easiest way to allow authentication is to configure your sssd daemon with your pam modules. Check here and here to see how. Moreover, you can block unwanted users (including local accounts, or restricting access) in either /etc/security/access.conf, or /etc/ssh/sshd.conf.

Finally, the pam modules themselves can be edited to support this in /etc/pam.d but it is VERY IMPORTANT that you read the man pages, because messing around with pam modules without understanding is a great way to lock yourself out of a server. I've done it more times than I'd care to admit when I was integrating AD :)

SomeGuy
  • If you're going anywhere near PAM modules, have a root shell open, and make sure you have a backup of any file you think you might change. You will _almost certainly_ need that root shell to revert a typo or other "silly" misconfiguration. And don't close it until you have proven you can still log in... – roaima May 08 '18 at 21:23
  • ^ good advice. Forgot to mention it but this has saved me before as well. I have been bitten by these once or twice each. – SomeGuy May 08 '18 at 21:37
  • @goris29 - if this answers your question, please mark as answered :) If not, I'm happy to elaborate to explain further if you need me to. – SomeGuy May 08 '18 at 21:38
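
Added example (not part of the answer or comments above): a simplified model of how pam_access evaluates /etc/security/access.conf, useful for checking that a proposed rule set still admits the accounts you rely on before you save it. The group `radiususers`, the user `alice`, the address and the sample rules are constructed; only the subset of the syntax named in the comments is modelled.

```python
# Added example: simplified model of pam_access rule evaluation.
# Assumptions: only ALL, user names, (group), EXCEPT and the origins ALL,
# LOCAL or a literal tty/host are modelled; netgroups, network/mask and
# host-name patterns are not. Groups match only in the (group) form.

SAMPLE = """\
# constructed sample rules, not from the original post
+:root:LOCAL
+:(radiususers):ALL
+:ALL EXCEPT root:tty1
-:ALL:ALL
"""

def parse_rules(text):
    """Return [(permission, user_tokens, origin_tokens)] in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((parts[0], parts[1].split(), parts[2].split()))
    return rules

def list_match(tokens, pred):
    """'A B EXCEPT C' matches if A or B matches and C does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], pred) and not list_match(tokens[i + 1:], pred)
    return any(pred(t) for t in tokens)

def is_allowed(rules, user, groups, origin):
    """First matching rule decides; no matching rule means access is granted."""
    def user_pred(t):
        return t == "ALL" or t == user or t in {f"({g})" for g in groups}
    def origin_pred(t):
        return t == "ALL" or t == origin or (t == "LOCAL" and "." not in origin)
    for perm, users, origins in rules:
        if list_match(users, user_pred) and list_match(origins, origin_pred):
            return perm == "+"
    return True

def lockout_risks(text, must_allow):
    """Return the (user, origin) pairs from must_allow that the rules would deny."""
    rules = parse_rules(text)
    return [(u, o) for u, g, o in must_allow if not is_allowed(rules, u, g, o)]
```

Calling `lockout_risks` with the accounts that must keep access returns an empty list when the rules are safe to deploy; moving `-:ALL:ALL` to the top of the file makes every listed account show up, because the first matching rule wins.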