User Authorization Using 'PAM Authentication Module(pam_radius_auth.so)


Deepak Kumar Bhagat
Hi All,

I have a requirement to authenticate and authorize users for management access to the device using Radius Protocol.
I'm using Linux PAM module (pam_radius_auth.so) for Radius client support and freeRADIUS as Radius server.
I have written a sample PAM-enabled application (check_user) to test the same. I could successfully test user authentication using my application.

As part of user authorization, I'm sending 'Management-Privilege-Level (136)' RFC 5607 attribute in 'Access-Accept' and
intend to use the same at the device to give different management access to the user. Different Management-Privilege-Level (MPL) levels are mapped as below.

MPL  Access Level
1    Root user (read, write, exec)
2    Read only user (read)
3    Deny access (null)

Is there a way to fetch/read/pass this attribute from pam_radius_auth.so to my PAM-enabled application?
I checked the pam_radius_auth.so source code; it seems it doesn't read any attribute from the 'Access Accept' received from the server.
If that is the case, then how can we enable the 'PAM Authentication Module' to read the authorization attributes received in the response?

Or, can someone suggest how we can achieve user authorization using the PAM Authentication module?
One relevant reference from the mailing list is https://www.redhat.com/archives/pam-list/2001-March/msg00056.html, but it seems the code changes are not included in the module.

Many Thanks,
Deepak Bhagat.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: User Authorization Using 'PAM Authentication Module(pam_radius_auth.so)

Alan DeKok-2
On Dec 5, 2018, at 2:42 AM, Deepak Kumar Bhagat <[hidden email]> wrote:
>
> I have a requirement to authenticate and authorize users for management access to the device using Radius Protocol.
> I'm using Linux PAM module (pam_radius_auth.so) for Radius client support and freeRADIUS as Radius server.
> I have written a sample PAM-enabled application (check_user) to test the same. I could successfully test user authentication using my application.

  That's good.

> As part of user authorization, I'm sending 'Management-Privilege-Level (136)' RFC 5607 attribute in 'Access-Accept' and
> intend to use the same at the device to give different management access to the user. Different Management-Privilege-Level (MPL) levels are mapped as below.
>
> MPL  Access Level
> 1    Root user (read, write, exec)
> 2    Read only user (read)
> 3    Deny access (null)
>
> Is there a way to fetch/read/pass this attribute from pam_radius_auth.so to my PAM-enabled application?

  Not in the current module.

> I checked the pam_radius_auth.so source code; it seems it doesn't read any attribute from the 'Access Accept' received from the server.
> If that is the case, then how can we enable the 'PAM Authentication Module' to read the authorization attributes received in the response?

  Source code patches.

> Or, can someone suggest how we can achieve user authorization using the PAM Authentication module?
> One relevant reference from the mailing list is https://www.redhat.com/archives/pam-list/2001-March/msg00056.html, but it seems the code changes are not included in the module.

  If you can update the patch for the current module, I can add it in.

  Alan DeKok.
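
Added example, not part of the thread and not code from pam_radius or the pull request mentioned later: a bounds-checked walk over the attributes of an Access-Accept that extracts Management-Privilege-Level (136) and applies the MPL mapping from the question, denying access on anything missing, malformed or unknown. The helper names `find_mpl` and `map_mpl` and the sample packet are hypothetical, and the code assumes the Response Authenticator has already been verified against the shared secret before any attribute is trusted.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PW_ACCESS_ACCEPT   2
#define PW_MGMT_PRIV_LEVEL 136  /* Management-Privilege-Level, RFC 5607 */
enum access { ACCESS_DENY, ACCESS_READ_ONLY, ACCESS_ROOT };

/* Hypothetical helper: returns the MPL value from an Access-Accept, or -1 if
 * the packet is malformed or the attribute is absent or duplicated. */
int64_t find_mpl(const uint8_t *pkt, size_t len)
{
    if (len < 20 || pkt[0] != PW_ACCESS_ACCEPT) return -1;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];   /* header length field */
    if (plen < 20 || plen > len) return -1;
    int64_t mpl = -1;
    for (size_t off = 20; off < plen; ) {
        if (plen - off < 2) return -1;              /* truncated TLV header */
        uint8_t type = pkt[off], alen = pkt[off + 1];
        if (alen < 2 || alen > plen - off) return -1;
        if (type == PW_MGMT_PRIV_LEVEL) {
            if (alen != 6 || mpl != -1) return -1;  /* bad size or duplicate */
            mpl = ((uint32_t)pkt[off + 2] << 24) | ((uint32_t)pkt[off + 3] << 16) |
                  ((uint32_t)pkt[off + 4] << 8)  |  (uint32_t)pkt[off + 5];
        }
        off += alen;
    }
    return mpl;
}

/* Mapping from the thread: 1 = root, 2 = read only, 3 = deny.
 * Anything else, including "not found", is denied (assumption). */
enum access map_mpl(int64_t mpl)
{
    return mpl == 1 ? ACCESS_ROOT : mpl == 2 ? ACCESS_READ_ONLY : ACCESS_DENY;
}

/* Constructed sample: Access-Accept, id 1, length 32, zeroed authenticator,
 * Service-Type = 6 (Administrative), Management-Privilege-Level = 2. */
static const uint8_t sample_accept[32] = {
    2, 1, 0, 32, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    6, 6, 0, 0, 0, 6,   136, 6, 0, 0, 0, 2,
};

int main(void)
{
    printf("access = %d\n", map_mpl(find_mpl(sample_accept, sizeof sample_accept)));
    return 0;
}
```
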



Re: User Authorization Using 'PAM Authentication Module(pam_radius_auth.so)

Deepak Kumar Bhagat
Thank you, Alan, for the response!! It's very encouraging for me.

> If you can update the patch for the current module, I can add it in.

I have completed the patch and am doing the initial testing with my setup. I will surely share the patch very soon!!




Re: User Authorization Using 'PAM Authentication Module(pam_radius_auth.so)

Deepak Kumar Bhagat
Hi Alan,

I just raised the pull request for the patch. Can you please review and merge the patch to the master?
Sharing the pull request for your reference - https://github.com/FreeRADIUS/pam_radius/pull/41

-Deepak Bhagat


Re: User Authorization Using 'PAM Authentication Module(pam_radius_auth.so)

Deepak Kumar Bhagat
Hi Alan,

As informed earlier, I have created the patch and raised the pull request. Can you please merge the patch to the master branch?
Here is the pull request for your reference - https://github.com/FreeRADIUS/pam_radius/pull/41

-Many Thanks,
Deepak Bhagat


Re: User Authorization Using 'PAM Authentication Module(pam_radius_auth.so)

Alan DeKok-2
On Dec 11, 2018, at 4:44 AM, Deepak Kumar Bhagat <[hidden email]> wrote:
>
> Hi Alan,
>
> As informed earlier, I have created the patch and raised the pull request. Can you please merge the patch to the master branch?
> Here is the pull request for your reference - https://github.com/FreeRADIUS/pam_radius/pull/41

  I'll take a look.  On a quick check, it looks fine.

  Alan DeKok.



Re: User Authorization Using 'PAM Authentication Module(pam_radius_auth.so)

Deepak Kumar Bhagat
Thank you, Alan, for considering the patch!!

-Deepak Bhagat