4

At this moment i have installed freeradius and PAM radius properly. When i create an account on the system and set a password in /etc/raddb/users.conf the user can login. Sudo also works great with PAM radius.

What i want to achieve is when i create a user in /etc/raddb/users.conf and reload the config. That the account and home dir will be created if the authentication for Radius succeeds.

I tried many things including session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

The last log lines from the login without a system user account.

Feb 23 18:59:17 localhost sshd[3353]: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:18 localhost sshd[3353]: Failed password for invalid user pop from 192.168.0.115 port 53608 ssh2
Feb 23 18:59:18 localhost sshd[3353]: Connection closed by 192.168.0.115 [preauth]
Feb 23 18:59:18 localhost sshd[3353]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:18 localhost sshd[3353]: PAM service(sshd) ignoring max retries; 4 > 3
Feb 23 18:59:18 localhost sshd[3358]: Invalid user pop from 192.168.0.115
Feb 23 18:59:18 localhost sshd[3358]: input_userauth_request: invalid user pop [preauth]
Feb 23 18:59:21 localhost sshd[3358]: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:21 localhost sshd[3358]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:22 localhost sshd[3358]: Failed password for invalid user pop from 192.168.0.115 port 53609 ssh2

My config for PAM sshd

#%PAM-1.0
auth       required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
#account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Is it possible to create the system account and home directory on login when using freeradius and PAM radius? If so, how does this work?

ps : I am using CentOS 7.

Edit : I have tried with a bash script to check if the user exists. Then to create it if it does not exist, but this will not work and i do not see any log output for pam_exec.so failing.

Edit : radtest tells me the username and password are correct

Dany
  • 231
  • 2
  • 10

1 Answers1

0

On CentOS 7 you can use jeroennijhof/pam_script to do just what you want.

  • Install the rpm:

    sudo yum install epel-release.noarch sudo yum install pam_script

  • Add these lines to this file /etc/pam.d/sshd:

    auth optional /usr/lib64/security/pam_script.so auth sufficient /usr/lib64/security/pam_radius_auth.so #added to include radius

  • create the scripts directory if it doesn't exist:

    sudo mkdir /etc/pam-script.d/

  • Add these lines to this file /etc/pam-script.d/pam_script_auth:

    #add user logger Adding New User $PAM_USER useradd $PAM_USER echo $PAM_USER:U6aMy0wojraho | sudo chpasswd -e

Shōgun8
  • 695
  • 5
  • 16