### Linux radius client
# Notes:
For user authentication to a radius server,
Linux needs the local user to exist. The pam-radius
module does not create the local user automatically.
To create the local user automatically:
Enable the pam-radius module.
Enable rsyslog and cron.
The user tries to log in for the first time (and fails).
The SSH daemon logs the incident.
Cron executes a script every minute:
Read the log file and find the username.
Verify that the user exists on the radius server.
Create the local user.
The user can login now.
# Install libpam-radius-auth and radius-utils
apt-get install libpam-radius-auth freeradius-utils
# Edit /etc/pam_radius_auth.conf
Add the radius server:
SERVER_IP_ADDRESS PRESHARED-KEY TIMEOUT
# Edit /etc/pam.d/sshd
# Edit /etc/pam.d/sudo
Add as the first line:
auth sufficient pam_radius_auth.so
# Edit /etc/ssh/sshd_config
Change:
SyslogFacility LOCAL6
LogLevel INFO
# Edit /etc/rsyslog.conf
Add:
local6.* -/var/log/sshd.log
# Enable rsyslog and cron
systemctl enable rsyslog.service
systemctl enable cron.service
# Add the radius group
addgroup --system radius
# Create the base dir for homes
mkdir /radius
chmod 755 /radius
# Create the script /usr/local/bin/userradius.sh
Set RADIUSIP and RADIUSPSK to your server's address and pre-shared key.
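#!/bin/bash
# userradius.sh - create local accounts for users that exist on the RADIUS
# server but not yet on this host.
#
# Run from cron every minute as root. Reads the sshd log that rsyslog writes
# for facility local6 ($SSHLOG), extracts the user names from the
# "input_userauth_request: invalid user NAME [preauth]" lines, asks the RADIUS
# server about each one with radtest and, when the server recognises the
# account, creates a matching local user under $DIRHME. The sshd log is
# truncated at the end of every run.
#
# Settings to adapt: RADIUSIP, RADIUSPSK.
# Writes: one line per created account to $LOGFILE (mode 600).

# Abort on use of an unset variable (a typo must not become an empty path).
set -u

RADIUSIP='RADIUS_IP_ADDR'
RADIUSPSK='RADIUS_PASSWORD'
SSHLOG='/var/log/sshd.log'
PATH='/usr/sbin:/usr/bin:/sbin:/bin'
DIRHME='/radius'
LOGFILE='/var/log/radius.log'

# The candidate user names come from the sshd log, i.e. from whatever anyone on
# the network typed at the ssh prompt. Treat them as untrusted: only names in
# the conservative POSIX portable form (lowercase, max 32 chars, no leading
# '-') are ever passed on to radtest/useradd or used as a path component.
USERNAME_RE='^[a-z_][a-z0-9_-]{0,31}$'

if [ -s "$SSHLOG" ]; then
  DNOW=$(date '+%d/%m/%Y %H:%M:%S')

  # Turn each "invalid user NAME [preauth]" line into NAME.
  # cut -s drops lines that contain no '|' delimiter, so log lines for already
  # existing users (which carry no "invalid user" text) are not treated as a
  # user name.
  grep 'input_userauth_request' -- "$SSHLOG" \
    | sed -e 's/invalid user /|/' -e 's/ \[preauth\]/|/' \
    | cut -s -d '|' -f 2 \
    | tr '[:upper:]' '[:lower:]' \
    | tr -d '[:blank:]' \
    | sort -u \
    | while IFS= read -r NAMEUSR; do
        # Silently skip anything that is not a well-formed user name.
        if ! [[ "$NAMEUSR" =~ $USERNAME_RE ]]; then
          continue
        fi

        # Probe the server with a dummy password. The script relies on the
        # server's reject text containing 'Bad Encrypted password' only when
        # the account exists -- confirm this against your RADIUS server.
        # NOTE: the shared secret is passed on the command line and is visible
        # to other local users via `ps` for the lifetime of radtest.
        if radtest "$NAMEUSR" 'DUMMYPASS' "$RADIUSIP" '1812' "$RADIUSPSK" 2> /dev/null \
            | grep -q 'Bad Encrypted password'; then
          # getent looks the name up exactly; the old "grep ^NAME /etc/passwd"
          # also matched any user whose name merely started with NAME.
          if [ ! -d "${DIRHME}/${NAMEUSR}" ] && ! getent passwd "$NAMEUSR" > /dev/null; then
            if useradd -d "${DIRHME}/${NAMEUSR}" -g 'radius' -m -N -s '/bin/bash' "$NAMEUSR"; then
              chmod 700 "${DIRHME}/${NAMEUSR}"
              printf '%s - NAMEUSR creado: %s\n' "$DNOW" "$NAMEUSR" >> "$LOGFILE"
            else
              # Record the failure instead of logging a creation that did not happen.
              printf '%s - ERROR useradd: %s\n' "$DNOW" "$NAMEUSR" >> "$LOGFILE"
            fi
            chmod 600 "$LOGFILE"
          fi
        fi
      done

  # Entries appended by rsyslog between the read above and this truncate are
  # lost; the affected user simply fails once more and is picked up next run.
  truncate -s 0 "$SSHLOG"
fi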
# Make script executable
chmod 750 /usr/local/bin/userradius.sh
# Add the script to /etc/crontab
* * * * * root /usr/local/bin/userradius.sh > /dev/null 2> /dev/null
# Reboot