Linux radius client.

linux/grub.txt

@@ -3,9 +3,10 @@ Change the text and background color in grub
 
 * /etc/grub.d/99_colors
     #!/bin/sh
-    echo "set menu_color_highlight=dark-gray/black"
-    echo "set menu_color_normal=black/black"
-    echo "set color_normal=dark-gray/black"
+    exec tail -n +3 $0
+    set menu_color_highlight=dark-gray/black
+    set menu_color_normal=black/black
+    set color_normal=dark-gray/black
 
 * chmod 755 /etc/grub.d/99_colors
 

linux/radius-client.sh

@@ -0,0 +1,85 @@
+### Linux radius client
+
+# Notes:
+    For user authentication to a radius server,
+    linux need the local user exist. The pam-radius
+    module not create the local user automatically.
+    To create the local user automatically:
+        Enable the pam-radius module.
+        Enable rsyslog and cron.
+        The user try to login the first time.
+        The the ssh daemon log the incident.
+        Cron execute a script every minute:
+            Read the log file and find the username.
+            Verify the existence of the user with the radius server.
+            Create the local user.
+        The user can login now.
+
+# Install libpam-radius-auth and radius-utils
+    apt-get install libpam-radius-auth freeradius-utils
+
+# Edit /etc/pam_radius_auth.conf
+    Add the radius server:
+        SERVER_IP_ADDRESS  PRESHARED-KEY  TIMEOUT
+
+# Edit /etc/pam.d/sshd
+# Edit /etc/pam.d/sudo
+    First line add:
+        auth sufficient pam_radius_auth.so
+
+# Edit /etc/ssh/sshd_config
+    Change:
+        SyslogFacility LOCAL6
+        LogLevel INFO
+
+# Edit /etc/rsyslog.conf
+    Add:
+        local6.*    -/var/log/sshd.log
+
+# Enable rsyslog and cron
+    systemctl enable rsyslog.service
+    systemctl enable cron.service
+
+# Add the radius group
+    addgroup --system radius
+
+# Create the base dir for homes
+    mkdir /radius
+    chmod 755 /radius
+
+# Create the script /usr/local/bin/userradius.sh
+    Change RADIUSIP and RADIUSPSK
+
+    #!/bin/bash
+    RADIUSIP='RADIUS_IP_ADDR'
+    RADIUSPSK='RADIUS_PASSWORD'
+    SSHLOG='/var/log/sshd.log'
+    PATH='/usr/sbin:/usr/bin:/sbin:/bin'
+    DIRHME='/radius'
+    LOGFILE='/var/log/radius.log'
+    if [ -s "$SSHLOG" ]; then
+        DNOW=`date '+%d/%m/%Y %H:%M:%S'`
+        cat "$SSHLOG" | grep 'input_userauth_request' | sed -e 's/invalid user /|/' -e 's/ \[preauth\]/|/' | cut -d '|' -f 2 | tr '[A-Z]' '[a-z]' | tr -d '[:blank:]' | sort | uniq | while read NAMEUSR; do
+            VALIDATE=`radtest "$NAMEUSR" 'DUMMYPASS' "$RADIUSIP" '1812' "$RADIUSPSK" 2> /dev/null | grep 'Bad Encrypted password'`
+            if [ ! -z "$VALIDATE" ]; then
+                if [ ! -d "${DIRHME}/${NAMEUSR}" ]; then
+                    VALIDATE=`cat /etc/passwd | grep ^${NAMEUSR}`
+                    if [ -z "$VALIDATE" ]; then
+                        useradd -d "${DIRHME}/${NAMEUSR}" -g 'radius' -m -N -s '/bin/bash' "$NAMEUSR"
+                        chmod 700 "${DIRHME}/${NAMEUSR}"
+                        echo "${DNOW} - NAMEUSR creado: $NAMEUSR" >> "$LOGFILE"
+                        chmod 600 "$LOGFILE"
+                    fi
+                fi
+            fi
+        done
+        truncate -s 0 "$SSHLOG"
+    fi
+
+# Make script executable
+    chmod 750 /usr/local/bin/userradius.sh
+
+# Add the script to /etc/crontab
+    * * * * * root /usr/local/bin/userradius.sh > /dev/null 2> /dev/null
+
+# Reboot

readme.text

@@ -1,24 +1,4 @@
 ## Various snippets of code
 #############################
 
-* bridge-stp.sh: Create a bridge.
-
-* cisco-xrv-basic-config.txt : Cisco XRv basic configurations.
-
-* cisco-xrv-with-qemu.sh: Run Cisco XRv with QEmu.
-
-* delay-jitter-packetloss.sh: Add delay, jitter and packet loss.
-
-* grub.txt: Grub configuration.
-
-* interfaces.sh: Interface with 802.1q configuration.
-
-* linux-vrf.sh: VRF creation.
-
-* qemu-asa-patch.sh and qemu-asa-shell.sh: Emulate Cisco ASA with qemu.
-
-* ssh-server.txt: SSH server configuration.
-
-* virtualbox.sh: VirtualBox commands.
-
-* xubuntu-read-only-filesystem.txt: Xubuntu read only root filesystem.
+Assorted snippets of code.