Linux radius client.
This commit is contained in:
parent
dab4b018c0
commit
a56af3ba08
@ -3,9 +3,10 @@ Change the text and background color in grub
|
|||||||
|
|
||||||
* /etc/grub.d/99_colors
|
* /etc/grub.d/99_colors
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
echo "set menu_color_highlight=dark-gray/black"
|
exec tail -n +3 $0
|
||||||
echo "set menu_color_normal=black/black"
|
set menu_color_highlight=dark-gray/black
|
||||||
echo "set color_normal=dark-gray/black"
|
set menu_color_normal=black/black
|
||||||
|
set color_normal=dark-gray/black
|
||||||
|
|
||||||
* chmod 755 /etc/grub.d/99_colors
|
* chmod 755 /etc/grub.d/99_colors
|
||||||
|
|
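--- a/linux/radius-client.sh
+++ b/linux/radius-client.sh
@@ -0,0 +1,85 @@
+### Linux radius client
+
+# Notes:
+For user authentication to a radius server,
+linux need the local user exist. The pam-radius
+module not create the local user automatically.
+To create the local user automatically:
+Enable the pam-radius module.
+Enable rsyslog and cron.
+The user try to login the first time.
+The the ssh daemon log the incident.
+Cron execute a script every minute:
+Read the log file and find the username.
+Verify the existence of the user with the radius server.
+Create the local user.
+The user can login now.
+
+# Install libpam-radius-auth and radius-utils
+apt-get install libpam-radius-auth freeradius-utils
+
+# Edit /etc/pam_radius_auth.conf
+Add the radius server:
+SERVER_IP_ADDRESS PRESHARED-KEY TIMEOUT
+
+# Edit /etc/pam.d/sshd
+# Edit /etc/pam.d/sudo
+First line add:
+auth sufficient pam_radius_auth.so
+
+# Edit /etc/ssh/sshd_config
+Change:
+SyslogFacility LOCAL6
+LogLevel INFO
+
+# Edit /etc/rsyslog.conf
+Add:
+local6.* -/var/log/sshd.log
+
+# Enable rsyslog and cron
+systemctl enable rsyslog.service
+systemctl enable cron.service
+
+# Add the radius group
+addgroup --system radius
+
+# Create the base dir for homes
+mkdir /radius
+chmod 755 /radius
+
+# Create the script /usr/local/bin/userradius.sh
+Change RADIUSIP and RADIUSPSK
+
+#!/bin/bash
+RADIUSIP='RADIUS_IP_ADDR'
+RADIUSPSK='RADIUS_PASSWORD'
+SSHLOG='/var/log/sshd.log'
+PATH='/usr/sbin:/usr/bin:/sbin:/bin'
+DIRHME='/radius'
+LOGFILE='/var/log/radius.log'
+if [ -s "$SSHLOG" ]; then
+DNOW=`date '+%d/%m/%Y %H:%M:%S'`
+cat "$SSHLOG" | grep 'input_userauth_request' | sed -e 's/invalid user /|/' -e 's/ \[preauth\]/|/' | cut -d '|' -f 2 | tr '[A-Z]' '[a-z]' | tr -d '[:blank:]' | sort | uniq | while read NAMEUSR; do
+VALIDATE=`radtest "$NAMEUSR" 'DUMMYPASS' "$RADIUSIP" '1812' "$RADIUSPSK" 2> /dev/null | grep 'Bad Encrypted password'`
+if [ ! -z "$VALIDATE" ]; then
+if [ ! -d "${DIRHME}/${NAMEUSR}" ]; then
+VALIDATE=`cat /etc/passwd | grep ^${NAMEUSR}`
+if [ -z "$VALIDATE" ]; then
+useradd -d "${DIRHME}/${NAMEUSR}" -g 'radius' -m -N -s '/bin/bash' "$NAMEUSR"
+chmod 700 "${DIRHME}/${NAMEUSR}"
+echo "${DNOW} - NAMEUSR creado: $NAMEUSR" >> "$LOGFILE"
+chmod 600 "$LOGFILE"
+fi
+fi
+fi
+done
+truncate -s 0 "$SSHLOG"
+fi
+
+# Make script executable
+chmod 750 /usr/local/bin/userradius.sh
+
+# Add the script to /etc/crontab
+* * * * * root /usr/local/bin/userradius.sh > /dev/null 2> /dev/null
+
+# Reboot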
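Review bot: The username the cron script acts on is lifted verbatim from sshd's `input_userauth_request: invalid user …` log text, which any unauthenticated remote client can fill with an arbitrary string, yet it reaches `radtest`, an unquoted `grep ^${NAMEUSR}` and `useradd` with no validation beyond lowercasing and blank-stripping; add an allowlist immediately after `while read NAMEUSR; do`, e.g. `[[ "$NAMEUSR" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]] || continue`. The local-existence check is also only a prefix match — `cat /etc/passwd | grep ^${NAMEUSR}` matches `bob` when `$NAMEUSR` is `bo`, so a new user whose name prefixes an existing one is silently never created — and `VALIDATE=$(getent passwd "$NAMEUSR")` is presumably what was intended. Because every logged name is probed against the RADIUS server with `DUMMYPASS` once a minute, a client spraying real usernames at sshd can presumably trigger whatever failed-login lockout the RADIUS backend enforces; that trade-off, and the assumption that a reply containing `Bad Encrypted password` proves the account exists, should be stated in a comment above the `radtest` line. Lines logged between the `cat "$SSHLOG"` read and the `truncate -s 0 "$SSHLOG"` are dropped, so a user may need a second login attempt before being created.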
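--- a/readme.text
+++ b/readme.text
@@ -1,24 +1,4 @@
 ## Various snippets of code
 #############################
 
-* bridge-stp.sh: Create a bridge.
-
-* cisco-xrv-basic-config.txt : Cisco XRv basic configurations.
-
-* cisco-xrv-with-qemu.sh: Run Cisco XRv with QEmu.
-
-* delay-jitter-packetloss.sh: Add delay, jitter and packet loss.
-
-* grub.txt: Grub configuration.
-
-* interfaces.sh: Interface with 802.1q configuration.
-
-* linux-vrf.sh: VRF creation.
-
-* qemu-asa-patch.sh and qemu-asa-shell.sh: Emulate Cisco ASA with qemu.
-
-* ssh-server.txt: SSH server configuration.
-
-* virtualbox.sh: VirtualBox commands.
-
-* xubuntu-read-only-filesystem.txt: Xubuntu read only root filesystem.
+Assorted snippets of code.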