我一直在研究ssh(openssh)和radius。
我想做什么:
使用存储在radius服务器或ldap存储中的凭据(用户名和密码)SSH连接到设备。我一直在线阅读,有些人指出在radius服务器的后台运行ldap服务器。这将起作用,但仅在本地计算机中找到用户时才有效。
问题: 有没有办法让我通过包含凭据的radius服务器登录ssh(或telnet)到我的设备?如果没有,客户端(我尝试连接的机器)有一种方法获取更新的凭证列表,并从中央位置(无论是半径服务器还是sql数据库等)本地存储它。
我已经能够通过Radius进行连接,但仅限于本地帐户,但是例如,如果我尝试连接本地不存在的帐户(客户端方式)我得到“不正确”
这是半径输出: 代码:
rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85 User-Name = "klopez"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
NAS-Port = 4033
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.4.200"
代码:
[ldap] performing user authorization for klopez[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> klopez
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap] expand: dc=lab,dc=local -> dc=lab,dc=local
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] userPassword -> Cleartext-Password == "somepass"
[ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password. Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
我还安装了pam_radius,并且正常工作(可以登录本地存在的帐户)。虽然我读过这篇文章并且不知道这是否100%准确:
http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html 和 http://fhf.org/archives/713
TL:DR: 我需要ssh到一台没有用户/本地传递的机器,并且该组合将被远程存储,例如radius服务器或ldap。
请告知
P.S。
最好使用radius server或ldap解决方案,但不是必需的。如果有候补请告知。
谢谢,
凯文
答案 0 :(得分:2)
您可以将SSH配置为使用PAM LDAP直接针对LDAP服务器进行身份验证。
我自己在Debian Systems上进行了设置: https://wiki.debian.org/LDAP/PAM https://wiki.debian.org/LDAP/NSS
您需要同时使用PAM和NSS才能使SSH正常工作。您还需要在SSH配置中启用PAM。在Debian(或Ubuntu)系统上安装libnss-ldapd libpam-ldapd和nslcd软件包。