[olug] Using RADIUS roles for sudoers

Damian Harouff cekkent at gmail.com
Thu Feb 5 08:49:55 CST 2015


That's the conclusion I was drawing too. Thank you for the confirmation.

-Damian

On Wed, Feb 4, 2015 at 10:43 PM, Christopher Cashell <topher-olug at zyp.org>
wrote:

> On Wed, Feb 4, 2015 at 10:20 AM, Damian Harouff <cekkent at gmail.com> wrote:
>
> > I've recently encountered an existing system where the company already has
> > a RADIUS server set up for authentication, including SSH and sudo, but they
> > would like to also use the RADIUS roles to determine what commands can be
> > executed via sudo.
> >
> > I know that sudo has the ability to use LDAP for this, but LDAP isn't
> > available, and the company is not interested in an LDAP server.
> >
> > The Google did not turn up much. Anyone ever done this before?
> >
>
> I've done sudo with LDAP, and I've done auth with RADIUS.  I've never done
> sudo with RADIUS.  A little bit of poking around doesn't turn up much, and
> previous experience with the two makes me think you'll have a lot of
> challenges and limitations getting it to work.
>
> Even if you could get it to work in a very limited form, you're going to
> miss out on a lot of the available sudo functionality.
>
> RADIUS is great for strict AAA, but LDAP has a level of flexibility that
> goes way beyond that.  In order for sudo to properly map /etc/sudoers to
> LDAP, an LDAP Schema was created.  sudo has special support written into
> it to support LDAP.  Nothing like that exists for RADIUS.
>
> I may be wrong, but I don't think you'll be able to get this to work.  PAM
> is geared more around the Authentication aspect of AAA than it is the
> Authorization.  And sudo only supports file (/etc/sudoers) and LDAP for
> Authorization, as far as I know.
>
> If the company in question has an Active Directory environment, recent AD
> releases (Windows 2003R2 and later) have reasonable support for adding
> custom schemas.  It is possible to store sudo information in an Active
> Directory Server.
>
> --
> Christopher
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://lists.olug.org/mailman/listinfo/olug
>
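As an added illustration, not from the thread: the LDAP side of the mapping Christopher refers to. A constructed sudoRole entry in the schema sudoers.ldap(5) describes is rendered as the /etc/sudoers line it stands for; the helper functions are hypothetical, not sudo's own code.

```python
"""Render a sudoRole LDAP entry as the equivalent /etc/sudoers line.
Hypothetical helper, not part of sudo; the sample LDIF below is constructed."""

# Constructed LDIF for one sudoRole, using the attributes sudoers.ldap(5) defines.
SAMPLE_LDIF = """\
dn: cn=webadmins,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: webadmins
sudoUser: %webadmin
sudoUser: damian
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/sbin/service nginx restart
sudoCommand: !/usr/sbin/service nginx stop
sudoOption: !authenticate
sudoOrder: 10
"""


def parse_ldif_entry(text):
    """Collect the (multi-valued) attributes of a single LDIF entry into lists."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def sudo_role_to_sudoers(entry):
    """Map sudoUser/sudoHost/sudoRunAs*/sudoOption/sudoCommand to sudoers syntax:
    users hosts = (runas_user:runas_group) TAG: command, command ..."""
    users = ",".join(entry.get("sudoUser", []))
    hosts = ",".join(entry.get("sudoHost", ["ALL"]))
    # sudoers.ldap(5): the runas user defaults to root when the attribute is absent.
    runas = "(" + ",".join(entry.get("sudoRunAsUser", ["root"]))
    if "sudoRunAsGroup" in entry:
        runas += ":" + ",".join(entry["sudoRunAsGroup"])
    runas += ")"
    tags = []
    # "!authenticate" is the LDAP spelling of the sudoers NOPASSWD tag.
    if "!authenticate" in entry.get("sudoOption", []):
        tags.append("NOPASSWD:")
    # A leading "!" on a sudoCommand is a negation, exactly as in sudoers.
    commands = ", ".join(entry.get("sudoCommand", []))
    return f"{users} {hosts} = {runas} {' '.join(tags + [commands])}"
```

sudo performs this lookup itself once nsswitch.conf lists `sudoers: files ldap`; the point of the example is that every field of a sudoers rule has a named LDAP attribute, which is what a RADIUS reply has no counterpart for.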