此时我已经正确安装了 freeradius 和 PAM radius 。当我在系统上创建帐户并在 /etc/raddb/users.conf 中设置密码时,用户可以登录。 Sudo 也适用于 PAM 半径。
我想要实现的是当我在 /etc/raddb/users.conf 中创建用户并重新加载配置时。如果 Radius 身份验证成功,将创建帐户和主目录。
我尝试了很多事情,包括session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
没有系统用户帐户登录的最后日志行。
Feb 23 18:59:17 localhost sshd[3353]: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:18 localhost sshd[3353]: Failed password for invalid user pop from 192.168.0.115 port 53608 ssh2
Feb 23 18:59:18 localhost sshd[3353]: Connection closed by 192.168.0.115 [preauth]
Feb 23 18:59:18 localhost sshd[3353]: PAM 3 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:18 localhost sshd[3353]: PAM service(sshd) ignoring max retries; 4 > 3
Feb 23 18:59:18 localhost sshd[3358]: Invalid user pop from 192.168.0.115
Feb 23 18:59:18 localhost sshd[3358]: input_userauth_request: invalid user pop [preauth]
Feb 23 18:59:21 localhost sshd[3358]: pam_unix(sshd:auth): check pass; user unknown
Feb 23 18:59:21 localhost sshd[3358]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=danys-mbp.fritz.box
Feb 23 18:59:22 localhost sshd[3358]: Failed password for invalid user pop from 192.168.0.115 port 53609 ssh2
我的 PAM sshd 配置
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_radius_auth.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
#account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
使用 freeradius 和 PAM radius 时是否可以在登录时创建系统帐户和主目录?如果是这样,这是如何运作的?
ps:我使用的是CentOS 7。
编辑:我尝试使用 bash 脚本来检查用户是否存在。然后,如果它不存在,则创建它,但这将不起作用,并且我没有看到 pam_exec.so 失败的任何日志输出。
编辑:radtest 告诉我用户名和密码是正确的
答案1
在 CentOS 7 上你可以使用jeroennijhof/pam_script做你想做的事。
安装rpm:
sudo yum install epel-release.noarch sudo yum install pam_script
将这些行添加到此文件 /etc/pam.d/sshd 中:
auth optional /usr/lib64/security/pam_script.so auth sufficient /usr/lib64/security/pam_radius_auth.so #added to include radius
如果不存在则创建脚本目录:
sudo mkdir /etc/pam-script.d/
将这些行添加到此文件 /etc/pam-script.d/pam_script_auth:
#add user logger Adding New User $PAM_USER useradd $PAM_USER echo $PAM_USER:U6aMy0wojraho | sudo chpasswd -e