[Pam-ssh-users] single sign on with Radius
Brought to you by:
rosenauer
From: <ac...@ar...> - 2007-08-22 13:55:39
I am trying to set up SSH on some client hosts such that all users can be authenticated from our common Radius server and single sign-on is provided.

SSH today provides the SSH-Agent. The SSH-Agent holds a user's private keys and these must be added manually for each session. There are two drawbacks that I would like to get around:

* The private keys must be added manually on each session to the ssh-agent using ssh-add
* The private keys must be made available locally on each client host a particular user is potentially using.

I wonder if there is a solution where the user authenticates once to e.g. the ssh-agent using the Radius server. The ssh-agent then maintains the user's credentials in memory for all subsequent SSH usage. At the end of the login session the ssh-agent is terminated, and thus the user's credentials are deleted.

An even better solution would be to do authentication only once during login and to transmit the user credentials from login (also using Radius in our case) to an ssh-agent. I understand that pam_ssh already does this part but still relies on locally stored private keys. Is there a way to get rid of these and use e.g. the Radius server instead? This could be done either by obtaining the private keys from the Radius server or just use user id and password to authenticate to the sshd (without private/public keys).

Regards,
Andreas Lemke