In article <[EMAIL PROTECTED]>,
Bona <[EMAIL PROTECTED]> wrote:
>I am trying to implement Freeradius in production environment. I have a
>couple questions: 
>
>Here is the config: 
>
>1 - Corporate users and bastion host are on different legs of the same
>firewall (Same building) 
>2 - Production Network is on the other side of the firewall and in
>geographically different area. 
>3 - User ssh to the bastion host 
>and from the bastion host, they ssh in the production server as root. 
>
>Goal: 
>
>1 - Avoid having each user use root and provide accounting for each
>user. But still use ssh to connect to production machine. 
>2 - Implement freeradius to satisfy this requirement. 
>
>Question: 
>
>1 - Where would I install Freeradius radius? 

Nowhere, I guess.

>2 - How would the NAS intercept the login info and forward it to Freeradius. 

Depends on the NAS, but I don't know of any NASes that can
act as a ssh client on behalf of the user.

>3 - How does freeradius handle ssh 

Not at all. It is a radius server, it doesn't have anything
to do with ssh.

Sounds like someone said 'solve this problem. Use ssh and radius'
and you're just struggling to get a hold on this problem, right? ;)

Do it differently. Let the users dial in on the NAS and use PPP,
so they can set up an IP connection.

Then install an ssh 'gateway' on the bastion host. This is just
a script that asks the user for a loginname, and a host to
connect to, and then executes ssh to the internal host.

The 'gateway script' would only be reached by ssh'ing to the
bastion host. Just set ssh up so that ONLY this script can
be executed by the user - set the shell of the users to the
scripts, or something.

In the script, you can easily log all you want. No radius needed.

Or something...

Mike.
-- 
Computers are useless, they only give answers. --Pablo Picasso
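An added example of the 'gateway script' Mike describes, not code from his post or from the FreeRADIUS project: a restricted login shell for the bastion host that prompts for a login name and a target host, checks both, records the session, and then execs ssh. It assumes the script is installed as /usr/local/bin/ssh-gateway and set as the user's shell; the allowed host names, the log path and the GATEWAY_* environment variables are constructed assumptions.

```shell
#!/bin/sh
# ssh-gateway: restricted login shell for the bastion host.
# Hypothetical example; set it as the user's shell (e.g. in /etc/passwd)
# so that the only thing a user can do after authenticating to the
# bastion is hop to one of the allowed internal hosts.

# Allowed internal targets, one per line (constructed sample data).
ALLOWED_HOSTS="${GATEWAY_ALLOWED_HOSTS:-prod-web01.internal
prod-db01.internal}"

# Session log; assumption: writable by the gateway users.
GATEWAY_LOG="${GATEWAY_LOG:-/var/log/ssh-gateway.log}"

# Accept only a conservative account-name syntax, so the value can be
# handed to ssh without becoming an option (leading '-') or shell text.
valid_login() {
    case "$1" in
        ''|-*|*[!a-z0-9._]*) return 1 ;;
    esac
    return 0
}

# Accept only hosts on the allowlist; exact string match, no patterns.
allowed_host() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$ALLOWED_HOSTS" | grep -qxF -- "$1"
}

# One record per session: when, which bastion account, which login on
# which target, and the client address sshd exports in SSH_CONNECTION.
log_session() {
    printf '%s bastion_user=%s target_login=%s target_host=%s client=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "${SSH_CONNECTION%% *}" \
        >>"$GATEWAY_LOG"
}

gateway_main() {
    # Any command the client tried to pass is ignored; the hop is the only action.
    unset SSH_ORIGINAL_COMMAND
    printf 'Login name on target: '
    read -r target_login || exit 1
    printf 'Target host: '
    read -r target_host || exit 1

    if ! valid_login "$target_login"; then
        echo 'Invalid login name.' >&2
        exit 1
    fi
    if ! allowed_host "$target_host"; then
        echo 'Host not permitted.' >&2
        exit 1
    fi

    log_session "${USER:-$(id -un)}" "$target_login" "$target_host"
    # Replace this process with ssh; '--' ends option parsing so neither
    # value can be read as an ssh flag.
    exec ssh -- "$target_login@$target_host"
}

# Run the interactive flow only when invoked as the login shell itself
# (sshd passes argv[0] as "-ssh-gateway" for a login shell).
case "$0" in
    *ssh-gateway) gateway_main ;;
esac
```

Because the log line pairs the bastion account with the target login, each hop is attributable to a person even when the target login is shared. Keep the log file append-only for the gateway users (or send the line to syslog instead) so a user cannot edit their own trail, and remember that the shell itself must not be writable by them.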


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html