> Dustin any input on this one?
>
> Maqbool Hashim wrote:
>
> > Hi there,
> >
> > I've finally come to a decision as to what sort of backend we're going
> > to use. Thanks for all the discussion it was very helpful in coming
> > to the final decision. Here's what I'm going to go with:
> >
> > Use the UNIX password file on the machine that holds the radius server
> > to authenticate users against. Users will be able to add users on
> > that machine, with a special login. They won't have access to the
> > radius configuration files at all. Users will only be able to login
> > to the RADIUS machine over the LAN.
> >
> > The idea is that we trust our users and they will only be allowed to
> > login to the RADIUS machine over the LAN. I was thinking of creating
> > a UNIX login, which instead of providing a shell, executes a script to
> > add the new radius user.
> >
> > Ideas on doing this as securely as possible would be appreciated. I
> > have freeradius running on OpenBSD.
> >

We have something similar to this in our network. Users can telnet into the box and they don't get a shell, but instead are given some kind of menu. It's been years since I've looked at it, but I'll see if I can track down if we still have it and see if I can find anything about it. Maybe I can send you a partial copy of the code, or at least how it was built and with what tools.

-Dusty

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
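
For the login-that-runs-a-script setup discussed in this thread, the part that needs the most care is that the script hands user-typed input to a privileged account-creation command. The following POSIX sh sketch is an added example, not code from this thread or from the menu system Dusty mentions; the file name `adduser-menu`, the `ADDUSER_CMD` variable, the username policy and the dry-run default are all assumptions.

```shell
#!/bin/sh
# Added example: login "shell" for a dedicated add-user account.
# Hypothetical names throughout. ADDUSER_CMD defaults to a dry-run stand-in
# for the privileged helper (for instance one doas/sudo rule for useradd,
# which would also be responsible for setting the initial password).
LC_ALL=C; export LC_ALL                 # make [a-z] ranges byte-wise
PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH
ADDUSER_CMD=${ADDUSER_CMD:-"echo DRY-RUN useradd"}

# Allow-list policy (assumed): lowercase letter first, then [a-z0-9_-],
# 2 to 16 characters. Anything else, including spaces, ';', '$', newlines
# and a leading '-', is rejected before it reaches any command line.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 16 ]
}

# Validate, refuse existing accounts, then pass the name as ONE quoted argument.
add_radius_user() {
    valid_username "$1" || { echo "rejected: invalid username" >&2; return 2; }
    if id "$1" >/dev/null 2>&1; then
        echo "rejected: account exists" >&2; return 3
    fi
    $ADDUSER_CMD "$1"
}

main() {
    trap '' INT QUIT TSTP               # no breaking out of the script to a shell
    printf 'New RADIUS username: '
    IFS= read -r name || exit 1
    if add_radius_user "$name"; then
        logger -p auth.notice "adduser-menu: created $name" 2>/dev/null || true
    fi
    exit 0                              # always end the session, never fall into a shell
}

# Prompt only when invoked under the (hypothetical) installed name.
case "$0" in
    *adduser-menu) main ;;
esac
```

Because the script is the account's login shell, the calling user never gets an interactive shell or read access to the RADIUS configuration; only the single validated argument crosses into the privileged helper.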

