Sorry, what I'm trying to ask is:
Most secure way to create a Unix login whose sole function is to execute adduser to add users to the /etc/passwd file. I'm running OpenBSD. Hmmm... as I finish writing this question it looks like this is rather off topic. Anyhow, any ideas welcome.
Thanks
Dustin Doris wrote:
Dustin, any input on this one?
Maqbool Hashim wrote:
Hi there,
I've finally come to a decision as to what sort of backend we're going to use. Thanks for all the discussion; it was very helpful in coming to the final decision. Here's what I'm going to go with:
Use the UNIX password file on the machine that holds the radius server to authenticate users against. Users will be able to add users on that machine, with a special login. They won't have access to the radius configuration files at all. Users will only be able to log in to the RADIUS machine over the LAN.
The idea is that we trust our users and they will only be allowed to log in to the RADIUS machine over the LAN. I was thinking of creating a UNIX login, which instead of providing a shell, executes a script to add the new radius user.
Ideas on doing this as securely as possible would be appreciated. I have freeradius running on OpenBSD.
We have something similar to this in our network. Users can telnet into the box and they don't get a shell, but instead are given some kind of menu. It's been years since I've looked at it, but I'll see if I can track down if we still have it and see if I can find anything about it.
Maybe I can send you a partial copy of the code, or at least how it was built and with what tools.
-Dusty
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
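Added example, not part of the original thread and not the menu program Dusty mentions: a sketch of the "login that runs a script instead of a shell" idea, with the username validated before anything privileged runs. Assumptions: the script is installed under the hypothetical name `adduser-menu` and set as the account's login shell, it uses `useradd` and `passwd` rather than the interactive `adduser`, and a `doas` (or `sudo`) rule allows this account only those two commands.

```shell
#!/bin/sh
# Restricted "login shell" that can only create an account (added example).
# Nothing is read from the caller's environment: PATH, locale and helper are fixed.
PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH
LC_ALL=C; export LC_ALL
PRIV=doas      # assumption: rule limited to useradd and passwd for this account
DRY_RUN=0      # 1 = print the command instead of running it (used for testing)

# Accept 2-16 chars of a-z 0-9 _ - starting with a letter. This rejects
# option-like names ("-G wheel"), shell metacharacters, spaces and newlines.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        [a-z]*) ;;
        *) return 1 ;;
    esac
    [ "${#1}" -ge 2 ] && [ "${#1}" -le 16 ]
}

# Run one privileged command; arguments stay separate words, no eval.
run_priv() {
    if [ "$DRY_RUN" = 1 ]; then echo "$PRIV $*"; else "$PRIV" "$@"; fi
}

main() {
    trap '' INT QUIT TSTP            # no interrupt or suspend out of the prompt
    printf 'New RADIUS username: '
    IFS= read -r name || exit 1
    if ! valid_username "$name"; then
        echo 'Rejected: 2-16 chars of a-z 0-9 _ -, starting with a letter.' >&2
        exit 1
    fi
    if id -u "$name" >/dev/null 2>&1; then
        echo 'Rejected: account already exists.' >&2
        exit 1
    fi
    # New accounts get no shell; they exist only for RADIUS authentication.
    run_priv /usr/sbin/useradd -s /sbin/nologin -c 'RADIUS user' "$name" || exit 1
    run_priv /usr/bin/passwd "$name" || exit 1
    logger -p auth.notice -t adduser-menu "created account $name"
}

# Run the prompt only when invoked under the installed name.
case "$0" in
    */adduser-menu|adduser-menu) main ;;
esac
```

The script exits after one attempt, so a rejected name ends the session rather than leaving the caller at a prompt.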