Hi;

For a long time now, I have been trying to unify the login credentials in a heterogeneous environment. While I am aware of the few available options, I have decided against them, for varied reasons.

In the last few days, I have been able to produce the effect which I desired, using pam_radius_auth and IAS. All is well, and I am able to SSH-login using my Active Directory login credentials. But before I take this to production, I would like to know if this approach is safe - the IAS setting that works says "Unencrypted authentication (PAP)".

From here http://lists.cistron.nl/pipermail/freeradius-users/2006-July/055010.html, I understand that pam_radius_auth 'encrypts' the password. But if a user has the privileges to change the /etc/raddb/server file (and point it to a freeradius server), wouldn't he/she be able to siphon off the credentials?

Our setup would disallow direct 'root' logins over SSH. However, once the user logs in using his/her credentials, they would then be allowed to do a sudo or a privilege escalation, thereby opening the possibility of a /etc/raddb/server edit. I know worse things can happen with superuser privileges; however, I am not worried about the bad that can happen to the client machines.

Is there a better way, using radius? Please suggest. If this query is a rerun, pointers/references would do.

Thank you.

Regards,
suraj.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
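As an added example (not code from the post or from pam_radius_auth), here is a defender-side audit of the pam_radius_auth server file: it parses the assumed `host[:port] shared_secret [timeout]` line format, flags any RADIUS server not on an approved list, and checks that the file is root-owned and not group/other readable. The sample file content, the host names and the approved list are constructed for illustration.

```python
import os
import stat
from typing import Dict, List, Set

# Constructed sample of /etc/raddb/server (assumed pam_radius_auth format:
# "server[:port] shared_secret [timeout]", '#' starts a comment).
SAMPLE_SERVER_FILE = """# RADIUS servers used by pam_radius_auth
ias.corp.example:1812    s3cr3t-shared   3
# a second server that nobody approved
10.0.0.99                otherpass       3
"""

# Hypothetical allowlist of the RADIUS servers this host may talk to.
APPROVED_SERVERS: Set[str] = {"ias.corp.example"}


def parse_server_file(text: str) -> List[Dict]:
    """Return one dict per configured server: line, host, port, secret, timeout."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        host, _, port = parts[0].partition(":")
        entries.append({
            "line": lineno,
            "host": host,
            "port": int(port) if port else 1812,  # RADIUS auth default port
            "secret": parts[1] if len(parts) > 1 else "",
            "timeout": int(parts[2]) if len(parts) > 2 else None,
        })
    return entries


def audit_entries(entries: List[Dict], approved: Set[str]) -> List[str]:
    """Flag servers outside the allowlist and entries with no shared secret."""
    findings = []
    for e in entries:
        if e["host"] not in approved:
            findings.append(f"line {e['line']}: unapproved RADIUS server {e['host']}:{e['port']}")
        if not e["secret"]:
            findings.append(f"line {e['line']}: missing shared secret")
    return findings


def audit_mode(st_mode: int, st_uid: int) -> List[str]:
    """The file holds shared secrets: require root ownership and no group/other bits."""
    findings = []
    if st_uid != 0:
        findings.append("server file is not owned by root")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("server file is readable or writable by group/other")
    return findings


def audit_path(path: str = "/etc/raddb/server", approved: Set[str] = APPROVED_SERVERS) -> List[str]:
    """Audit a real file on disk; returns a list of findings (empty means clean)."""
    st = os.stat(path)
    with open(path) as fh:
        entries = parse_server_file(fh.read())
    return audit_mode(st.st_mode, st.st_uid) + audit_entries(entries, approved)
```

File mode alone does not stop someone who already has sudo from editing the list, so run this from a periodic job or configuration management so that an added or changed server entry is at least noticed.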