suraj shankar wrote:
> I understand that pam_radius_auth 'encrypts' the password. But if a user has the privileges to change the /etc/raddb/server file (and point it to a freeradius server), wouldn't he/she be able to siphon off the credentials?

Yes.

> Our setup would disallow direct 'root' logins over SSH. However, once the user logs in using his/her credentials, they would then be allowed to do a sudo or a privilege escalation, thereby opening the possibility of a /etc/raddb/server edit.

So... why are you giving people root access if you don't trust them?

> I know worse things can happen with superuser privileges; however, I am not worried about the bad that can happen to the client machines.
>
> Is there a better way, using radius? Please suggest. If this query is a rerun, pointers/references would do. Thank you.

Any solution would have exactly the same security issues.

Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
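A defender-side check for the tampering discussed in this thread, added here as an example and not code from the thread or from the pam_radius_auth project: it parses the pam_radius_auth server file format (one entry per line, "server[:port] shared_secret timeout"), reports entries that point at hosts outside an assumed allowlist of administrator-run RADIUS servers, and checks that the file holding the shared secret is root-owned and not group/world accessible. The sample file contents and the allowlist are constructed.

```python
import os
import stat

# Constructed sample contents of /etc/raddb/server. The second entry is the
# kind of edit the thread worries about: a server the admins do not operate.
SAMPLE_CONFIG = """\
# server[:port]            shared_secret         timeout (s)
radius.corp.example:1812   secret-placeholder    3
10.0.0.99                  rogue-placeholder     1
"""

# Assumed allowlist: the RADIUS hosts the administrators actually run.
ALLOWED_SERVERS = {"radius.corp.example"}


def parse_servers(text):
    """Return (host, port_or_None) tuples from pam_radius_auth config text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        host, _, port = line.split()[0].partition(":")
        entries.append((host, port or None))
    return entries


def unexpected_servers(text, allowed=ALLOWED_SERVERS):
    """Entries whose host is not allowlisted: a non-empty result means the
    file no longer points only at the expected RADIUS servers."""
    return [e for e in parse_servers(text) if e[0] not in allowed]


def check_file_metadata(uid, mode, path="/etc/raddb/server"):
    """Findings for a file holding the shared secret: must be root-owned and
    must not grant any group/other permission bits."""
    findings = []
    if uid != 0:
        findings.append(f"{path} is not owned by root (uid {uid})")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is group/world accessible (mode {oct(mode & 0o777)})")
    return findings


def permission_findings(path="/etc/raddb/server"):
    """Run check_file_metadata() against the real file on this host."""
    st = os.stat(path)
    return check_file_metadata(st.st_uid, st.st_mode, path)


if __name__ == "__main__":
    for host, port in unexpected_servers(SAMPLE_CONFIG):
        print(f"unexpected RADIUS server: {host}:{port or 'default port'}")
```

Running it periodically (or on file change via an audit rule) gives a detection signal; it does not change the fact the reply makes, that anyone with root can edit the file in the first place.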

