Wow!

GOOD STUFF!

This is what PLUG is about! 

Thanks 

Do good stuff
Dan
On Jul 9, 2011, at 9:35 PM, fooler mail wrote:

> On Fri, Jul 8, 2011 at 8:39 AM, Ramil Galib <[email protected]> wrote:
>> Thanks for the ideas.
>> Haven't looked into pam radius yet.
>> Here's the setup:
>> In our lan, users (the students) are allowed only 100 hours of free
>> computer use. Beyond that they have to pay for a minimal amount. I
>> want to keep track of their total login time in the network so that
>> when they reach the limit, maybe their account be temporarily disabled
>> and when enabled they will be billed accordingly. Also they have
>> printing quotas.
>> So my idea is:
>> There is a server for centralized authentication.
>> They have to ssh first to the log time tracking server. There I will
>> use acct to account the login times.
>> After they ssh, they will be given the gnome wm for their things to do.
>> The ssh connection must be persistent until they logout gnome.
>> Is this feasible? or some alternatives?
>> TIA
> 
> i'll show you how pam radius works so that you will have an idea how
> to solve your problem..
> 
> you need radius server for your centralized authentication and
> accounting needs...
> 
> you need pam radius installed in linux host for authentication and
> accounting (as well as centralized change password)...
> 
> i downloaded freeradius (http://freeradius.org/) as this popular
> opensource radius software have pam radius package along with it
> (http://freeradius.org/pam_radius_auth/)
> 
> according to freeradius author.. it tested in redhat 4 and 5... so i
> downloaded redhat 3 for testing purposes as well as show it to you how
> it works..
> 
> below is debug log output of radius server... pam radius installed in
> linux host with ip address of 1.0.0.1..
> 
> at the console terminal that using "login" program... when i type
> username "fooler" and password "testing" and it successfully
> authenticated.. this is what it received by radius server from pam
> radius host..
> 
> radius access-request:
> 
> rad_recv: Access-Request packet from host 1.0.0.1 port 3113, id=108, length=75
>        User-Name = "fooler"
>        User-Password = "testing"
>        NAS-IP-Address = 1.0.0.1
>        NAS-Identifier = "login"
>        NAS-Port = 2088
>        NAS-Port-Type = Virtual
>        Service-Type = Authenticate-Only
> 
> radius accounting-request:
> 
> rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113,
> id=73, length=73
>        User-Name = "fooler"
>        NAS-IP-Address = 1.0.0.1
>        NAS-Identifier = "login"
>        NAS-Port = 2088
>        NAS-Port-Type = Virtual
>        Acct-Status-Type = Start
>        Acct-Session-Id = "00002088"
>        Acct-Authentic = RADIUS
> 
> my linux host IP goes to radius attribute name called
> "NAS-IP-Address".. accounting-request started (Acct-Status-Type =
> Start) with session ID 2008 (Acct-Session-Id).. purpose of session ID
> is that the same user can have multiple connections at the same time
> and differentiated by the session ID number... but you can control
> that with your radius server if that user is allowed for multiple
> connections or not...  depends on your policy...
> 
> after i logout...  pam radius host sent another accounting request...
> 
> rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113,
> id=127, length=79
>        User-Name = "fooler"
>        NAS-IP-Address = 1.0.0.1
>        NAS-Identifier = "login"
>        NAS-Port = 2088
>        NAS-Port-Type = Virtual
>        Acct-Status-Type = Stop
>        Acct-Session-Id = "00002088"
>        Acct-Authentic = RADIUS
>        Acct-Session-Time = 76
> 
> this time.. radius attribute Acct-Status-Type is now Stop.. meaning it
> ended its session (session ID 2088).. the time for the whole session
> it consumed is registered in radius attribute Acct-Session-Time...
> which is 76 seconds...
> 
> another example.... instead of logging to terminal console.. i use ssh
> client to remotely connect to pam radius host 1.0.0.1... below its
> radius transaction received by the radius server...
> 
> rad_recv: Access-Request packet from host 1.0.0.1 port 3500, id=54, length=85
>        User-Name = "fooler"
>        User-Password = "testing"
>        NAS-IP-Address = 1.0.0.1
>        NAS-Identifier = "sshd"
>        NAS-Port = 2475
>        NAS-Port-Type = Virtual
>        Service-Type = Authenticate-Only
> rad_recv: Accounting-Request packet from host 1.0.0.1 port 3502,
> id=145, length=72
>        User-Name = "fooler"
>        NAS-IP-Address = 1.0.0.1
>        NAS-Identifier = "sshd"
>        NAS-Port = 2477
>        NAS-Port-Type = Virtual
>        Acct-Status-Type = Start
>        Acct-Session-Id = "00002477"
>        Acct-Authentic = RADIUS
> rad_recv: Accounting-Request packet from host 1.0.0.1 port 3502,
> id=142, length=78
>        User-Name = "fooler"
>        NAS-IP-Address = 1.0.0.1
>        NAS-Identifier = "sshd"
>        NAS-Port = 2477
>        NAS-Port-Type = Virtual
>        Acct-Status-Type = Stop
>        Acct-Session-Id = "00002477"
>        Acct-Authentic = RADIUS
>        Acct-Session-Time = 129
> 
> take note of NAS-Identifier.. it shows "sshd".. when I'm at console
> terminal.. its NAS-Identifier is "login"...  you mentioned gnome.. its
> gdm is pam aware.. if i use gnome.. it will show as "gdm" in
> NAS-Identifier..
> 
> in redhat (as well as other variants of linux OSes)... all pam aware
> applications resides in /etc/pam.d directory... you will see there..
> login, sshd, gdm, etc... but these pam aware applications are calling
> the system wide filename "/etc/pam.d/system-auth".. i put these two
> lines in /etc/pam.d/system-auth:
> 
> auth        sufficient    /lib/security/pam_radius_auth.so
> session     sufficient    /lib/security/pam_radius_auth.so
> 
> "auth" line is doing the authentication while "session" line is doing
> the accounting...
> 
> pam_radius_auth.so in "auth" line must be before or just above the
> line of pam_unix.so in auth group
> 
> pam_radius_auth.so in "session" line must be before or just above the
> line of pam_unix.so in session group
> 
> because i put those two lines in system wide file.. all pam aware
> applications in /etc/pam.d directory called pam_radius_auth.so..
> 
> if you want for ssh only.. move that from system wide file to sshd
> file... just make sure you turn it off public key authentication and
> force to use password based authentication as i noticed ssh is not
> using pam session or accounting when public key authentication is
> being used during my testing... because its redhat 3 and its ssh
> package is an old version.. perhaps a bug i think on ssh ...
> 
> freeradius is able to use any popular relational database...  store
> all radius transaction to that database... when database receives..
> accounting stop with session time... deduct that to its remaining
> time... when user try to authenticate again... radius server queried
> that database.. database must return allowed or denied access based on
> the time remaining and/or extra logic like allowed day and time to
> login...
> 
> so there goes that solve your time remaining problem...
> 
> for printing accounting... i haven't used "cups" but try to look at it
> if fits for your needs... oh by the way.. cups is pam aware too...
> 
> for automatic logout when time remaining goes to zero... although...
> radius has attribute name called "Session-Timeout".. freeradius' pam
> module didn't use that attribute.. to solve automatic logout.. it
> needs a little creativity on your side.. like for example... you know
> its username and time remaining from the database record... you need
> customized timer application when its time expired.. remote login to
> that pam host and kick that user...
> 
> so i hope you have now a basic idea about pam radius...
> 
> fooler...
> _________________________________________________
> Philippine Linux Users' Group (PLUG) Mailing List
> http://lists.linux.org.ph/mailman/listinfo/plug
> Searchable Archives: http://archives.free.net.ph
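To make the accounting flow fooler describes concrete (deducting each Stop's Acct-Session-Time from a remaining-time balance and answering the next Access-Request from what is left), here is an added Python example; it is not code from the thread or from freeradius. It parses the rad_recv debug format shown above and assumes a plain in-memory dict standing in for the database the radius server would query.

```python
# Accounting packets as freeradius prints them (format copied from the thread; the
# sample is constructed: a console login that ended, then an ssh login still open).
SAMPLE_LOG = """\
rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113, id=73, length=73
       User-Name = "fooler"
       Acct-Status-Type = Start
       Acct-Session-Id = "00002088"
rad_recv: Accounting-Request packet from host 1.0.0.1 port 3113, id=127, length=79
       User-Name = "fooler"
       Acct-Status-Type = Stop
       Acct-Session-Id = "00002088"
       Acct-Session-Time = 76
rad_recv: Accounting-Request packet from host 1.0.0.1 port 3502, id=145, length=72
       User-Name = "fooler"
       Acct-Status-Type = Start
       Acct-Session-Id = "00002477"
"""

def parse_packets(text):
    """Split 'rad_recv:' debug output into one attribute dict per packet."""
    packets = []
    for line in text.splitlines():
        if line.startswith("rad_recv:"):
            packets.append({})
        elif packets and "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            packets[-1][name] = value.strip('"')
    return packets

def account(packets, balance):
    """Replay accounting against balance = {user: remaining seconds}. Stops are
    keyed by (user, Acct-Session-Id) so a retransmitted Stop is deducted once;
    a Start with no matching Stop is reported as still open."""
    open_sessions, seen_stops = set(), set()
    for p in packets:
        key = (p.get("User-Name"), p.get("Acct-Session-Id"))
        if p.get("Acct-Status-Type") == "Start":
            open_sessions.add(key)
        elif p.get("Acct-Status-Type") == "Stop" and key not in seen_stops:
            seen_stops.add(key)
            open_sessions.discard(key)
            balance[key[0]] = balance.get(key[0], 0) - int(p.get("Acct-Session-Time", 0))
    return balance, open_sessions

def access_decision(user, balance, open_sessions, allow_concurrent=False):
    """Verdict the server's database lookup would return on the next Access-Request."""
    if balance.get(user, 0) <= 0 or (not allow_concurrent and any(u == user for u, _ in open_sessions)):
        return "Access-Reject"
    return "Access-Accept"
```

A duplicated Stop and a Start that never gets its Stop are the two cases the billing table has to survive; the concurrency flag is the "multiple connections" policy choice mentioned above.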
