1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
.TH radius_shell 8
.\" Copyright 2018 Cumulus Networks, Inc. All rights reserved.
.SH NAME
radius_shell - front end shell for radius users
.SH SYNOPSIS
.B /sbin/radius_shell
is RADIUS client front end shell that will ensure that the euid, and the uid is set
to the auid (the accounting uid).
.SH DESCRIPTION
This shell front-end needed because at login, it's
not possible to determine if a user is privileged up front, because
the RADIUS protocol combines authentication and authorization in a single
transaction.
.P
That means that all RADIUS users login as the same base mapped user and therefore
the same UID, although the auid will be set differently.
.P
The
.B radius_shell
is installed with setcap permissions that allow it to set the uid.
It is set as the login shell for the radius users via the
.I libnss-mapuser
package.
.P
For security, the uid of the process is only changed if the auid is set,
and is 1000 or larger (this is the normal minimum uid for non-privileged
users via
.I adduser
and
.IR useradd .
The value is hardcoded in the source, it is not read from the
.I adduser.conf
configuration file.
.P
Whether the uid is changed or not, a login shell is exec'ed.
At this time, the login shell is only
.BR /bin/bash ,
although the other shells listed in
.I /etc/shells
may be allowed in the future.
.SH NOTE
If a site wants to allow local fallback authentication of a user when
none of the RADIUS servers respond, a privileged user account with the
same name as a RADIUS privileged user should be added as a local account,
and the local account must have the same uid as the mapping privileged
user, and the shell must be this shell.
.P
For example, if the
.B radius_priv_user
account in
.I /etc/passwd
is:
.in +3
.B "radius_priv_user:x:1002:1001::/home/radius_priv_user:/sbin/radius_shell"
.P
then the command to add a local privileged user account named
.B olsonadmin
would be
.in +3
.B "sudo useradd -u 1002 -g 1001 -o -s /sbin/radius_shell olsonadmin"
.P
Additionally, if you want the user to be able to run
.I sudo
and
.IR nclu ( net )
commands, you will also need to run the commands
.in +3
.B "sudo adduser olsonadmin netedit"
.br
.B "sudo adduser olsonadmin sudo"
.br
.B "sudo systemctl restart netd"
.P
Finally, edit the password file to move the local user prior to the
.B radius_priv_user
line in the passwd file, using the command
.in +3
.B "sudo vipw"
.in -3
Set the local password for the user
.in +3
.B "sudo passwd olsonadmin"
.in -3
.P
These extra steps are needed to the limitations of mapping RADIUS users, and the
limitations of the RADIUS protocol.
.SH "SEE ALSO"
.BR setcap (8),
.BR pam_radius_auth (8),
.BR adduser (8),
.BR useradd (8),
.BR vipw "(8), and"
.BR nss_mapuser (5)
.SH FILES
.SH AUTHOR
Dave Olson <olson@cumulusnetworks.com>
|