Question

I have been doing a lot of research on SSH (OpenSSH) and RADIUS.

What I want to do:

SSH in to equipment with credentials (username and password) stored either on a RADIUS server or in an LDAP store. I have been reading online and some people point to having an LDAP server running in the background of your RADIUS server. This will work, but only if the user is found on the local machine.

The problem: Is there a way for me to SSH (or telnet) in to my equipment by logging in via a RADIUS server that contains the credentials? If not, is there a way for the client (the machine I am trying to connect to) to get an updated list of credentials from a central location (whether it be a RADIUS server, an SQL database, etc.) and store it locally?

I have been able to connect via RADIUS, but only on accounts that are local; for example, if I try to connect with an account that does not exist locally (client-wise) I get "incorrect".

Here is the RADIUS output:

rad_recv: Access-Request packet from host 192.168.4.1 port 5058, id=219, length=85
    User-Name = "klopez"
    User-Password = "\010\n\r\177INCORRECT"
    NAS-Identifier = "sshd"
    NAS-Port = 4033
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "192.168.4.200"


[ldap] performing user authorization for klopez
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]     ... expanding second conditional
[ldap]     expand: %{User-Name} -> klopez
[ldap]     expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=klopez)
[ldap]     expand: dc=lab,dc=local -> dc=lab,dc=local
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=lab,dc=local, with filter (uid=klopez)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
  [ldap] userPassword -> Cleartext-Password == "somepass"
  [ldap] userPassword -> Password-With-Header == "somepass"
[ldap] looking for reply items in directory...
[ldap] user klopez authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Config already contains "known good" password.  Ignoring Password-With-Header
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "?  INCORRECT"
[pap] Using clear text password "somepass"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> klopez
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds

I also have pam_radius installed, and it's working (I can log in on an account that exists locally). Although I read this and do not know if it is 100% accurate:

http://freeradius.1045715.n5.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-td2784316.html and http://fhf.org/archives/713

tl;dr: I need to SSH into a machine that does not have the user/password locally; that combination will be stored remotely, such as on a RADIUS server or in LDAP.

Please advise.

P.S.

The solution preferably uses a RADIUS server or LDAP, but that is not necessary. If there is an alternative, please advise.

Thanks,

Kevin
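The debug output above ends with FreeRADIUS hinting at a shared-secret problem, but the decoded User-Password it printed, "\010\n\r\177INCORRECT", is the fixed placeholder that OpenSSH's auth-pam.c hands to PAM when the login name does not resolve to a local account (a timing-leak mitigation). The following is an added example, not code from the original post: it implements the RFC 2865 section 5.2 User-Password hiding so the effect of a genuine secret mismatch can be seen, and decodes the escaped value from a FreeRADIUS debug line to tell the two cases apart. The secrets, the Request Authenticator and the second sample line are constructed; the escaped password is the one from the post.

```python
"""Reading a FreeRADIUS "Unprintable characters in the password" warning.

Added example, not part of the original post. Two things produce that warning:
 1. a real shared-secret mismatch: RFC 2865 5.2 User-Password hiding reversed
    with the wrong key yields random-looking bytes;
 2. OpenSSH's placeholder password for an account sshd cannot resolve locally
    (a constant in auth-pam.c): printable text wrapped in four control bytes,
    which is exactly what the post's debug output shows.
"""
import hashlib
import re

# OpenSSH (auth-pam.c) hands PAM this constant instead of the typed password
# when the login name is not a valid local account, so that failure timing
# does not reveal which user names exist.
OPENSSH_BADPW = b"\b\n\r\x7fINCORRECT"


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous block)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        # chaining uses the ciphertext block, which is the input when decrypting
        prev = block if decrypt else result
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode a User-Password value as the NAS does (zero-padded to a multiple of 16)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    return _xor_blocks(padded, secret, authenticator, decrypt=False)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the cleartext as the server does; only correct with the same secret."""
    return _xor_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


_SIMPLE_ESCAPES = {"n": b"\n", "r": b"\r", "t": b"\t", "\\": b"\\", '"': b'"'}


def decode_freeradius_string(text: str) -> bytes:
    """Undo FreeRADIUS debug escaping (backslash n/r/t, escaped quote and backslash, 3-digit octal)."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] != "\\":
            out += text[i].encode("latin-1")
            i += 1
        elif text[i + 1] in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[text[i + 1]]
            i += 2
        else:
            out.append(int(text[i + 1:i + 4], 8))
            i += 4
    return bytes(out)


_PW_ATTR = re.compile(r'User-Password = "(.*)"')


def is_printable(data: bytes) -> bool:
    return all(0x20 <= b < 0x7f for b in data)


def diagnose(debug_line: str) -> str:
    """Classify the User-Password value printed on a FreeRADIUS debug line."""
    m = _PW_ATTR.search(debug_line)
    if not m:
        raise ValueError("line carries no User-Password attribute")
    pw = decode_freeradius_string(m.group(1))
    if pw == OPENSSH_BADPW:
        return "user-unknown-on-nas"      # fix NSS/local account, not the secret
    if not is_printable(pw):
        return "possible-secret-mismatch"  # the warning's usual cause
    return "printable"


# The escaped value is verbatim from the post; the surrounding line is constructed.
POST_LINE = '    User-Password = "\\010\\n\\r\\177INCORRECT"'


def secret_mismatch_demo() -> bytes:
    """What the server sees when NAS and server secrets differ (constructed secrets)."""
    authenticator = bytes(range(16))  # constructed; a real NAS uses random bytes
    on_the_wire = hide_password(b"somepass", b"nas-secret", authenticator)
    return unhide_password(on_the_wire, b"server-secret", authenticator)


if __name__ == "__main__":
    print(POST_LINE.strip(), "->", diagnose(POST_LINE))
    garbage = secret_mismatch_demo()
    print("wrong secret decodes to", garbage, "->",
          "printable" if is_printable(garbage) else "unprintable")
```

Run it and the post's line classifies as "user-unknown-on-nas", while the constructed mismatch decodes to bytes that bear no relation to "somepass". The practical difference matters: the first case is fixed by making the account resolvable on the SSH host (NSS or a local entry), the second by correcting the secret in the NAS and in the server's clients configuration.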


Solution

You can configure SSH to authenticate directly against an LDAP server using PAM LDAP.

I've set it up myself on Debian Systems: https://wiki.debian.org/LDAP/PAM https://wiki.debian.org/LDAP/NSS

You need to have both PAM and NSS to get SSH working. You also need to enable PAM in your SSH configuration. Install the libnss-ldapd, libpam-ldapd and nslcd packages on a Debian (or Ubuntu) system.
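To make the answer's three requirements checkable, here is an added example (my code, not the answer's own or Debian's) that inspects sshd_config, nsswitch.conf and the PAM auth stack the way an audit script would. sshd must first resolve the account through NSS (what `getent passwd klopez` exercises) and must have UsePAM enabled before pam_ldap can ever check the password. The config fragments are constructed samples; on a real host pass the contents of /etc/ssh/sshd_config, /etc/nsswitch.conf and /etc/pam.d/common-auth, which `audit_host()` reads by default.

```python
"""Audit the three pieces an LDAP-backed SSH login needs on a Debian-style host.

Added example, not the answer's own code. sshd only runs PAM for accounts it
can resolve through NSS, so all three checks below must pass before pam_ldap
ever sees a password for a directory-only user.
"""
import re
from pathlib import Path

_USEPAM = re.compile(r"^usepam\s+(\S+)", re.IGNORECASE)
_PASSWD_DB = re.compile(r"^passwd\s*:\s*(.*)$")
# PAM lines: type, control (a word or a [bracketed] list), module, arguments
_PAM_AUTH = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def _directives(text: str):
    """Yield non-empty lines with comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def sshd_use_pam(sshd_config: str) -> bool:
    """Effective UsePAM value; sshd takes the first occurrence, and the default is no."""
    for line in _directives(sshd_config):
        m = _USEPAM.match(line)
        if m:
            return m.group(1).lower() == "yes"
    return False


def nss_passwd_uses_ldap(nsswitch: str) -> bool:
    """True if the passwd database lists the ldap source (served by nslcd)."""
    for line in _directives(nsswitch):
        m = _PASSWD_DB.match(line)
        if m:
            return "ldap" in m.group(1).split()
    return False


def pam_auth_uses_ldap(common_auth: str) -> bool:
    """True if some auth line loads pam_ldap.so."""
    for line in _directives(common_auth):
        m = _PAM_AUTH.match(line)
        if m and m.group(2).startswith("pam_ldap"):
            return True
    return False


def missing_pieces(sshd_config: str, nsswitch: str, common_auth: str) -> list:
    """Names of the requirements that are not met, in the order to fix them."""
    checks = [
        ("nsswitch.conf: passwd has no ldap source", nss_passwd_uses_ldap(nsswitch)),
        ("pam common-auth: pam_ldap.so not loaded", pam_auth_uses_ldap(common_auth)),
        ("sshd_config: UsePAM is not yes", sshd_use_pam(sshd_config)),
    ]
    return [name for name, ok in checks if not ok]


def audit_host(sshd_path="/etc/ssh/sshd_config", nss_path="/etc/nsswitch.conf",
               pam_path="/etc/pam.d/common-auth") -> list:
    """Run the checks against real files (paths are the Debian defaults)."""
    return missing_pieces(Path(sshd_path).read_text(), Path(nss_path).read_text(),
                          Path(pam_path).read_text())


# Constructed samples: a host that still only knows local accounts (the
# situation in the question) and the same host after the answer's packages
# have been installed and pam-auth-update has added pam_ldap.
SSHD_CONFIG = "Port 22\nUsePAM yes\nPasswordAuthentication yes\n"
NSSWITCH_BEFORE = "passwd:  compat\ngroup:   compat\nshadow:  compat\n"
NSSWITCH_AFTER = "passwd:  compat ldap\ngroup:   compat ldap\nshadow:  compat ldap\n"
COMMON_AUTH_BEFORE = (
    "auth  [success=1 default=ignore]  pam_unix.so nullok_secure\n"
    "auth  requisite                   pam_deny.so\n"
    "auth  required                    pam_permit.so\n"
)
COMMON_AUTH_AFTER = (
    "auth  [success=2 default=ignore]  pam_unix.so nullok_secure\n"
    "auth  [success=1 default=ignore]  pam_ldap.so minimum_uid=1000 use_first_pass\n"
    "auth  requisite                   pam_deny.so\n"
    "auth  required                    pam_permit.so\n"
)

if __name__ == "__main__":
    print("before:", missing_pieces(SSHD_CONFIG, NSSWITCH_BEFORE, COMMON_AUTH_BEFORE))
    print("after: ", missing_pieces(SSHD_CONFIG, NSSWITCH_AFTER, COMMON_AUTH_AFTER))
```

The "before" host reports the two missing pieces even though UsePAM is already on, which is the state the question describes: PAM is consulted, but only for names NSS can resolve. Once nslcd is configured and `getent passwd` returns the directory user, the remaining failure modes are the ones in the PAM and sshd logs rather than a silent local-account miss.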

Licensed under: CC-BY-SA with attribution