[olug] Using RADIUS roles for sudoers
Noel Leistad
noel at metc.net
Wed Feb 4 13:17:41 CST 2015
On 02/04/2015 12:52 PM, Kevin wrote:
> How about this then? Using sudo, everyone is allowed to do everything. But
> with RADIUS, users are restricted.
> On Feb 4, 2015 12:48 PM, "Damian Harouff" <cekkent at gmail.com> wrote:
>
>> That's what I've got in place at the moment, but that only seems to cover
>> the password authentication; after authentication via the PAM module for
>> RADIUS, sudo still attempts to read from /etc/sudoers to see if the user is
>> indeed allowed to do anything. Unless I has the dumb and there's something
>> I'm missing.
>>
>> On Wed, Feb 4, 2015 at 12:42 PM, Kevin <sharpestmarble at gmail.com> wrote:
>>
>>> Have you looked at PAM? There's a RADIUS PAM connector that looks like it
>>> might do what you want if you put it into /etc/pam.d/sudo
>>> On Feb 4, 2015 10:21 AM, "Damian Harouff" <cekkent at gmail.com> wrote:
>>>
>>>> I've recently encountered an existing system where the company already has
>>>> a RADIUS server set up for authentication, including SSH and sudo, but they
>>>> would like to also use the RADIUS roles to determine what commands can be
>>>> executed via sudo.
>>>>
>>>> I know that sudo has the ability to use LDAP for this, but LDAP isn't
>>>> available, and the company is not interested in an LDAP server.
>>>>
>>>> The Google did not turn up much. Anyone ever done this before?
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://lists.olug.org/mailman/listinfo/olug
>>>>
Since my Kindle isn't with me today, I can't confirm, but I found a pretty
good book and I remember it discussing LDAP and I'm pretty sure RADIUS.
The bullet list mentions other possibilities at the attached link:
https://www.michaelwlucas.com/nonfiction/sudo-mastery
I've got more O'Reilly, but Michael Lucas is an enjoyable tech read. I
have a few of his books on my shelf. Always manage to have a laugh when
reading his stuff.
--
#######################################################
# Noel Leistad, CISSP #
# noel at metc.net #
# #
#######################################################
Homer: Hey, Burns! Eat my shorts!
Burns: Who the Sam Hill was that?
One Fish, Two Fish, Blowfish, Blue Fish
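An added illustration of the split the thread describes, constructed here rather than taken from the list, from pam_radius or from the sudo project: pam_radius_auth.so in /etc/pam.d/sudo only decides whether the password is accepted, and /etc/sudoers still decides which commands may run. The group names, command paths and the RADIUS server file location are assumptions.

```conf
# /etc/pam.d/sudo  (constructed example)
# pam_radius_auth.so reads its server list and shared secret from
# /etc/raddb/server or /etc/pam_radius_auth.conf, depending on the distro.
# It answers only "is this password good?"; it does not hand sudo any
# role information from the RADIUS reply.
auth     sufficient  pam_radius_auth.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
session  required    pam_unix.so

# /etc/sudoers  (edit with visudo; constructed example)
# The shortcut floated in the thread, "everyone may do everything and let
# RADIUS restrict": after the change above, any user RADIUS accepts is root.
# Authorization has collapsed into authentication, so it stays commented out.
#   ALL ALL=(ALL) ALL
#
# Authorization that survives the RADIUS change: sudo still matches the
# invoking user against these rules. The group names must therefore be
# resolvable locally (/etc/group, NSS, or an LDAP/SSSD backend); nothing in
# the PAM stack maps a RADIUS role onto them. Group and command names assumed.
%radius-admins  ALL=(ALL) ALL
%radius-ops     ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/journalctl
```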