LinuxQuestions.org > Linux - Server > Centralized SSH Auth Server?
(https://www.linuxquestions.org/questions/linux-server-73/centralized-ssh-auth-server-630795/)

dumbsheep 03-26-2008 10:26 AM

Centralized SSH Auth Server?
 
All,

Hello. I work for a company that currently has customers that we ssh to in order to do upgrades or troubleshoot issues remotely. However, we all use the same account, which we want to get away from. So here's my question:

Is there some sort of server that I can install that will allow us to keep track of the exact users that are sshing to our customers'? Kind of like Cisco's Access Control Server.

Let me give a brief scenario. Let's say we have 20 employees that assist customers. We want them to be able to ssh to a device that will log their username and the IP address of the location they are going to. This includes the length of time at that location and so on, so that when a change is made at a customer's site we can say so-and-so was on their site at that time.

Hopefully I am being clear. Thanks for the help in advance.

/dumpsheep

acid_kewpie 03-26-2008 10:28 AM

well use acs if you like it, should work just fine. you can hook up radius access via pam for ssh or any other user authentication if you so wish. if you want a linux based radius rather than acs, try freeradius.

dumbsheep 03-26-2008 10:31 AM

Thanks. I was under the impression that Cisco ACS only works for Cisco devices. We are sshing to Linux boxes. I have a freeRadius box already up and running; I didn't think that would do the job that a true ACS box would. Kind of hoping to have an all-in-one box that is self-contained so we can add specific users and have permission control. Maybe this doesn't exist yet? Thanks again.

/dumpsheep

acid_kewpie 03-26-2008 10:32 AM

http://www.wikidsystems.com/document...wtos/pamradius

wikid is, on the outside, just another radius server from the perspective of the configuration process.

note also you could use lots of other protocols, ldap might be the best for you really, as that would provide the user base and the interface in one, whereas radius either needs a user base source behind it or more manual hardcoding.

dumbsheep 03-26-2008 10:34 AM

Awesome. Thanks for the link. I'll take a look.

acid_kewpie 03-26-2008 10:37 AM

freeradius is a radius server
acs is a radius server

be careful what you're calling "true". Cisco didn't invent RADIUS; they just provide one of a hundred different RADIUS services.

dumbsheep 03-26-2008 10:42 AM

Understood. But Cisco ACS isn't "just" a radius box. FreeRadius is just a dumb radius box that you can build around. Like I said, I have a freeRadius box running here and it's flawless for what it does. Speaking of Cisco, you should see the ports they are using for Radius on their ASAs now (1645 for auth and 1646 for acct). Last I knew the RFC still said 1812 for auth and 1813 for acct. You have to manually change the aaa setting to make it 1812 and 1813. Maybe that's changed as well?

acid_kewpie 03-26-2008 10:45 AM

1645/6 is radius, 1812/3 is radius2, which was changed because there was a port clash with some other protocol already using 1645
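The RADIUS authentication that acid_kewpie suggests hooking into sshd via PAM, and the port discussion above, are both about RFC 2865 Access-Request / Access-Accept traffic. The following is an added, self-contained example (not code from the thread or from FreeRADIUS/ACS) that builds both sides of that exchange in-process: the client hides the User-Password under the shared secret and a random Request Authenticator, the server recovers it and answers with a Response Authenticator, and the client refuses any reply that does not validate against its own request. The user database, shared secret and NAS-Identifier are constructed sample values.

```python
"""Minimal RFC 2865 Access-Request / Access-Accept exchange, computed in-process
so it runs offline. Constructed example; not from the thread or any product."""
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and the attribute types used here.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32

# Ports as discussed in the thread: 1645 is the older authentication port,
# 1812 is the IANA-assigned one from RFC 2865.
LEGACY_AUTH_PORT, RFC_AUTH_PORT = 1645, 1812


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    # Each attribute is Type(1) Length(1, includes header) Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2:
            raise ValueError("bad attribute length")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def access_request(user: str, password: str, secret: bytes,
                   ident: int = 1, nas: bytes = b"ssh-gateway") -> bytes:
    """Client side: fresh random Request Authenticator, hidden password."""
    ra = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, ra)),
        (ATTR_NAS_IDENTIFIER, nas),   # hypothetical NAS name
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it against a constructed user
    table, reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    ra = packet[4:20]
    attrs = decode_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, ra)
    reply_code = ACCESS_ACCEPT if users.get(user) == pw else ACCESS_REJECT
    reply_attrs = b""
    hdr = struct.pack("!BBH", reply_code, ident, 20 + len(reply_attrs))
    resp_auth = hashlib.md5(hdr + ra + reply_attrs + secret).digest()
    return hdr + resp_auth + reply_attrs


def client_verify(request: bytes, reply: bytes, secret: bytes) -> int:
    """Client side: accept only replies whose Response Authenticator validates
    against the shared secret and the original Request Authenticator.
    Returns the reply code; raises ValueError on a bad or mismatched reply."""
    ra = request[4:20]
    hdr, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(hdr + ra + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("bad Response Authenticator")
    if hdr[1] != request[1]:
        raise ValueError("identifier mismatch")
    return hdr[0]
```

On the sshd side, the PAM hook acid_kewpie refers to is usually the pam_radius_auth module (a line such as `auth sufficient pam_radius_auth.so` in /etc/pam.d/sshd, with the server, shared secret and timeout listed in /etc/pam_radius_auth.conf, and `UsePAM yes` in sshd_config); that module does on the wire what `access_request` and `client_verify` do above. The exchange also makes clear why the shared secret deserves care: it is the only thing protecting the password in transit and the only thing authenticating the server's answer.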

dumbsheep 03-26-2008 10:46 AM

Oh, so you're saying 1645 and 1646 were the standard. Interesting. I never knew that.

nickowen 03-26-2008 12:28 PM

Dumbsheep:

This sounds somewhat like a howto I wrote about setting up an SSH gateway server. The basic idea was that you open one SSH box up on the firewall and use that box to get to the others. You could then mix and match authentications - requiring two-factor for the gateway and allowing keys from the gateway to the target boxes.

http://www.howtoforge.com/secure_ssh...authentication

The article talks about two-factor authentication, which may or may not be warranted. If not, just ignore it...

hth,

Nick
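Nick's gateway design gives dumbsheep's original requirement (who logged in, from where, for how long, and who was on at a given moment) a single place to answer it: the gateway's own sshd log. The following is an added example, not code from the thread or from the howto linked above, that pairs sshd's "Accepted ..." lines with the matching pam_unix "session closed" lines by process id to produce per-user session records and answer "who was on the gateway at this time?". The log lines are constructed in the usual syslog/sshd shape, and the year (absent from syslog timestamps) is an assumed parameter.

```python
"""Per-user SSH session accounting from a gateway's sshd log.
Added example with constructed log lines; not from the thread or the howto."""
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample lines in the usual syslog/sshd shape (not from any real host).
SAMPLE_LOG = """\
Mar 26 10:26:01 gw sshd[4102]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:c0ffee
Mar 26 10:26:01 gw sshd[4102]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 26 10:27:40 gw sshd[4177]: Failed password for invalid user admin from 198.51.100.7 port 40012 ssh2
Mar 26 10:30:15 gw sshd[4210]: Accepted keyboard-interactive/pam for bob from 192.0.2.11 port 50001 ssh2
Mar 26 10:30:15 gw sshd[4210]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar 26 10:41:33 gw sshd[4102]: pam_unix(sshd:session): session closed for user alice
Mar 26 10:45:00 gw sshd[4210]: pam_unix(sshd:session): session closed for user bob
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
FAILED = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
CLOSED = re.compile(r"session closed for user (?P<user>\S+)")

# end/seconds are None for a session that has not closed by the end of the log.
Session = namedtuple("Session", "user ip method start end seconds")


def parse_ts(ts: str, year: int) -> datetime:
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def sessions_from_log(text: str, year: int = 2008):
    """Return (sessions, failures). Sessions are keyed on the sshd pid that
    logged the 'Accepted' line, which the same pid later closes."""
    open_by_pid = {}
    sessions, failures = [], []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, pid, msg = parse_ts(m["ts"], year), m["pid"], m["msg"]
        if (a := ACCEPTED.match(msg)):
            open_by_pid[pid] = {"user": a["user"], "ip": a["ip"],
                                "method": a["method"], "start": ts}
        elif (f := FAILED.match(msg)):
            failures.append((f["user"], f["ip"], ts))
        elif (c := CLOSED.search(msg)):
            rec = open_by_pid.pop(pid, None)
            if rec and rec["user"] == c["user"]:
                secs = int((ts - rec["start"]).total_seconds())
                sessions.append(Session(rec["user"], rec["ip"], rec["method"],
                                        rec["start"], ts, secs))
    # Anything still open is reported too, so a live session is never invisible.
    for rec in open_by_pid.values():
        sessions.append(Session(rec["user"], rec["ip"], rec["method"],
                                rec["start"], None, None))
    return sessions, failures


def who_was_on_at(sessions, when: datetime):
    """Users with a gateway session spanning the given moment, sorted."""
    return sorted(s.user for s in sessions
                  if s.start <= when and (s.end is None or when <= s.end))


if __name__ == "__main__":
    sess, fails = sessions_from_log(SAMPLE_LOG)
    for s in sess:
        print(f"{s.user:8} {s.ip:15} {s.method:24} {s.start} -> {s.end} ({s.seconds}s)")
    for user, ip, ts in fails:
        print(f"FAILED  {user:8} {ip:15} {ts}")
    print("on at 10:35:", who_was_on_at(sess, datetime(2008, 3, 26, 10, 35)))
```

This records the gateway side only (employee, source address, method, start, end). The onward hop to the customer box is what the employee runs from the gateway, so if the customer's host must appear in the same record, the gateway also needs to log those outbound connections, which is the part a dedicated gateway product handles for you.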

dumbsheep 03-26-2008 12:33 PM

Nick,

Thank you. I'll take a look at this.

/dumbsheep

sunjith 06-18-2009 02:10 AM

Quote: Originally Posted by dumbsheep (Post 3101087), quoting the opening post above in full.

Check out ezeelogin software: www.ezeelogin.com

It has user access control to different servers, parallel shell, logging ssh sessions of each user, automated server password changes, rm -rf protection, and much more. Hope it will suit your needs for an ssh gateway server software.
