LinuxQuestions.org
Forums > Linux Forums > Linux - Server
Linux - Server: This forum is for the discussion of Linux Software used in a server related context.
Old 03-26-2008, 10:26 AM   #1
dumbsheep
Member
 
Registered: Jan 2005
Location: USA
Distribution: Red Hat, CentOS, Fedora, Suse
Posts: 54

Rep: Reputation: 15
Question Centralized SSH Auth Server?


All,

Hello. I work for a company that currently has customers that we ssh to in order to do upgrades or troubleshoot issues remotely. However, we all use the same account, which we want to get away from. So here's my question:

Is there some sort of server that I can install that will allow us to keep track of the exact users that are sshing to our customers? Kind of like Cisco's Access Control Server.

Let me give a brief scenario. Let's say we have 20 employees that assist customers. We want them to be able to ssh to a device that will log their username and the IP of the location they are going to. This includes the length of time at that location and so on, so when a change is made at a customer's site we can say so-and-so was on their site at that time.

Hopefully I am being clear. Thanks for the help in advance.

/dumpsheep
 
Old 03-26-2008, 10:28 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,378

Rep: Reputation: 1963
Well, use ACS if you like it; it should work just fine. You can hook up RADIUS access via PAM for SSH or any other user authentication if you so wish. If you want a Linux-based RADIUS rather than ACS, try FreeRADIUS.
 
Old 03-26-2008, 10:31 AM   #3
dumbsheep
Original Poster
Thanks. I was under the impression that Cisco ACS only works for Cisco devices. We are sshing to Linux boxes. I have a FreeRADIUS box already up and running but didn't think that would do the job that a true ACS box would. Kind of hoping to have an all-in-one box that is self-contained so we can add specific users and have permission control. Maybe this doesn't exist yet? Thanks again.

/dumpsheep
 
Old 03-26-2008, 10:32 AM   #4
acid_kewpie
Moderator
http://www.wikidsystems.com/document...wtos/pamradius

WiKID is, on the outside, just another RADIUS server from the perspective of the configuration process.

Note also that you could use lots of other protocols; LDAP might be the best for you really, as that would provide the user base and the interface in one, whereas RADIUS either needs a user base source behind it or more manual hardcoding.
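To make the PAM-plus-RADIUS route from posts #2 and #4 concrete, here is an added example (it is not from the thread, nor from FreeRADIUS or pam_radius themselves). It assumes a RHEL/CentOS-style sshd whose /etc/pam.d/sshd includes system-auth, the pam_radius_auth module installed, and a RADIUS server (the FreeRADIUS box mentioned above would do) that already has this host as a NAS client. The function names, the ROOT argument and the server/secret values are this example's own inventions; stage into a scratch directory first, review, then run it with ROOT=/ on the box that accepts the SSH logins.

```shell
#!/bin/sh
# Added example: stage the three files that make sshd authenticate through
# a RADIUS server via pam_radius_auth.  Assumed layout is RHEL/CentOS-style
# (/etc/pam.d/sshd including system-auth); the function names and arguments
# are this example's own, not part of pam_radius or FreeRADIUS.
set -e

# install_pam_radius_for_sshd ROOT SERVER SECRET
#   ROOT    "/" on the real host, or a scratch directory to review first
#   SERVER  RADIUS server host/IP (e.g. the FreeRADIUS box already running)
#   SECRET  shared secret; must match the NAS entry for this host on the server
install_pam_radius_for_sshd() {
    root=$1 server=$2 secret=$3
    mkdir -p "$root/etc/raddb" "$root/etc/pam.d" "$root/etc/ssh"

    # /etc/raddb/server, read by pam_radius_auth: "server[:port] secret timeout".
    # 1812 is the RFC 2865 authentication port; older gear defaults to 1645.
    # The file holds the secret, so it is created readable by root only.
    (umask 077; printf '%s:1812 %s 3\n' "$server" "$secret" > "$root/etc/raddb/server")

    # /etc/pam.d/sshd: RADIUS is consulted first.  "sufficient" means a RADIUS
    # accept finishes authentication, while a reject falls through to the local
    # password check via system-auth; change it to "required" (and drop the
    # fallback) once every engineer is in RADIUS, otherwise the shared local
    # account stays usable.  RADIUS only answers "auth": the account must still
    # be known to the box (local /etc/passwd or LDAP via nsswitch), which is the
    # user-base caveat from post #4.
    cat > "$root/etc/pam.d/sshd" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_radius_auth.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_loginuid.so
session    include      system-auth
EOF

    # sshd must hand the password to PAM; challenge-response lets a one-time
    # password (the WiKID case) be prompted for as well.
    cat >> "$root/etc/ssh/sshd_config" <<'EOF'
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF
}

# Self-check of a staged tree: returns 0 when all three pieces are in place.
check_pam_radius_stage() {
    root=$1
    grep -q ':1812 ' "$root/etc/raddb/server" 2>/dev/null &&
    grep -q '^auth  *sufficient  *pam_radius_auth\.so' "$root/etc/pam.d/sshd" 2>/dev/null &&
    grep -q '^UsePAM yes' "$root/etc/ssh/sshd_config" 2>/dev/null
}

# Usage: stage on a workstation first, then on the real box with ROOT=/:
#   install_pam_radius_for_sshd /tmp/stage radius.example.net S3cretShared
#   check_pam_radius_stage /tmp/stage && echo staged
```

Keep a root shell open while you restart sshd after copying the files in: a typo in the PAM stack locks you out of new logins, and the "sufficient" line is what lets the old local password still work during the cutover.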
 
Old 03-26-2008, 10:34 AM   #5
dumbsheep
Original Poster
Awesome. Thanks for the link. I'll take a look.
 
Old 03-26-2008, 10:37 AM   #6
acid_kewpie
Moderator
FreeRADIUS is a RADIUS server.
ACS is a RADIUS server.

Be careful what you're calling "true": Cisco didn't invent RADIUS, they just provide one of a hundred different RADIUS services.
 
Old 03-26-2008, 10:42 AM   #7
dumbsheep
Original Poster
Understood. But Cisco ACS isn't "just" a RADIUS box. FreeRADIUS is just a dumb RADIUS box that you can build around. Like I said, I have a FreeRADIUS box running here and it's flawless for what it does. Speaking of Cisco, you should see the ports they are using for RADIUS on their ASAs now (1645 for auth and 1646 for acct). Last I knew the RFC still said 1812 for auth and 1813 for acct. You have to manually change the aaa setting to make it 1812 and 1813. Maybe that's changed as well?
 
Old 03-26-2008, 10:45 AM   #8
acid_kewpie
Moderator
1645/6 is RADIUS, 1812/3 is RADIUS2, which was changed because there was a port clash with some other protocols using 1645 already.
 
Old 03-26-2008, 10:46 AM   #9
dumbsheep
Original Poster
Oh, so you're saying 1645 and 1646 were the standard. Interesting. I never knew that.
 
Old 03-26-2008, 12:28 PM   #10
nickowen
LQ Newbie
 
Registered: Mar 2008
Posts: 18

Rep: Reputation: 0
Dumbsheep:

This sounds somewhat like a howto I wrote about setting up an SSH gateway server. The basic idea was that you open one SSH box up on the firewall and use that box to get to the others. You could then mix and match authentication: requiring two-factor for the gateway and allowing keys from the gateway to the target boxes.

http://www.howtoforge.com/secure_ssh...authentication

The article talks about two-factor authentication, which may or may not be warranted. If not, just ignore it...

hth,

Nick
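The gateway Nick describes is also where dumbsheep's accounting requirement from post #1 (who, from where, for how long) can be satisfied: every engineer passes through one sshd, so its log is the single record. The script below is an added example, not from the thread or from the howto, and reads sshd lines in the format sshd and pam_unix write to /var/log/secure on RHEL/CentOS. The hostname "gateway", the users and the addresses in SAMPLE_LOG are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example: per-session accounting from the gateway's sshd syslog.
# SAMPLE_LOG is constructed in the format sshd + pam_unix write on
# RHEL/CentOS; hostname, users and addresses are made up.
SAMPLE_LOG='Mar 26 10:26:01 gateway sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Mar 26 10:26:01 gateway sshd[1234]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 26 10:30:12 gateway sshd[1300]: Accepted keyboard-interactive/pam for bob from 198.51.100.7 port 40022 ssh2
Mar 26 10:30:12 gateway sshd[1300]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar 26 10:31:45 gateway sshd[1350]: Failed password for invalid user admin from 203.0.113.9 port 3333 ssh2
Mar 26 10:41:33 gateway sshd[1234]: pam_unix(sshd:session): session closed for user alice'

# ssh_session_report: read sshd log lines on stdin, print one tab-separated
# record per login: user, source IP, login time, logout time (or "open"),
# duration in seconds (or "open").  The "Accepted ..." line and the PAM
# session open/close lines of one connection carry the same sshd pid, so the
# pid is the correlation key.  Failed and invalid-user attempts never produce
# an "Accepted" line and are therefore not sessions.
ssh_session_report() {
    awk '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        # days before each month (non-leap); enough for durations inside one
        # log file, which is all a syslog timestamp without a year supports
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
    }
    # seconds since Jan 1 of the (unknown) log year
    function epoch(mname, day, hms,    t) {
        split(hms, t, ":")
        return (cum[mon[mname]] + day - 1) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    # "sshd[1234]:" -> "1234"
    function pid_of(field) { sub(/.*\[/, "", field); sub(/\].*/, "", field); return field }
    $5 ~ /^sshd\[/ && $6 == "Accepted" {
        p = pid_of($5)
        user[p] = $9; src[p] = $11
        start[p] = $1 " " $2 " " $3; t0[p] = epoch($1, $2, $3)
        order[++n] = p
    }
    $5 ~ /^sshd\[/ && /session closed for user/ {
        p = pid_of($5)
        if (p in start) { stop[p] = $1 " " $2 " " $3; t1[p] = epoch($1, $2, $3) }
    }
    END {
        for (i = 1; i <= n; i++) {
            p = order[i]
            if (p in stop)
                printf "%s\t%s\t%s\t%s\t%d\n", user[p], src[p], start[p], stop[p], t1[p] - t0[p]
            else
                printf "%s\t%s\t%s\topen\topen\n", user[p], src[p], start[p]
        }
    }'
}

# Run the report over the constructed sample.  On a real gateway:
#   grep sshd /var/log/secure | ssh_session_report
report_sample() { printf '%s\n' "$SAMPLE_LOG" | ssh_session_report; }
```

This only answers "who was on the gateway when"; it does not see which customer box the engineer went on to. Pairing it with per-user keys on the gateway (so the onward hop is logged under the engineer's own name on the target, not a shared account) closes that gap, which is the point of Nick's gateway-then-keys split.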
 
Old 03-26-2008, 12:33 PM   #11
dumbsheep
Original Poster
Nick,

Thank you. I'll take a look at this.

/dumbsheep
 
Old 06-18-2009, 02:10 AM   #12
sunjith
LQ Newbie
 
Registered: Jan 2009
Location: Kochi, India
Distribution: Fedora
Posts: 4

Rep: Reputation: 0
Quote: Originally Posted by dumbsheep (post #1 above, quoted in full)
Check out ezeelogin software: www.ezeelogin.com

It has user access control to different servers, a parallel shell, logging of the SSH sessions of each user, automated server password changes, rm -rf protection, and much more. Hope it will suit your needs for SSH gateway server software.
 
  

