At my workplace, we're running freeradius on a Ubuntu server to authenticate our Cisco equipment (which works great.) We're now trying to use the same server to authenticate our other Linux servers as well, so that we can use the radius server as a centralized user repository and log access attempts.
I have a test server which is setup as a radius client. In other words: client SSH's to test server, which sends a radius authentication request to the radius server, which sends approval, and the client logs on to the test server.
The problem has to do with passwords: this only works if there is a local user account on the test server with the
same password as exists on the radius server.
What I want to do here is have it set up so that if the radius server approves the connection, the user is logged in on the target system, even if the passwords don't match.
The references I've found online suggest having the local user account setup with a blank password, but I manually edited /etc/shadow and deleted the (encrypted) password for a test user and it didn't make a difference.
/etc/pam.d/sshd contains:
Code:
auth required pam_radius_auth.so
auth required pam_env.so
I haven't changed anything in /etc/pam.d/
To sum up: does anyone know how to set it up so that any user approved by radius to complete the ssh session can log in, regardless of the local user password?
Any suggestions are most appreciated! TIA.