Re: unix users and radius bootstrapping (fwd)

John Simpson (jms1@iag.net)
Tue, 25 Jun 1996 09:22:33 -0400 (EDT)

On Mon, 24 Jun 1996, MegaZone wrote:

> Once upon a time Philip A. Fitzpatrick shaped the electrons to say...
> >I have a primary radius server which is using unix passwords, and I have a
> >secondary radius server which I would like to set up as a backup. Does
> >anyone have any suggestions for creating a user database on the secondary
> >radius server which reflects the users on the primary radius server?
>
> Put the same users in /etc/passwd on the second system, but give them bogus
> shells so they can't actually login there.

from the fact that you're using unix passwords for radius authentication, it
sounds like the primary radius server is running on the machine that the shell
accounts are on... if the secondary radius server is also using unix passwords
for radius, wouldn't the user have to change their password on both machines
in order to know for certain that their new password would be the one that the
radius server authenticates against? if the password change only affects the
primary server, and the primary server happens to be down when they try to log
in, the radius server on the secondary machine will be checking against an old
password, and the user won't get on.

one way around this would be to run nis or something that allows a shared
password database, and put a line like this (we don't run nis here so i'm not
100% sure of the syntax):

+::::::/bin/false

at the end of the secondary radius server's /etc/passwd file so that it will
recognize passwords from the nis server (also the shell machine), but if anyone
tries to telnet into the secondary machine (without an explicit entry for
their user id in the secondary's /etc/passwd file), their shell becomes
/bin/false on that machine and they get dumped.

hope this helps.

-------------------------------------------------------------------------------
John Simpson, Software Engineering | The Internet Access Group, Inc.
http://www.depeche.mode.net/~jms1/ | PO Box 162625
Personal: <jms1@depeche.mode.net> | Altamonte Springs, FL 32716-2625
Business: <jms1@iag.net> | (407) 786-1145
-------------------------------------------------------------------------------