Re: using radius user file to deny access

Jeff Vian (jvian@computer-services.com)
Mon, 16 Dec 1996 10:04:00 -0600

Linux has an option of defining the shell as "NOLOGIN" (configured in
/etc/login.defs when running shadow). With this shell entry they cannot
login via telnet or radius, but can use pop for email.
This is a feature, not a hack.

See the info on shadow for details.

At 11:02 AM 11/8/96 +1000, Terry Manderson wrote:
>At 02:45 PM 11/7/96 -0500, John Driscoll wrote:
>>Hi all;
>>
>>We're running radius on a linux server (runs great - please no flames!).
>>Presently we're using the default 'UNIX' user to have radius authenticate
>>against the /etc/passwd file. Is there a clever way to add someone to the
>>radius USER file such that they would be denied dial-up PPP access thru the
>>PM but still have a valid userid/password in /etc/passwd? I'd like to have
>>it so that if they tried to dial in they would get some sort of 'access
>>denied' message.
>>
>
>If you still wish to keep the default entry in the users file, but still
>want some people in your /etc/passwd to be denied access. I'd grab a version
>of radiusd that supports shell checking.
>
>so that if the person you want to deny access via radius has a shell that
>is NOT in /etc/shells they are given the NAK :-)
>
>so basically cp /bin/bash /bin/norad
>chmod 755 /bin/norad etc etc
>don't put /bin/norad in /etc/shells
>change the users shell (who is not to have radius access) to /bin/norad
>
>and bingo.. they get the denied message.
>to give them access is just a matter of changing their shell.. :-)
>
>It is a hack.. but thems the breaks :-0
>
>Terry
>--
>____________________________________________________________________
>Terry Manderson PO Box 3220, SBBC 4101 Phone +61 7 3259 6259
>System Administrator QLD, AUSTRALIA Fax +61 7 3255 0555
>Pegasus Networks http://www.peg.apc.org terrym@peg.apc.org
>
>