Article delegate-en/4900 of [1-5169] on the server localhost:119
[Reference:<_A4899@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Does Delegate support user-based access lists, with those users authenticated by a RADIUS server?
11 Sep 2010 06:27:22 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


Hi,

In message <_A4899@delegate-en.ML_> on 09/11/10(12:12:09)
you Vietnhi Phuvan <pcijqbdyi-qjyh54jtbnxr.ml@ml.delegate.org> wrote:
 |I am trying to implement PAM authentication and authorization to access
 |ssh services on specific hosts: specifically, the Employees group should
 |have full access to the local network, while the Consultants group has
 |ssh access to host1 and host2. Both the Consultants and Employees groups
 |are defined in Active Directory and accessed through PAM authentication.
 |All services including ssh are accessed through socks.
 |
 |My tentative solution is
 |
 |AUTHORIZER="-pam/*:*:*" (PAM authentication applies to all services and
 |for access to all hosts)
 |
 |PERMIT="ssh:host1,host2:Consultants" (The Consultants group can
 |ssh into host1 and host2 through socks)
 |
 |PERMIT="*:*:*" (Everybody else can access all services on all hosts
 |through socks)
 |
 |
 |Is my tentative solution correct or does it need modification?

If your solution is correct, you should see it working and I don't
have any advice to give.

By the way, did you get a way to use RADIUS via PAM?  If so, a
description of what you did on which platform will be helpful for
other readers or users of DeleGate.

The following is an example of a configuration of DeleGate
as a SOCKS proxy 1),
with proxy authentication/authorization by PAM 2),
with access permission only for SSH servers 3),
with access restriction based on client hosts 4).

 ## 1) ################### a SOCKS proxy
 -P1080
 SERVER=socks

 ## 2) ################### adding auth. by PAM
 AUTHORIZER=-pam

 ## 3) ################### adding restriction on destination protocol/port
 REMITTABLE=tcprelay/22 ## allow destination port num. 22 only

 ## 4) ################### adding restriction on unreachable serv. for clients
 HOSTLIST=ConsServ:svhost1,svhost2   ## permitted servers for consultants
 HOSTLIST=ConsClnt:clhostA,clhostB   ## from which hosts consultants access
 REJECT=tcprelay:!ConsServ:ConsClnt  ## reject consul. access to 
 PERMIT=tcprelay:*:!ConsClnt

Note that in this case 2), 3) and 4) are orthogonal and independent of
each other; all of them are optional and can be used in any combination.
Also, in the SOCKS proxy, DeleGate does not care about the kind of application
protocols relayed on it, and regards them just as a "tcprelay".

Here is another way to restrict access (not by client hosts but) by user
names authenticated by AUTHORIZER, as follows.

 ## 4') ################## access restriction based on authenticated names
 HOSTLIST=ConsServ:svhost1,svhost2
 REJECT=tcprelay:!ConsServ:user1@*,user2@*  ## users authenticated by 2)
 PERMIT=tcprelay:*:*

Cheers,
Yutaka

 |Regards,
 |
 |
 |----- Original Message -----
 |From: "Yutaka Sato" <feedback@delegate.org>
 |To: feedback@delegate.org
 |Cc: "vietnhi phuvan" <pcijqbdyi-qjyh54jtbnxr.ml@ml.delegate.org>
 |Sent: Sunday, August 22, 2010 7:53:12 AM
 |Subject: Re: [DeleGate-En] Does Delegate support user-based access lists, with those users authenticated by a RADIUS
 |server?
 |
 |Hi,
 |
 |In message <_A4884@delegate-en.ML_> on 08/20/10(04:10:10)
 |you Vietnhi Phuvan <pcijqbdyi-qjyh54jtbnxr.ml@ml.delegate.org> wrote:
 ||My own review of the Delegate mailing list in addition to my own review
 ||of the Delegate manual led me to the conclusion that Delegate does NOT
 ||support user-based access lists with those users authenticated by a
 ||RADIUS server as of 08/20/2010. Am I correct?
 ||
 ||If I am not correct, please tell me how to modify the AUTHORIZER
 ||statement to include RADIUS authentication (I assume that the AUTHORIZER
 ||statement is the one statement that needs to be modified).
 |
 |DeleGate does not support RADIUS directly. I'm not sure but it
 |might be available via the PAM interface.
 |
 |AUTHORIZER=pam
 |
 |Cheers,
 |Yutaka
 |-- 9 9 Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 |( ~ ) National Institute of Advanced Industrial Science and Technology
 |_< >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
 |Do the more with the less -- B. Fuller

Cheers,
Yutaka
--
  9 9   Yutaka Sato, CSDP#005482 http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
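An added reader's model, not DeleGate's own code, of the user-name variant 4') combined with the port restriction 3) from the reply above, useful for checking the intended policy against sample relay requests before deploying it. It assumes a matching REJECT overrides PERMIT, that a PERMIT match is required, and that REMITTABLE limits the destination port; svhost1, svhost2, user1 and user2 come from the reply, while the other hosts and users are constructed.

```python
# Reader's model of the REJECT/PERMIT/REMITTABLE/HOSTLIST rules quoted in
# the reply (not DeleGate's own evaluation logic). Assumptions: REMITTABLE
# limits destination ports, a matching REJECT wins over PERMIT, a PERMIT
# match is required, and "*" matches anything.
from fnmatch import fnmatch

HOSTLIST = {"ConsServ": {"svhost1", "svhost2"}}          # HOSTLIST=ConsServ:...
REMITTABLE = {"tcprelay": {22}}                           # REMITTABLE=tcprelay/22
REJECT = ["tcprelay:!ConsServ:user1@*,user2@*"]           # 4') user-based reject
PERMIT = ["tcprelay:*:*"]                                 # everything else


def _match_one(pattern, host, user=None):
    """Match one list element: a HOSTLIST name, user@host, or a glob."""
    if pattern == "*":
        return True
    if pattern in HOSTLIST:
        return host in HOSTLIST[pattern]
    if "@" in pattern:  # user@host form, only meaningful for the src field
        upat, hpat = pattern.split("@", 1)
        return user is not None and fnmatch(user, upat) and fnmatch(host, hpat)
    return fnmatch(host, pattern)


def _match_field(field, host, user=None):
    """Comma-separated list, optionally negated with a leading '!'."""
    negate = field.startswith("!")
    items = field.lstrip("!").split(",")
    hit = any(_match_one(p, host, user) for p in items)
    return not hit if negate else hit


def _rule_matches(rule, proto, dst, src, user):
    rproto, rdst, rsrc = rule.split(":", 2)
    return (rproto in ("*", proto)
            and _match_field(rdst, dst)
            and _match_field(rsrc, src, user))


def allowed(src_host, user, dst_host, dst_port, proto="tcprelay"):
    """Decide whether a SOCKS relay request passes under this model."""
    if dst_port not in REMITTABLE.get(proto, set()):
        return False                                    # 3) port restriction
    if any(_rule_matches(r, proto, dst_host, src_host, user) for r in REJECT):
        return False                                    # 4') REJECT checked first
    return any(_rule_matches(r, proto, dst_host, src_host, user) for r in PERMIT)
```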
