[Reference:<_A4909@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Does Delegate support user-based access lists, with those users authenticated by a RADIUS server?
23 Sep 2010 22:20:51 GMT Vietnhi Phuvan <pcijqbdyi-hugik5qeg5xr.ml@ml.delegate.org>


I. I am attempting to make user groups work:

delegated -P1080 SERVER=socks AUTHORIZER=-pam/delegated OWNER="root" 
REMITTABLE="tcprelay/{80,443,22}" HOSTLIST="ConsServ1:10.10.80.100" 
HOSTLIST="ConsServ2:10.10.80.3" HOSTLIST="ConsServ3:10.10.80.5" 
USERLIST="Users:vphuvan@*" PERMIT="tcprelay:ConServ1:Users" -vd 
+=/etc/delegated.conf -r

vphuvan authenticates nicely according to the 1080 log but I am getting 
a no permission match error. Anything wrong with the syntax above?


II. Another issue:

delegated -P1080 SERVER=socks AUTHORIZER=-pam/delegated OWNER="root" 
REMITTABLE="tcprelay/{80,443,22}" HOSTLIST="ConsServ1:10.10.80.100" 
HOSTLIST="ConsServ2:10.10.80.3" HOSTLIST="ConsServ3:10.10.80.5" 
USERLIST="Users:vphuvan@*" PERMIT="tcprelay:.localnet:Users" -vd 
+=/etc/delegated.conf -r

I am wondering why the .localnet variable does not work - should I 
define it? I also tried 10.10.80.0/24 with the same lack of success. 
What is wrong with the syntax?


III. I promised you the procedure for implementing RADIUS authentication 
through PAM. Here it is:

"
The workaround is this: Delegate supports PAM. And there is such a thing 
as a pam_radius.so library.

How to get the pam_radius.so library: alternatives -

(1) Download rpm - 
http://www.rpmfind.net/linux/rpm2html/search.php?query=pam_radius_auth.so

Hopefully, EPEL (Extended Packages for Enterprise Linux) is compatible 
with Centos 5 and the rpm works without a hitch. If not:

(2) Download pam_radius-1.3.17.tar.gz tarball
ftp://ftp.freeradius.org/pub/radius

Instructions on how to compile pam_radius_auth.so:
http://www.davidstclair.co.uk/Radius-Authentication-for-SSH-login-Centos5

Instructions on how to install pam_radius_auth.so:
http://www.rpmfind.net/linux/rpm2html/search.php?query=pam_radius_auth.so
"

Note that the creation of the pam_radius_auth.so library is a relatively 
recent development (circa 2008). My attitude is that since Delegate 
supports PAM authentication, any authentication that can go through PAM 
will work. It goes through PAM as long as there is a PAM library file 
for that authentication.


V.

Yutaka Sato wrote:
> In message <_A4908@delegate-en.ML_> on 09/16/10(07:55:26)
> you Vietnhi Phuvan <pcijqbdyi-hugik5qeg5xr.ml@ml.delegate.org> wrote:
>  |delegated -P1080 SERVER=socks AUTHORIZER=-pam OWNER="root" 
>  |REMITTABLE="tcprelay/80" REMITTABLE="tcprelay/22"  
>
> This must be one of the following:
> REMITTABLE="tcprelay/80" REMITTABLE="+,tcprelay/22"  
> REMITTABLE="tcprelay/80,tcprelay/22"  
> REMITTABLE="tcprelay/{80,22}"  
>
>  |HOSTLIST="ConsServ:/10.80.80.100" REJECT="tcprelay:\!ConsServ:user1"  
>
> A strange "/" in the second field of HOSTLIST disables this parameter.
>
>  |PERMIT="tcprelay:*:*" +=/etc/delegated.conf
>  |
>  |I am wondering why user1 is not being blocked from accessing 
>  |10.80.80.100. Do you see anything wrong with my syntax?
>
> A word in the field means a hostname, so a client host with name "user1"
> will be rejected.  To match with a username by AUTHORIZER, it must be
> username@hostname, thus maybe it should be "user1@*" in your case.
>
> Cheers,
> Yutaka
> --
>   9 9   Yutaka Sato, CSDP#005482 <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
>   


-- 
Vietnhi Phuvan
Senior Systems Engineer
SPECIAL APPLIED INTELLIGENCE
36-40 37th Street, Suite 201
Long Island City, NY 11101

800.511.9818 [Tauk*] x2000
718.576.1404 [fax]

 -> progress for hire <-
http://www.specialai.com/


