[olug] Using RADIUS roles for sudoers

Christopher Cashell topher-olug at zyp.org
Wed Feb 4 22:43:50 CST 2015


On Wed, Feb 4, 2015 at 10:20 AM, Damian Harouff <cekkent at gmail.com> wrote:

> I've recently encountered an existing system where the company already has
> a RADIUS server set up for authentication, including SSH and sudo, but they
> would like to also use the RADIUS roles to determine what commands can be
> executed via sudo.
>
> I know that sudo has the ability to use LDAP for this, but LDAP isn't
> available, and the company is not interested in an LDAP server.
>
> The Google did not turn up much. Anyone ever done this before?
>

I've done sudo with LDAP, and I've done auth with RADIUS.  I've never done
sudo with RADIUS.  A little bit of poking around doesn't turn up much, and
previous experience with the two makes me think you'll have a lot of
challenges and limitations getting it to work.

Even if you could get it to work in a very limited form, you're going to
miss out on a lot of the available sudo functionality.

RADIUS is great for strict AAA, but LDAP has a level of flexibility that
goes way beyond that.  In order for sudo to properly map /etc/sudoers to
LDAP, an LDAP Schema was created.  sudo has special support written into
it to support LDAP.  Nothing like that exists for RADIUS.

I may be wrong, but I don't think you'll be able to get this to work.  PAM
is geared more around the Authentication aspect of AAA than it is the
Authorization.  And sudo only supports file (/etc/sudoers) and LDAP for
Authorization, as far as I know.

If the company in question has an Active Directory environment, recent AD
releases (Windows 2003R2 and later) have reasonable support for adding
custom schemas.  It is possible to store sudo information in an Active
Directory Server.

-- 
Christopher
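To make concrete what the reply above means by sudo's LDAP schema, here is an added example (not from the original post) showing one /etc/sudoers rule and the sudoRole entry that expresses the same policy in LDAP. The sudoRole object class and its sudoUser/sudoHost/sudoCommand/sudoRunAsUser/sudoOption/sudoOrder attributes are sudo's own; the base DN, group name and host names are constructed for illustration.

```ldif
# Constructed container for sudo roles; this DN is what the client's
# sudoers_base setting points at.
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

# Equivalent of this /etc/sudoers line (constructed policy):
#   %dbadmins  db01,db02 = (postgres) NOPASSWD: /usr/bin/systemctl restart postgresql
dn: cn=dbadmins_restart_pg,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: dbadmins_restart_pg
# "%" prefix selects a group, exactly as in the sudoers file
sudoUser: %dbadmins
# multi-valued: the rule applies on both hosts
sudoHost: db01
sudoHost: db02
# the (postgres) target user
sudoRunAsUser: postgres
# full path, so the rule cannot be satisfied by a same-named binary elsewhere
sudoCommand: /usr/bin/systemctl restart postgresql
# NOPASSWD in sudoers becomes the !authenticate option here
sudoOption: !authenticate
# lower numbers are evaluated first when several roles match
sudoOrder: 10
```

On the client, sudo finds these entries through the `sudoers_base` setting in its LDAP configuration file and the `sudoers: files ldap` line in /etc/nsswitch.conf; there is no corresponding lookup path for RADIUS, which is the limitation the reply describes.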
