User authentication; PAM or Radius? [closed]


At college I’m part of a group of students that keep a server infrastructure running for the students. Lately we’ve been having a lot of trouble with the servers, and we decided that it’s probably better to start from scratch and reinstall everything.

Currently we use PAM (libpam-mysql) for user authentication. Users need to be able to use their accounts to log in over SSH, FTP, SMB (Samba), mail servers, our website, and maybe in future also ownCloud. Most of the user management happens through the website (PHP, MySQL), which is also where users can configure their hosting packages (including vhosts). All the servers are running Debian.

One of the newcomers pointed out to me that if we’re going to reinstall everything anyway, it’s probably better for us to use Radius instead of PAM. I myself (being relatively new) am not experienced with either of the two, and Google proved to be surprisingly unhelpful when doing some research on the matter.

For our use case, but also in general, which would be more suited? Does one have any big advantages over the other?

Thanks in advance.

Solution:

It would be very hard to use RADIUS without using PAM. PAM defines an API for accessing credentials providers (and other session related stuff) which can be the usual files, NIS, LDAP, RADIUS…

The bit you’re talking about changing is the credentials provider. There are places that PAM can’t go – and to handle these cases it might be worth looking at whether the credentials providers which are supported are also supported under PAM (and note that in some cases it’s possible to stack providers, e.g. CAS on top of LDAP). Furthermore, PAM can use multiple credential providers.

You need to look at the estate which you are trying to manage and identify what providers it could support, then think about how much effort is involved in configuring, coding and migrating.

(IME RADIUS never got much beyond authentication for network infrastructure – it’s probably still worth considering if you need to implement EAP)
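
Added example, not part of the original question or answer: a simplified Python model of how PAM walks an `auth` stack that lists two credential providers, showing why RADIUS and the existing MySQL backend can sit side by side under PAM. The sample stack and the per-module outcomes are constructed; `pam_radius_auth.so` and `pam_mysql.so` are the module names assumed for the RADIUS and libpam-mysql providers.

```python
# Simplified model of how libpam evaluates one facility's module stack.
# Covers the control flags required / requisite / sufficient; "optional"
# results are ignored and the [value=action] syntax is not modelled.

# Constructed sample stack (an assumption, not taken from the post):
# RADIUS is tried first, then the MySQL-backed provider, otherwise deny.
SAMPLE_STACK = """\
# /etc/pam.d/sshd (constructed)
auth     sufficient  pam_radius_auth.so
auth     sufficient  pam_mysql.so try_first_pass
auth     requisite   pam_deny.so
account  required    pam_permit.so
"""


def parse_stack(text, facility="auth"):
    """Return [(control, module), ...] for one facility, in file order."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) >= 3 and fields[0] == facility:
            rules.append((fields[1], fields[2]))
    return rules


def authenticate(rules, outcomes):
    """outcomes maps module name -> True if that provider accepts the user.

    Modules missing from outcomes are treated as failing.
    """
    required_failed = False
    any_success = False
    for control, module in rules:
        ok = outcomes.get(module, False)
        if control == "requisite" and not ok:
            return False              # fail at once, skip the rest
        if control == "required" and not ok:
            required_failed = True    # remember, but keep running modules
        if control == "sufficient" and ok and not required_failed:
            return True               # this provider alone is enough
        if ok and control in ("required", "requisite"):
            any_success = True
    return any_success and not required_failed


if __name__ == "__main__":
    stack = parse_stack(SAMPLE_STACK)
    # RADIUS rejects the user, the MySQL provider accepts.
    print(authenticate(stack, {"pam_mysql.so": True}))
```

Because the decision is made per stack, each service (SSH, FTP, mail) can list the providers in a different order or drop one of them without touching the others.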
