I just spent quite a while debugging a problem where Unix logins were
failing.  It turned out to be that /bin/pdksh wasn't in /etc/shells.  The
attached patch logs this failure to make it a lot easier to identify why
logins fail (I did finally learn to use ddd and gdb :-).

Actually I don't really care about the shell check since I'm running from a
private gdbm hashed password file generated on another machine, and the
program that generates this password file has already checked the real
/etc/shells file, and disabled the passwords for root and other
administrative accounts.  This requires a local copy of getpwnam which
bypasses the system routines.  I've been doing this on Merit radius for
several years, and now I have to see how this is going to interact with
freeradius and its group checking.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
UUCP:               camco!bill  PO Box 820; 6641 E. Mercer Way
FAX:            (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676
URL: http://www.celestial.com/

``People from East Germany have found the West so confusing. It's so much
easier when you have only one party.'' -- Linus Torvalds, Linux Expo Canada
when asked about confusion over many Linux distributions.
diff -uNr /usr/src/OpenLinux/BUILD/freeradius-0.3.orig/src/modules/rlm_unix/rlm_unix.c 
./src/modules/rlm_unix/rlm_unix.c
--- /usr/src/OpenLinux/BUILD/freeradius-0.3.orig/src/modules/rlm_unix/rlm_unix.c       
 Mon Oct  1 11:22:52 2001
+++ ./src/modules/rlm_unix/rlm_unix.c   Wed Oct 24 16:58:26 2001
@@ -415,8 +415,11 @@
                }
        }
        endusershell();
-       if (shell == NULL)
+       if (shell == NULL) {
+               radlog(L_AUTH, "rlm_unix: [%s]: invalid shell [%s]",
+                       name, pws->pw_shell);
                return RLM_MODULE_REJECT;
+       }
 #endif
 
 #if defined(HAVE_GETSPNAM) && !defined(M_UNIX)
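Review bot: The new radlog() call writes name and pws->pw_shell to the auth log through a bare %s with no sanitising. If name is the user name as received in the request, embedded newlines or control characters could split or forge log lines, so escape non-printable characters before logging, or confirm that radlog() already does. It is also worth confirming that pws->pw_shell cannot be NULL at this point, because some libc implementations crash on a NULL %s argument rather than printing "(null)".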
@@ -461,9 +464,10 @@
         *      Check encrypted password.
         */
        encpw = crypt(passwd, encrypted_pass);
-       if (strcmp(encpw, encrypted_pass))
+       if (strcmp(encpw, encrypted_pass)) {
+               radlog(L_AUTH, "rlm_unix: [%s]: invalid password", name);
                return RLM_MODULE_REJECT;
-
+       }
        return RLM_MODULE_OK;
 #endif /* OSFSIA */
 #undef inst
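Review bot: The condition rewritten here, if (strcmp(encpw, encrypted_pass)), still passes the return value of crypt() straight to strcmp(), and crypt() can return NULL on failure, which would be a NULL dereference in the authentication path. Since the line is being touched anyway, suggest if (encpw == NULL || strcmp(encpw, encrypted_pass) != 0) so that a crypt() failure ends in the same logged reject. The message itself records only the user name and not the submitted password, which is the right choice for an auth log.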
