thanks frank, i think i've got it working with this config:

# more radiusd
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth

# more system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 shadow
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so

----- Original Message -----
From: "Frank Cusack" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, May 23, 2002 11:12 PM
Subject: Re: radiusd allows users with any password

> On Thu, May 23, 2002 at 08:48:41PM -0400, Aamer Akhter wrote:
> > Frank,
> >
> > shouldn't it worry about the password? or am i missing something?
>
> freeradius does not care about the password, it passes on the password
> to PAM. PAM is authenticating the user, freeradius is merely relaying
> the response. Your PAM setup is allowing all users.
>
> What does your PAM config look like? Note that freeradius is using PAM
> service name 'radiusd' (from the logs). If you don't have rules for that
> service, PAM will use the rules for service 'other'.
>
> /fc
>
> > ----- Original Message -----
> > From: "Frank Cusack" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, May 23, 2002 8:35 PM
> > Subject: Re: radiusd allows users with any password
> >
> > > Looks normal. Your PAM setup is authenticating the user. You can't have
> > > multiple auth-types, so the PAM one is the only one being used.
> > >
> > > /fc
> > >
> > > On Thu, May 23, 2002 at 08:04:20PM -0400, Aamer Akhter wrote:
> > > > Hello,
> > > >
> > > > I'm having a weird problem with the latest build from CVS. I admit
> > > > that this problem may have been there for a while and i didn't know
> > > > about it.
> > > >
> > > > so what's happening is that radiusd will send an Access-Accept as
> > > > long as the user is valid (without regard for the password). So as
> > > > long as I enter the right username, the password doesn't seem to
> > > > matter.
> > > >
> > > > Here is the debug output
> > > >
> > > > Thu May 23 10:25:53 2002 : Info: Ready to process requests.
> > > > rad_recv: Access-Request packet from host 10.13.0.1:1645, id=75, length=78
> > > >         NAS-IP-Address = 10.13.0.1
> > > >         NAS-Port = 67
> > > >         NAS-Port-Type = Virtual
> > > >         User-Name = "aakhter"
> > > >         Calling-Station-Id = "10.13.0.254"
> > > >         User-Password = "*\213\256X\365g\363>2\022\342\264\307"\272\205"
> > > > Thu May 23 10:25:58 2002 : Debug: modcall: entering group authorize
> > > > Thu May 23 10:25:58 2002 : Debug: modcall[authorize]: module "preprocess" returns ok
> > > > Thu May 23 10:25:58 2002 : Debug: rlm_realm: Looking up realm NULL for User-Name = "aakhter"
> > > > Thu May 23 10:25:58 2002 : Debug: rlm_realm: No such realm NULL
> > > > Thu May 23 10:25:58 2002 : Debug: modcall[authorize]: module "suffix" returns noop
> > > > Thu May 23 10:25:58 2002 : Debug: users: Matched DEFAULT at 13
> > > > Thu May 23 10:25:58 2002 : Debug: modcall[authorize]: module "files" returns ok
> > > > Thu May 23 10:25:58 2002 : Debug: modcall: group authorize returns ok
> > > > Thu May 23 10:25:58 2002 : Debug: rad_check_password: Found Auth-Type Pam
> > > > Thu May 23 10:25:58 2002 : Debug: auth: type "Pam"
> > > > Thu May 23 10:25:58 2002 : Debug: modcall: entering group authenticate
> > > > Thu May 23 10:25:58 2002 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
> > > > Thu May 23 10:25:58 2002 : Debug: pam_pass: authentication succeeded for <aakhter>
> > > > Thu May 23 10:25:58 2002 : Debug: modcall[authenticate]: module "pam" returns ok
> > > > Thu May 23 10:25:58 2002 : Debug: modcall: group authenticate returns ok
> > > > Sending Access-Accept of id 75 to 10.13.0.1:1645
> > > >         Service-Type = Administrative-User
> > > > Thu May 23 10:25:58 2002 : Debug: Finished request 0
> > > > Thu May 23 10:25:58 2002 : Debug: Going to the next request
> > > > Thu May 23 10:25:58 2002 : Debug: --- Walking the entire request list ---
> > > > Thu May 23 10:25:58 2002 : Debug: Waking up in 6 seconds...
> > > > Thu May 23 10:26:04 2002 : Debug: --- Walking the entire request list ---
> > > > Thu May 23 10:26:04 2002 : Debug: Cleaning up request 0 ID 75 with timestamp 3cecfbf6
> > > > Thu May 23 10:26:04 2002 : Debug: Nothing to do. Sleeping until we see a request.
> > > > Thu May 23 10:26:24 2002 : Error: MASTER: exit on signal (2)
> > > >
> > > > and my config:
> > > > [root@nsite-mpls-1 /root]# more /etc/raddb/users
> > > >
> > > > ## PAM handles both local /etc/passwd stuff and NIS stuff.
> > > > ## Auth-Type needs to be on the same line as DEFAULT
> > > >
> > > > DEFAULT Auth-Type := Pam
> > > >         Service-Type = Shell-user,
> > > >         Fall-Through = YES
> > > >
> > > > smartbits Auth-Type := Local, Password == "xx"
> > > >         Service-Type == Login-user
> > > >
> > > > ## these are script passwords, so don't need to be easy to use
> > > > cw2k Auth-Type := Local, Password == "xx"
> > > > aakhter-script Auth-Type := Local, Password == "xx"
> > > > rymcmaho-script Auth-Type := Local, Password == "xx"
> > > > mbrown-script Auth-Type := Local, Password == "xx"
> > > > jguy-script Auth-Type := Local, Password == "xx"
> > > > rajiva-script Auth-Type := Local, Password == "xx"
> > > > asharma-script Auth-Type := Local, Password == "xx"
> > -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
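
Added example, not part of the original thread: a small checker that resolves which auth rules PAM would apply to the 'radiusd' service, following pam_stack.so includes and the fallback to 'other' that Frank describes. The file contents in PAM_D are constructed (the 'other' entry is a hypothetical permissive fallback, not the poster's actual file), and only simple one-word control flags are handled.

```python
# Constructed /etc/pam.d contents (file name -> text); "other" is a made-up permissive fallback.
PAM_D = {
    "radiusd": "#%PAM-1.0\n"
               "auth     required /lib/security/pam_stack.so service=system-auth\n"
               "account  required /lib/security/pam_stack.so service=system-auth\n",
    "system-auth": "#%PAM-1.0\n"
                   "auth sufficient /lib/security/pam_unix.so likeauth nullok md5 shadow\n"
                   "auth required   /lib/security/pam_deny.so\n",
    "other": "auth required /lib/security/pam_permit.so\n",
}

def auth_rules(name, pam_d, seen=()):
    """Flatten the auth rules of one service file, following pam_stack.so service=NAME."""
    rules = []
    if name in seen:          # guard against include loops
        return rules
    for line in pam_d.get(name, "").splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 3 or fields[0] != "auth":
            continue
        control, module, args = fields[1], fields[2].rsplit("/", 1)[-1], fields[3:]
        target = [a[len("service="):] for a in args if a.startswith("service=")]
        if module == "pam_stack.so" and target:
            rules += auth_rules(target[0], pam_d, seen + (name,))
        else:
            rules.append((control, module, args))
    return rules

def audit(service, pam_d):
    """Return findings for the auth stack PAM would apply to `service`."""
    findings = []
    used = service
    if service not in pam_d:  # no rules for the service: PAM uses 'other'
        used = "other"
        findings.append(f"no PAM file for '{service}', rules for 'other' apply")
    rules = auth_rules(used, pam_d)
    if not rules:
        findings.append(f"'{used}' has no auth rules")
    for control, module, args in rules:
        if module == "pam_permit.so":
            findings.append(f"{control} pam_permit.so succeeds without checking the password")
        if module == "pam_unix.so" and "nullok" in args:
            findings.append("pam_unix.so nullok permits accounts whose password is blank")
    return findings

if __name__ == "__main__":
    for svc, files in (("radiusd", PAM_D), ("radiusd", {"other": PAM_D["other"]})):
        print(svc, sorted(files), audit(svc, files))
```
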
