I may be a bit off as I haven't done this, but here are some pointers.

On Monday, November 18, 2002, at 09:07  PM, Thomas Linden wrote:

Hi,

I have installed the freeradius daemon on freebsd. It works
as long as I use cleartext passwords in the radius users
file.

If I use Auth-Type=System with users in /etc/(s)pwd.db then
it does not work. I commented out /etc/passwd and /etc/shadow
in radius.conf, so it uses the libc functions, which freebsd
provides.

Right.

The problem is that it doesn't seem to verify the password
correctly. After looking around a while I found out that
freeradius doesn't support md5-hashed passwords (btw - why?),
therefore I changed it in /etc/auth.conf to use DES, which
is used by crypt().

Firstly - FreeBSD's libcrypt handles autodetection of system crypts.
As long as the tested password is encrypted using the same salt
as the stored crypt, you'll be fine. If not, then bewm.

But still - it doesn't work. Once again I dug through the
source.
In the file src/modules/rlm_unix/rlm_unix.c I found in the
"#else" block after "#ifdef OSFC2" block there is the
following line, which requests the password using the system's
routines (line 505):

  encrypted_pass = pwd->pw_passwd;

I added the following line after it:

  radlog(L_AUTH, "rlm_unix: got: %s", encrypted_pass);

then re-compiled and ran it. After trying to login I saw the
following output (using -X):

..
auth: type "System"
modcall: entering group authenticate
rlm_unix: got: *
rlm_unix: [tom2]: invalid password
..

Under FreeBSD, the getpwent manpage says this:

These routines have been written to ``shadow'' the password file, e.g.
allow only certain programs to have access to the encrypted password. If
the process which calls them has an effective uid of 0, the encrypted
password will be returned, otherwise, the password field of the returned
structure will point to the string `*'.

... and I bet you're not running radiusd as root. If you can coax the radius server to
run as root, just as a test, see what happens. If it still doesn't work I'll be quite surprised.





Adrian
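
The getpwent(3) behaviour quoted above, as an added C diagnostic that is not part of the original thread or of FreeRADIUS: it classifies the `pw_passwd` field together with the caller's effective uid, so a withheld hash (`*` when not root) is told apart from a hash-format problem. The enum, the helper names and the sample strings in the test are hypothetical and constructed for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum pw_kind { PW_MISSING, PW_MASKED, PW_LOCKED, PW_EMPTY, PW_MD5, PW_DES, PW_OTHER };

/* Classify a pw_passwd field as seen by a process with effective uid `euid`. */
enum pw_kind classify_pw_field(const char *field, uid_t euid)
{
    if (field == NULL) return PW_MISSING;
    if (field[0] == '\0') return PW_EMPTY;
    if (strcmp(field, "*") == 0) {
        /* Non-root callers get "*" in place of the hash (getpwent(3)).
         * For root, "*" is the stored value: no usable password. */
        return euid == 0 ? PW_LOCKED : PW_MASKED;
    }
    if (strncmp(field, "$1$", 3) == 0) return PW_MD5;      /* MD5 crypt */
    if (strlen(field) == 13 && field[0] != '$') return PW_DES; /* traditional DES crypt */
    return PW_OTHER;
}

const char *pw_kind_name(enum pw_kind k)
{
    switch (k) {
    case PW_MISSING: return "missing";
    case PW_MASKED:  return "masked (caller is not euid 0)";
    case PW_LOCKED:  return "no usable password";
    case PW_EMPTY:   return "empty";
    case PW_MD5:     return "MD5 crypt";
    case PW_DES:     return "DES crypt";
    default:         return "other format";
    }
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s user\n", argv[0]); return 2; }
    struct passwd *pwd = getpwnam(argv[1]);
    if (pwd == NULL) { fprintf(stderr, "no such user\n"); return 1; }
    /* Report the verdict only; the hash itself is never printed or logged. */
    printf("euid=%ld field=%s\n", (long)geteuid(),
           pw_kind_name(classify_pw_field(pwd->pw_passwd, geteuid())));
    return 0;
}
```

Running it once as the account radiusd uses and once as root shows whether the `*` in the debug output comes from missing privileges or from the stored entry.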

