On 10/06/2009 01:56 PM, James Smallacombe wrote:

Has anyone had any luck getting FreeRadius to recognise expired Linux
system passwords as defined in /etc/login.defs? sshd and imapd honor
it, but FreeRadius does not. It appears enabled by default... is there
anything else that needs to be done in the FreeRadius server config? On
the NAS?

TIA,

On Wed, 30 Sep 2009, James Smallacombe wrote:


Hi:

We have a client running FreeRadius 2.1.6 on a Linux box
authenticating against shadow passwords. I've gone over the
radiusd.conf and it appears that the expire module is enabled by
default in the global config (there are no virtual servers here).
However, FreeRadius appears to be ignoring this attribute and
authenticating users with expired passwords anyway. I tried expiring
the account and that worked, but it would be much better to have it
respect expired passwords.

Is there something I missed?

Yes, the distinction between rlm_unix and rlm_pam.

rlm_unix bypasses the entire login mechanism and directly reads the shadow file. Not only is this a security hazard, but because it bypasses all the login checking, you lose another layer of security, as you've discovered.

sshd and imapd work because they're properly configured to use PAM.


--
John Dennis <[email protected]>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
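To make the "lost layer" concrete, here is an added Python model (not FreeRADIUS code, and not part of this thread) of the account-stage checks that pam_unix performs after the hash comparison, and that a bare hash lookup against /etc/shadow never consults. Note that PASS_MAX_DAYS in /etc/login.defs only seeds the max-days field when a password is set; enforcement reads the aging fields stored in /etc/shadow for each account. The shadow lines, the placeholder hash and the reference day (the thread's date) are constructed for the example; `rlm_unix_style` and `pam_style` are illustrative names, not module APIs.

```python
import datetime as dt
from dataclasses import dataclass
from typing import Optional


@dataclass
class Verdict:
    allowed: bool
    reason: str


def days_since_epoch(date: dt.date) -> int:
    """shadow(5) stores its date fields as days since 1970-01-01."""
    return (date - dt.date(1970, 1, 1)).days


def _opt_int(raw: str) -> Optional[int]:
    """An empty shadow field means 'unset'; callers also treat -1 as unset."""
    raw = raw.strip()
    return int(raw) if raw else None


def check_shadow_aging(shadow_line: str, today: int) -> Verdict:
    """The checks pam_unix's account stage applies, in the same order:
    account expiry, forced change, aging disabled, then password age."""
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("malformed shadow entry")
    _name, _hash, lastchg, _mindays, maxdays, _warn, inactive, expire, _flag = fields
    lastchg, maxdays = _opt_int(lastchg), _opt_int(maxdays)
    inactive, expire = _opt_int(inactive), _opt_int(expire)

    if expire is not None and expire >= 0 and today >= expire:
        return Verdict(False, "account expired")          # field 8: what 'expiring the account' sets
    if lastchg == 0:
        return Verdict(False, "password change required")  # lastchg of 0 forces a change at next login
    if lastchg is None or maxdays is None or maxdays < 0:
        return Verdict(True, "password aging disabled")
    age = today - lastchg
    if age > maxdays:
        if inactive is not None and inactive >= 0 and age > maxdays + inactive:
            return Verdict(False, "password expired, inactivity period elapsed")
        return Verdict(False, "password expired")
    return Verdict(True, "ok")


def rlm_unix_style(shadow_line: str, hash_matches: bool, today: int) -> Verdict:
    """Direct shadow lookup: the hash comparison is the only decision."""
    return Verdict(hash_matches, "hash matched" if hash_matches else "hash mismatch")


def pam_style(shadow_line: str, hash_matches: bool, today: int) -> Verdict:
    """PAM path: auth stage (hash) followed by the account stage (aging)."""
    if not hash_matches:
        return Verdict(False, "hash mismatch")
    return check_shadow_aging(shadow_line, today)


TODAY = days_since_epoch(dt.date(2009, 10, 6))   # reference day for the sample data
H = "$6$constructed$notarealhash"                # placeholder; hash checking is out of scope here

SAMPLE_SHADOW = [  # constructed entries, not taken from any real system
    f"alice:{H}:{TODAY - 30}:0:90:7:::",          # changed 30 days ago, 90-day max
    f"bob:{H}:{TODAY - 120}:0:90:7:::",           # 120 days old, no inactivity period
    f"carol:{H}:{TODAY - 200}:0:90:7:30::",       # 200 days old, 30-day inactivity period
    f"dave:{H}:{TODAY - 10}:0:90:7::{TODAY - 1}:",  # account expiry date in the past
    f"frank:{H}:0:0:90:7:::",                     # lastchg 0: must change password
    f"grace:{H}:{TODAY - 400}:0:::::",            # no max-days: aging disabled
]


def compare_all(entries=SAMPLE_SHADOW, today=TODAY):
    """Return {user: (allowed by hash-only path, allowed by PAM path, PAM reason)},
    assuming the supplied password hashed correctly in every case."""
    out = {}
    for line in entries:
        name = line.split(":", 1)[0]
        unix = rlm_unix_style(line, True, today)
        pam = pam_style(line, True, today)
        out[name] = (unix.allowed, pam.allowed, pam.reason)
    return out


if __name__ == "__main__":
    for user, (unix_ok, pam_ok, why) in compare_all().items():
        print(f"{user:6} hash-only: {'ALLOW' if unix_ok else 'DENY'}  "
              f"pam: {'ALLOW' if pam_ok else 'DENY'} ({why})")
```

Every user except alice and grace is accepted by the hash-only path and refused by the PAM path, which is exactly the gap described in the reply above. In FreeRADIUS terms the PAM path is rlm_pam with a PAM service whose account stack includes pam_unix; one caveat when switching is that rlm_pam needs the cleartext password, so it only works for PAP-style requests, not CHAP or MS-CHAP.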
