On Tue, 6 Oct 2009, John Dennis wrote:
On 10/06/2009 01:56 PM, James Smallacombe wrote:
Has anyone had any luck getting FreeRadius to recognise expired Linux
system passwords as defined in /etc/login.defs? sshd and imapd honor
it, but FreeRadius does not. It appears enabled by default... is there
anything else that needs to be done on the FreeRadius server config? On
the NAS?
Yes, the distinction between rlm_unix and rlm_pam.
rlm_unix bypasses the entire login mechanism and directly reads the shadow
file. Not only is this a security hazard, but because it bypasses all the
login checking you lose another layer of security, as you've discovered.
Thanks for your response...I had discarded the notion of using pam for
this because of this warning in the radiusd.conf:
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
However, I did just try using this:
Auth-Type = Pam
for a test user, and got this in debug:
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
WARNING: Unknown value specified for Auth-Type. Cannot perform
requested action.
Failed to authenticate the user.
The module appears enabled in raddb/radiusd.conf and I did put the
recommended entries into /etc/pam.d/radiusd.
Is there something else?
Thanks again!
James Smallacombe PlantageNet, Inc. CEO and Janitor
[email protected] http://3.am
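An added configuration sketch, not from the thread or from the FreeRADIUS project, showing the pieces that distinguish the rlm_unix path from the rlm_pam path described above. It assumes the stock FreeRADIUS 2.x raddb layout (a modules section in radiusd.conf and an authenticate section in sites-available/default) and a PAM service file named radiusd.

```conf
# --- raddb/radiusd.conf, inside modules { } ---
# rlm_unix reads /etc/shadow directly and never runs the PAM account
# stack, so password expiry from /etc/login.defs is not enforced.
# Leaving "unix" referenced in authorize/authenticate keeps that bypass.
#unix {
#    radwtmp = ${logdir}/radwtmp
#}

# rlm_pam hands the credentials to the named PAM service, so the same
# auth and account stacks that sshd uses (expiry checks included) run.
pam {
    pam_auth = radiusd
}

# --- raddb/sites-available/default ---
authenticate {
    # Assumption: "Auth-Type = PAM" on a user entry only selects this
    # sub-section if it exists; with no Auth-Type PAM sub-section here,
    # 2.x reports "Unknown value specified for Auth-Type".
    Auth-Type PAM {
        pam
    }
}

# --- /etc/pam.d/radiusd (assumed contents; the service named by pam_auth) ---
# The account line is what enforces expiry; an auth-only stack would
# verify the password but still admit an expired account.
#   auth     required   pam_unix.so
#   account  required   pam_unix.so
```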