Looks so much like http://www.freeradius.org/pam_radius_auth/
On Mon, Apr 21, 2008 at 5:06 PM, Darren J Moffat <darrenm at sac.sfbay.sun.com> wrote:
>
> Template Version: @(#)sac_nextcase 1.66 04/17/08 SMI
> This information is Copyright 2008 Sun Microsystems
> 1. Introduction
> 1.1. Project/Component Working Name:
> RADIUS PAM module (pam_radius_auth)
> 1.2. Name of Document Author/Supplier:
> Author: Darren Moffat
> 1.3 Date of This Document:
> 21 April, 2008
> 4. Technical Description
>
> Proposal
> --------
> This project provides a PAM module for RADIUS authentication.
> The module is not added to the default pam.conf on Solaris.
> Configuration is the /etc/raddb/server file.
> Multiple RADIUS servers are supported with different shared secrets
> ports and timeouts for each one.
>
> The /etc/raddb/server file contains an unencrypted shared secret with
> the RADIUS server and must be installed as readable only by root.
> A sample configuration file is in the materials directory. The config
> file will be installed as an editable file with the default content
> all commented out.
>
> Implementation Notes
> --------------------
> The module only supports the auth stack. pam_sm_setcred(3PAM) returns
> the same value as pam_sm_authenticate(3PAM) returned or PAM_SUCCESS
> if pam_sm_setcred(3PAM) was called without pam_sm_authenticate(3PAM).
> This isn't ideal as pam_sm_setcred(3PAM) should probably always return
> PAM_IGNORE - comments in the code indicate that the upstream project
> team is aware of this but wants "best compatibility" across all
> PAM implementations.
>
> Documentation
> -------------
> The upstream source does not provide man page documentation. The
> documentation that is provided upstream is included in this proposal
> below the interface tables. The project team will work with the Sun
> man page team to turn this into a man page format, and will also
> contribute the resulting man page back upstream. The man page shipped
> in Solaris will contain the ATTRIBUTES and other standard Sun man page
> sections. The above mentioned pam_sm_setcred issue will also be documented.
>
> Release Binding: patch
>
> +------- Exported Interfaces ----------------------------------------------+
> | Interface                                   | Taxonomy    | Comment      |
> +--------------------------------------------------------------------------+
> | SUNWfreeradius-pam                          | UnCommitted | Package      |
> | /usr/lib/security/$ISA/pam_radius_auth.so.1 | Committed   |              |
> | SUNWfreeradius-pam-root                     | UnCommitted | Package      |
> | /etc/raddb/server                           | Committed   | Format       |
> |                                             |             | & Location   |
> +--------------------------------------------------------------------------+
>
> +------- Imported Interfaces ----------------------------------------------+
> | Interface                                   | Taxonomy    | Comment      |
> +--------------------------------------------------------------------------+
> | libmd(3lib) MD5{Init,Update,Final}          | Committed   |              |
> +--------------------------------------------------------------------------+
>
> --- Upstream Documentation ---
>
> The module takes a number of configuration options. Password changing
> is not implemented, as the RADIUS protocol does not support it.
>
> The pam configuration can be:
> ...
> auth sufficient /lib/security/pam_radius_auth.so [options]
> ...
> account sufficient /lib/security/pam_radius_auth.so
>
>
> ---------------------------------------------------------------------------
>
> The 'options' section is optional, and can contain one or more of
> the following strings. Note that not all of these options are
> relevant for all uses of the module.
>
> debug - print out extensive debugging information via pam_log.
> These messages generally end up being handled by
> syslog(), and go to /var/log/messages. Depending on
> your host operating system, the log messages may be
> elsewhere.
> You should generally use the debug option when first
> trying to install the module, as it will help
> enormously in tracking down problems.
>
> use_first_pass - Instead of prompting the user for a password, retrieve
> the password from the previous authentication module.
> If the password does not exist, return failure.
> If the password exists, try it, returning success/failure
> as appropriate.
>
> try_first_pass - Instead of prompting the user for a password, retrieve
> the password from the previous authentication module.
> If the password exists, try it, and return success if it
> passes.
> If there was no previous password, or the previous password
> fails authentication, prompt the user with
> "Enter RADIUS password: ", and ask for another password.
> Try this password, and return success/failure as
> appropriate.
>
> This is the default for authentication.
>
> skip_passwd - Do not prompt for a password, even if there was none
> retrieved from the previous layer.
> Send the previous one (if it exists), or else send a NULL
> password.
> If this fails, exit.
> If an Access-Challenge is returned, display the challenge
> message, and ask the user for the response.
> Return success/failure as appropriate.
>
> The password sent to the next authentication module will
> NOT be the response to the challenge. If a password from
> a previous authentication module exists, it is passed on.
> Otherwise, no password is sent to the next module.
>
> conf=foo - set the configuration filename to 'foo'.
> Default is /etc/raddb/server
>
> client_id=bar - send a NAS-Identifier RADIUS attribute with string
> 'bar'. If the client_id is not specified, the PAM_SERVICE
> type is used instead. ('login', 'su', 'passwd', etc.)
> This feature may be disabled by using 'client_id='.
> i.e. A blank client ID.
>
> retry = # - allow a number of retries before continuing to the next
> authentication module
>
> use_authtok - force the use of a previously entered password.
> This is needed for pluggable password strength checking
> i.e. try cracklib to be sure it's secure, then go update
> the RADIUS server.
>
> ruser - If PAM_USER is root, Use the value of PAM_RUSER instead
> of PAM_USER to determine the username to authenticate via
> RADIUS. This is to allow 'su' to act like 'sudo'.
>
> localifdown - This option tells pam_radius to return PAM_IGNORE instead
> of PAM_AUTHINFO_UNAVAIL if RADIUS auth failed due to
> network unavailability. PAM_IGNORE tells the pam stack
> to continue down the stack regardless of the control flag.
>
> accounting_bug - When used, the accounting response vector is NOT
> validated. This option will probably only be necessary
> on REALLY OLD (i.e. Livingston 1.16) servers.
>
>
> ---------------------------------------------------------------------------
>
>
>
> 6. Resources and Schedule
> 6.4. Steering Committee requested information
> 6.4.1. Consolidation C-team Name:
> ON
> 6.5. ARC review type: FastTrack
> 6.6. ARC Exposure: open
>
> _______________________________________________
> security-discuss mailing list
> security-discuss at opensolaris.org
>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
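The proposal above imports libmd's MD5 routines and mentions an accounting_bug option that skips validation of the server's response vector. The following is an added example, not code from the proposal or from the freeradius pam_radius_auth project: it shows, in Python, the two places RADIUS (RFC 2865) uses MD5 with the shared secret from /etc/raddb/server, hiding the User-Password in an Access-Request and checking the Response Authenticator on the reply, which is the check a client gives up when that option is set. The Request Authenticator, secret and attribute values are constructed for illustration; a real client must draw the Request Authenticator from a strong random source.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s.5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def build_access_request(ident, user, password, secret, nas_id, request_auth):
    """Access-Request as a PAM client sends it: header, 16-byte Request
    Authenticator, then User-Name, hidden User-Password, NAS-Identifier."""
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Server side (RFC 2865 s.3): Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check of the Response Authenticator. A reply from a host that
    does not know the shared secret, or whose attributes were altered in transit,
    fails here; skipping this check is what the accounting_bug option does."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])
```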