We are using auth by pam to access krb5. So it needs to associate an unencrypted password to the username to query the krb server for a ticket. Should that work, and if not, what are my options?
Mike

On Wed, 30 Oct 2002, Hugh Irvine wrote:

>
> Hello Mike -
>
> It depends on what format the stored passwords are that PAM is referring
> to.
>
> If the passwords are encrypted, you cannot use CHAP.
>
> regards
>
> Hugh
>
>
> On Wednesday, October 30, 2002, at 07:45 AM, Forbes Mike wrote:
>
> >
> > I am testing chap authentication with Radiator. Currently I do the
> > following:
> >
> > <Handler Realm=Backbone_Devices,Framed-Protocol=PPP>
> >     RewriteUsername s/^([^@]+).*/$1/
> >     <AuthBy GROUP>
> >         <AuthBy PAM>
> >             Fork
> >             Service radiusd
> >         </AuthBy>
> >     </AuthBy>
> >     AuthLog DSL_PPP_Login_Failures
> >     # Log accounting to a detail file
> >     AcctLogFileName %L/dsl_ppp_users
> > </Handler>
> >
> > This works for pap, but not for chap. Is this because CHAP is encrypted
> > and
> > PAM needs the unencrypted? There is no note that says PAM cannot do
> > chap.
> >
> > Thanks,
> >
> > Mike Forbes
> >
> >
> > For chap I get the following output:
> >
> >
> >
> > Tue Oct 29 13:05:38 2002: DEBUG: Packet dump:
> > *** Received from x.y.z.v port 1645 ....
> > Code:       Access-Request
> > Identifier: 103
> > Authentic:  A:
> > Attributes:
> >         Framed-Protocol = PPP
> >         User-Name = "fred"
> >         CHAP-Password = ]b%
> >         NAS-Port = 1
> >         NAS-Port-Type = Virtual
> >         Service-Type = Framed-User
> >         NAS-IP-Address = x.y.z.v
> >
> > Tue Oct 29 13:05:38 2002: DEBUG: Handling request with Handler
> > 'Realm=Backbone_Devices,Framed-Protocol=PPP'
> > Tue Oct 29 13:05:38 2002: DEBUG: Rewrote user name to fred
> > Tue Oct 29 13:05:38 2002: DEBUG: Deleting session for fred,
> > 128.138.82.198, 1
> > Tue Oct 29 13:05:38 2002: DEBUG: Handling with Radius::AuthGROUP
> > Tue Oct 29 13:05:38 2002: DEBUG: Handling with PAM service radiusd
> > Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password'
> > Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password for
> > [EMAIL PROTECTED]'
> > Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password for
> > [EMAIL PROTECTED]'
> > Tue Oct 29 13:05:38 2002: INFO: Access rejected for fred:
> > Authentication failure:
> > Tue Oct 29 13:05:38 2002: DEBUG: Packet dump:
> > *** Sending to x.y.z.v port 1645 ....
> > Code:       Access-Reject
> > Identifier: 103
> > Authentic:  A:
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on [EMAIL PROTECTED]
> > To unsubscribe, email '[EMAIL PROTECTED]' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: I am travelling this week, so there may be delays in our
> correspondence.
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
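The CHAP check discussed in this thread, as an added example that is not part of the original messages or Radiator's own code: the NAS sends only MD5(identifier || password || challenge) (RFC 1994), so a server can verify it only against a stored cleartext password and has no password to pass on to PAM or Kerberos. The password, challenge and identifier below are constructed sample values, and password_for_pam is a hypothetical helper.

```python
import hashlib
import hmac

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(identifier octet || secret || challenge)
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, stored_secret: bytes) -> bool:
    # RADIUS CHAP-Password value (RFC 2865): 1 identifier octet + 16-octet MD5 response
    if len(chap_password) != 17:
        return False
    chap_id, received = chap_password[0], chap_password[1:]
    expected = chap_response(chap_id, stored_secret, challenge)
    return hmac.compare_digest(expected, received)

def password_for_pam(attrs: dict):
    # Hypothetical helper: a PAM conversation needs the password itself.
    # Only a PAP request carries it (User-Password, assumed already decoded
    # with the RADIUS shared secret); a CHAP request has nothing to replay.
    return attrs.get("User-Password")

# Constructed sample values (not taken from the packet dump in the thread)
CLEARTEXT = b"constructed-passw0rd"
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")
CHAP_ID = 7
HASHED_STORE = hashlib.sha256(CLEARTEXT).digest()  # stand-in for any one-way stored form

def build_chap_request() -> dict:
    # What the NAS sends: identifier plus hash, never the password
    value = bytes([CHAP_ID]) + chap_response(CHAP_ID, CLEARTEXT, CHALLENGE)
    return {"User-Name": "fred", "CHAP-Password": value, "CHAP-Challenge": CHALLENGE}

if __name__ == "__main__":
    req = build_chap_request()
    print("cleartext store verifies:", verify_chap(req["CHAP-Password"], CHALLENGE, CLEARTEXT))
    print("hashed store verifies:   ", verify_chap(req["CHAP-Password"], CHALLENGE, HASHED_STORE))
    print("password available to PAM:", password_for_pam(req))
```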
