PAM Module Patch and Feature

David Mitchell mitchell at ucar.edu
Thu Mar 22 16:43:21 CET 2007 

On Mar 21, 2007, at 7:02 PM, Frank Cusack wrote:

> David,
>
> Awaiting your feedback.  Maybe you didn't realize freeradius-devel
> responses go to the list [only].  I'm cc'ing you just in case.
> There might be a pref you can change in your subscription to have
> replies go to you.  Or just set reply-to.

I just hadn't gotten around to replying yet. I think it looks good.  
Stomping on the retry value was an accident on my part. Maybe it  
could be made more explicit by including them in the bit value list?  
Then it would be more obvious that 128 is the next unused value?


#define PAM_DEBUG_ARG      1
#define PAM_SKIP_PASSWD    2
#define PAM_USE_FIRST_PASS 4
#define PAM_TRY_FIRST_PASS 8
#define PAM_RUSER_ARG     16
#define PAM_RETRY      32+64

-David Mitchell

>
> -frank
>
> On March 19, 2007 7:50:19 PM -0700 Frank Cusack  
> <fcusack at fcusack.com> wrote:
>> On March 15, 2007 2:40:42 PM -0600 David Mitchell <mitchell at ucar.edu>
>> wrote:
>>> Greetings,
>>>
>>> I am working on using FreeRadius with token authentication and  
>>> ran into
>>> a small snag. Under Linux, attempts to authenticate 'su' result in a
>>> query to the Radius server for the user 'root'. What we would  
>>> like to
>>> happen is for the query to be for the requesting user. This is  
>>> how the
>>> 'sudo' application handles it's PAM requests.
>>
>> Interesting.  Why don't you just use 'sudo' then?  Having 'su' be  
>> distinct
>> and accept the actual root password can be useful.
>>
>>> I of course do not want to change the default behavior of the  
>>> module, so
>>> I added an option. I named it 'ruser' since it works by causing  
>>> the PAM
>>> module to authenticate using the value of PAM_RUSER (requesting  
>>> user).
>>
>> It actually stands for remote user.
>>
>> ...
>>> I'm not sure who maintains the PAM portion of FreeRadius, so I'm
>>> throwing this out for discussion. Does this seem like something  
>>> which
>>> could be included in the distribution?
>>
>> I don't see why not.
>>
>> I've cleaned up the patch, how does it look?
>>
>> You were stepping on PAM_RETRY, not really your fault, the code for
>> that part is pretty ... awful.  Otherwise, I just deferred looking  
>> for
>> PAM_RUSER until it might actually be used.  I'm happy to put it back
>> the way you had it if you specifically wanted it that way for some  
>> reason.
>>
>> -frank
>
>
>
>

More information about the Freeradius-Devel mailing list