Adding Access-Challenge support for rlm_pam

Kenny Root kenny at the-b.org
Wed Sep 19 09:05:07 CEST 2012


I wanted to use google-authenticator's PAM module on my FreeRADIUS server.
It seemed to work fine with authentication from Apache, but also making
that work with PAM was problematic. I probably could have hacked around it
to make it work like I wanted, but I'd rather have my familiar
"Verification code: " prompt from google-authenticator.

Instead I've worked a bit to enable Access-Challenge support in rlm_pam.
This is done in terms of PAM_CONV_AGAIN which allows rlm_pam to send
Access-Challenge and keep state in a structure similar to how rlm_securid
works.

This is the first time I've looked at the source code for FreeRADIUS, so
I'd welcome any review of my code as it currently stands. It doesn't
currently behave like the existing rlm_pam. For instance, it doesn't try to
submit the first password it sees as the reponse to the first pam_conv
message. However, I should be able to fix that soon.

The initial commit is here:
https://github.com/kruton/freeradius-server/commit/0df7c053e1a10a49a5e9af130ffff110714e2733

Thanks,
Kenny Root
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20120919/7f025d8d/attachment-0001.html>


More information about the Freeradius-Devel mailing list