pam_radius_auth configuration options

F. Soriano fsoriano.mailling at laposte.net
Sat Apr 25 00:09:18 CEST 2009


Hi list,

I browsed all previous threads and various material available on the web for quite a long time, with no success. So maybe someone can help with this...

I am using the latest available release of FreeRADIUS on my Linux server (RHEL 5.3, x86_64), with authentication against the local users file. This works like a charm so far. Authentication is set up in this order: pam_radius_auth.so, then pam_unix.so.

Is there a way to configure the pam_radius_auth.so module so that as long as the FreeRADIUS daemon is up and running, authentications will be *only* performed against FreeRADIUS, and all other authentication methods are ignored (even if this account exists locally, not in FreeRADIUS)? Of course, if FreeRADIUS is stopped or does not respond anymore, authentication against regular Linux files would work.

I am only looking to make it work for the login process (local ttys).

This is an example of my /etc/pam.d/login file:

--snip--
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth        [success=done new_authtok_reqd=done authinfo_unavail=ignore ignore=ignore default=die]    pam_radius_auth.so ruser debug
auth        required      pam_unix.so use_first_pass
#auth       include      system-auth

account    required     pam_nologin.so
#account    required   pam_radius_auth.so
#account    include      system-auth
--snip--

I also tried with the "localifdown" keyword:
--snip--
auth        [success=done new_authtok_reqd=done ignore=ignore default=die]    pam_radius_auth.so localifdown ruser debug
--snip--
without success...

Let's suppose I have a centralized account "remote-admin", and FreeRADIUS is the only one to know its password. Now I have another account, "local-admin", that is not declared within the /etc/raddb/users file, but only in the local /etc/passwd and /etc/shadow.

With the first example, when FreeRADIUS is up, I can log in as remote-admin, and the logs show that pam_radius_auth got clearance from radiusd. I can also log in as "local-admin", no matter if radiusd is up or not (the logs show that radiusd failed to respond, but that pam_unix accepted the credentials and then granted login).

Thanks for your clues.
Regards,
Frank
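
Added example (not part of the original post, and not code from the FreeRADIUS or Linux-PAM projects): a small Python model of how libpam evaluates the `[value=action]` controls in the first auth stack above, showing for which pam_radius_auth.so return codes pam_unix.so is consulted at all. It assumes the stack uses only the ok, done, bad, die and ignore actions, as this one does; the return codes passed in are constructed inputs, not claims about what pam_radius_auth.so returns in a given situation.

```python
import re

# Expansion of the "required" keyword per pam.conf(5).
REQUIRED = "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]"

# Auth stack copied from the first /etc/pam.d/login example in the post.
STACK = [
    ("pam_securetty.so",
     "[user_unknown=ignore success=ok ignore=ignore default=bad]"),
    ("pam_radius_auth.so",
     "[success=done new_authtok_reqd=done authinfo_unavail=ignore "
     "ignore=ignore default=die]"),
    ("pam_unix.so", "required"),
]

def parse_control(control):
    """Turn 'required' or '[code=action ...]' into {return_code: action}."""
    if control == "required":
        control = REQUIRED
    return dict(re.findall(r"(\w+)=(\w+)", control))

def run_stack(stack, returns):
    """Evaluate the stack; `returns` maps module name -> constructed return code.

    Gives back (final_result, modules_called).
    """
    status, impression, called = "perm_denied", None, []
    for module, control in stack:
        ret = returns[module]
        called.append(module)
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            # Success only counts while no earlier module has failed.
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break          # stop here, later modules are not consulted
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret   # first failure is kept
            if action == "die":
                break          # fail immediately
        # action == "ignore": this module does not influence the result
    return status, called
```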



More information about the Freeradius-Users mailing list