Expired unix system passwords
John Dennis
jdennis at redhat.com
Tue Oct 6 20:23:58 CEST 2009
On 10/06/2009 01:56 PM, James Smallacombe wrote:
>
> Has anyone had any luck getting FreeRadius to recognise expired Linux
> system passwords as defined in /etc/login.defs? sshd and imapd honor
> it, but FreeRadius does not. It appears enabled by default... Is there
> anything else that needs to be done on the FreeRadius server config? On
> the NAS?
>
> TIA,
>
> On Wed, 30 Sep 2009, James Smallacombe wrote:
>
>>
>> Hi:
>>
>> We have a client running FreeRadius 2.1.6 on a Linux box
>> authenticating against shadow passwords. I've gone over the
>> radiusd.conf and it appears that the expire module is enabled by
>> default in the global config (there are no virtual servers here).
>> However, FreeRadius appears to be ignoring this attribute and
>> authenticating users with expired passwords anyway. I tried expiring
>> the account and that worked, but it would be much better to have it
>> respect expired passwords.
>>
>> Is there something I missed?
Yes, the distinction between rlm_unix and rlm_pam.
rlm_unix bypasses the entire login mechanism and directly reads the
shadow file. Not only is this a security hazard, but because it bypasses
all the login checking you lose another layer of security, as you've
discovered.
sshd and imapd work because they're properly configured to use pam.
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
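To make the rlm_unix versus rlm_pam distinction concrete, here is an added example (not from the thread and not the FreeRADIUS project's own shipped files): a FreeRADIUS 2.x configuration in which the shadow-file shortcut is removed and authentication is routed through rlm_pam, so that pam_unix's account check (the same check sshd and imapd get through PAM) is what enforces password ageing. The raddb file paths, the PAM service name "radiusd" and the users-file entry are assumptions made for illustration.

```text
# Added example, not part of the original thread. File paths, the PAM
# service name "radiusd" and the DEFAULT users entry are assumptions.

# --- Weak setup: rlm_unix pulls the crypt hash straight out of /etc/shadow
# --- into Crypt-Password, and pap checks it. No account management runs,
# --- so the password ageing written into the shadow entry is never seen.
# raddb/sites-enabled/default (as found)
authorize {
    preprocess
    unix
    files
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
}

# --- Corrected setup: drop unix from authorize, force Auth-Type PAM, and let
# --- PAM do both the password check and the account (expiry) check.
# raddb/sites-enabled/default (corrected)
authorize {
    preprocess
    # unix   <- removed: no more direct reads of /etc/shadow
    files
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type PAM {
        pam
    }
}

# raddb/modules/pam
pam {
    # PAM service name; must match the file under /etc/pam.d/
    pam_auth = radiusd
}

# raddb/users : any user not given another Auth-Type goes through PAM
DEFAULT Auth-Type := PAM
        Fall-Through = Yes

# /etc/pam.d/radiusd (assumed service file for the pam_auth above)
# "account" is the line that rejects expired passwords and expired accounts.
auth     required  pam_unix.so
account  required  pam_unix.so
```

Two caveats a practitioner hits immediately. First, rlm_pam needs a cleartext User-Password in the request (PAP); CHAP and MS-CHAP cannot be handed to PAM, so the NAS must be configured for PAP for this to work. Second, pam_unix can only verify another user's password if radiusd has read access to /etc/shadow (or runs as root), otherwise the unix_chkpwd helper refuses; on most distributions that means adding the radiusd user to the shadow group, exactly the access rlm_unix already required. A quick check is radtest against localhost with an account whose password has been aged out with chage: the weak setup returns Access-Accept, the corrected one returns Access-Reject.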