Removing local auth (freeradius server 2.1.9)

David Peterson davidp at wirelessconnections.net
Thu Jun 10 19:19:08 CEST 2010


Someone will correct me if I am wrong, but I believe that is the "unix"
entry under sites-available/default.

 

David

 

From: freeradius-users-bounces+david.peterson=acc-corp.net at lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp.net at lists.freeradius.org] On Behalf Of Martin Richard
Sent: Thursday, June 10, 2010 11:32 AM
To: freeradius-users at lists.freeradius.org
Subject: Removing local auth (freeradius server 2.1.9)

 

Hello,

  I've tried the doc, the wiki, and the ML archives but I can't find an
answer to what must be a simple configuration thing. I've compiled
freeradius server 2.1.9 and only added two simple lines to $confdir/user:

mrichard Cleartext-Password := "qwerty"
mrichard2 Cleartext-Password := "qwerty"

  When starting radiusd -X (yes, I've looked at the output) and testing
these 2 most simple accounts with radtest, the first one fails while the
second one works. The difference being that there's a "mrichard" account on
the box in /etc/passwd while "mrichard2" only exists in radiusd's config.
Hence the output differences when calling "radtest thelogin qwerty localhost
666 testing123" (cut) :

for mrichard:

+- entering group PAP {...}
[pap] login attempt with password "qwerty"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject

for mrichard2:

+- entering group PAP {...}
[pap] login attempt with password "qwerty"
[pap] Using clear text password "qwerty"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 79 to 127.0.0.1 port 60023

  Of course, the first account works if I use the OS level password
associated with it.

  After a bit of searching I found a reference in the ML archives to
$confdir/sites-enabled/default and saw "unix" in there with the description
saying it caches the hashes from /etc/passwd and its accompanying shadow.
I've commented those lines and restarted the daemon. Now I get this in the
PAP output for both users:

[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request:
Rejecting the user
Failed to authenticate the user.
Using Post-Auth-Type Reject


  I must be missing something rather obvious... But how can I totally disable
the lookup of OS accounts?

  Thanks

  Martin
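
An added example, not part of the original thread and not FreeRADIUS code: a small Python helper that reads the [pap] lines of "radiusd -X" output, such as the three excerpts quoted in the message, and reports which kind of known-good password the pap module compared against. The function names, the labels and the SAMPLES dictionary are assumptions made for illustration; the log lines are copied from the message.

```python
import re

# Constructed sample input: the three PAP excerpts quoted in the message,
# keyed by illustrative labels (the labels are not FreeRADIUS names).
SAMPLES = {
    "mrichard": '''[pap] login attempt with password "qwerty"
[pap] Using CRYPT encryption.
[pap] Passwords don't match
++[pap] returns reject''',
    "mrichard2": '''[pap] login attempt with password "qwerty"
[pap] Using clear text password "qwerty"
[pap] User authenticated successfully
++[pap] returns ok''',
    "unix_commented_out": '''[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop''',
}

PAP_RETURN = re.compile(r"^\++\[pap\] returns (\w+)")

def classify_pap(debug_text):
    """Return (password_source, pap_result) for one PAP excerpt of radiusd -X output."""
    source, result = "unknown", "unknown"
    for line in debug_text.splitlines():
        line = line.strip()
        if line.startswith("[pap] Using CRYPT encryption"):
            source = "crypt-hash"
        elif line.startswith("[pap] Using clear text password"):
            source = "cleartext"
        elif 'No "known good" password found' in line:
            source = "none"
        match = PAP_RETURN.match(line)
        if match:
            result = match.group(1)
    return source, result

def explain(source, result):
    """Map a classification to the situation described in the thread."""
    if source == "crypt-hash" and result == "reject":
        return "compared against a crypt hash, not the Cleartext-Password entry"
    if source == "cleartext" and result == "ok":
        return "compared against the Cleartext-Password entry"
    if source == "none":
        return "no known-good password reached pap; nothing set Auth-Type"
    return "pattern not covered by this helper"

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        source, result = classify_pap(text)
        print(f"{label}: source={source} pap={result} -> {explain(source, result)}")
```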


