How to handle challenge response using PAM auth in FreeRadius
jdennis at redhat.com
Mon Mar 15 17:56:51 CET 2010
On 03/15/2010 12:16 PM, Rajendra Hegde wrote:
> I am developing a PAM module for radius server.
> The radius server is configured to use PAM auth.
> It reads /etc/pam.d/radiusd and loads it on receiving auth request.
> The PAM module talks to external Authentication server and sometimes
> gets back "Challenge Respose".
> How can this be returned back to radius server from pam_sm_authenticate
> from my PAM module ?
> Please note that this is different than what pam_radius_auth.c does.
> pam_radius_auth.c talks to radius directly via network
> where as my module directly gets loaded by Radius.
> Why should not there be a way to return "Challenge Respose"
> from linux PAM back to it's loader ?
> Can this possible linux limitation be overcome by radius calling another
> exported function for
> PAM module covering all scenarios including "Challenge Response" ?
> Where should I look into in the freeradius codebase, if I were to
> add that functionality ?
> with best regards,
Your question is a bit muddled. I'm not sure if you asking how to
forward the challenge through RADIUS back to the client or if you're
just asking how to handle a pam "conversation" within your
authentication module. If it's the former, then the answer is you can't
do that in general. On the other hand if all you want to know is how to
handle a pam conversation the take a look at rlm_pam.c and see the
function PAM_conv and read the man page for pam_conv.
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
More information about the Freeradius-Users