Authorization with Client PAM Library

Alan DeKok aland at
Wed Oct 12 17:18:02 CEST 2011

Evan Huus wrote:
> The problem is that pam_radius_auth (to the best of my knowledge)
> silently ignores any VSAs in the messages it receives. This makes
> sense from its perspective, since PAM is purely for authentication.

  Yes.  And PAM can't change user authorization or permissions.  So I
really have no idea why anyone uses PAM.

> The best solution I've come up with has pam_radius_auth forwarding the
> Access-Accept messages to a configurable port on the local machine.
> Our daemon can then listen on that port and extract the data it needs.
> This solution is very ugly, and I'm hoping that there's a better way
> I'm just not aware of.
> Any suggestions or information you can provide are very much appreciated.

  If you can figure out how to get PAM to set UID/GID/shell/etc., I'd be

  Alan DeKok.
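The daemon described in the quoted message would have to pull the Vendor-Specific attributes (type 26) out of each forwarded Access-Accept. The following parsing step is an added example, not code from pam_radius_auth or from either poster. It assumes the daemon receives the raw RADIUS packet and that the vendor uses the sub-attribute layout RFC 2865 recommends; `parse_vsas` and the sample packet are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2      # RFC 2865 packet code
VENDOR_SPECIFIC = 26   # RFC 2865 attribute type


def parse_vsas(packet: bytes):
    """Return [(vendor_id, vendor_type, value)] from an Access-Accept.

    Assumes RFC 2865 sec. 5.26 sub-attributes; ValueError on bad lengths.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if length < 20 or length > len(packet):
        raise ValueError("bad packet length field")
    vsas, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC:
            continue
        if len(value) < 6:
            raise ValueError("VSA too short for vendor id and sub-attribute")
        vendor_id = struct.unpack("!I", value[:4])[0]
        sub = 4
        while sub < len(value):
            if sub + 2 > len(value):
                raise ValueError("truncated sub-attribute header")
            vtype, vlen = value[sub], value[sub + 1]
            if vlen < 2 or sub + vlen > len(value):
                raise ValueError("sub-attribute length out of bounds")
            vsas.append((vendor_id, vtype, value[sub + 2:sub + vlen]))
            sub += vlen
    return vsas


# Constructed sample: Access-Accept with Reply-Message plus one VSA
# (32473 is the documentation enterprise number; sub-type 1 is made up).
_vsa = struct.pack("!I", 32473) + bytes([1, 2 + 5]) + b"admin"
_attrs = bytes([18, 2 + 2]) + b"ok" + bytes([26, 2 + len(_vsa)]) + _vsa
SAMPLE = struct.pack("!BBH", 2, 7, 20 + len(_attrs)) + bytes(16) + _attrs
```

Parsing alone does not authenticate the packet: checking the Response Authenticator needs the shared secret and the Request Authenticator of the matching Access-Request, which the forwarding side would have to supply.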

More information about the Freeradius-Users mailing list