exec module bash script authentication

Alan DeKok aland at deployingradius.com
Sat Oct 19 15:44:12 CEST 2013


Ahmet Hakan wrote:
> I am new at freeradius (2.1.4) 

  I'd suggest upgrading, but whatever...

> I am using sql authentication with mysql successfully and
> I want to add second authentication via bash. (if sql authentication
> fails then check bash authentication)

  That's usually bad practice.  An authentication reject is a reject.
Trying *another* method is usually wrong.  Instead, figure out which
method is supposed to be used, and use that.

  Also, using the "exec" functionality will slow the server down.
Especially under load.

> I added file (bashauth) to module directory  
>  
> exec bashauth {
>     wait = yes
>     program = "/usr/local/bin/bash /bin/radcheck %{User-Name} %{User-Password}"

  Huh?  Why "/usr/local/bin/bash /bin/radcheck"  ?  Why not just run
radcheck directly?

  And that exposes the password to anyone running "ps".

> then I modified sites-enabled/default
>  
> authorize {
> ...
> bashauth

  Why are you listing it in the "authorize" section?

> but I can't authenticate user via bash script
>  
> radiusd -X output is below.
>  
> [bashauth]      expand: %{User-Name} -> a
> [bashauth]      expand: %{User-Password} -> a
> Exec-Program output:
> Exec-Program: returned: 0
> ++[bashauth] returns ok
> [pap] WARNING! No "known good" password found for the user. 
> Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
> Failed to authenticate the user.

  The above message is fairly clear.

  Perhaps you could try setting Auth-Type := bashauth.

  Alan DeKok.
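
On the point above that expanding %{User-Password} into "program" exposes it to anyone running "ps": the sketch below is an added example, not part of the original message and not FreeRADIUS code. It is a stand-in for /bin/radcheck that takes the credentials from its environment and refuses them in argv. It assumes the exec module is configured with input_pairs = request and exports attributes as USER_NAME and USER_PASSWORD; the function names and the demo user store are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: a stand-in for /bin/radcheck that reads
# the credentials from its environment, so they never appear in "ps" output.
# Assumed module config (no attributes expanded into "program"):
#   exec bashauth {
#       wait = yes
#       input_pairs = request
#       program = "/bin/radcheck"
#   }
# Assumption: input_pairs = request exports request attributes as environment
# variables (User-Name -> USER_NAME, User-Password -> USER_PASSWORD), and
# string values may arrive wrapped in double quotes.

# Constructed demo store ("user:password") standing in for the real backend.
DEMO_USERS='alice:correct horse
bob:hunter2'

# Strip one pair of surrounding double quotes, if present.
unquote() {
    case $1 in
        '"'*'"') v=${1#\"}; v=${v%\"}; printf '%s' "$v" ;;
        *) printf '%s' "$1" ;;
    esac
}

# Succeed only on an exact user/password match; empty values never match.
check_credentials() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    while IFS=: read -r u p; do
        [ "$u" = "$1" ] && [ "$p" = "$2" ] && return 0
    done <<EOF
$DEMO_USERS
EOF
    return 1
}

# Entry point: reject any argv use, then check the environment values.
check_request() {
    if [ "$#" -gt 0 ]; then
        echo "radcheck: credentials must not be passed in argv" >&2
        return 1
    fi
    check_credentials "$(unquote "${USER_NAME:-}")" "$(unquote "${USER_PASSWORD:-}")"
}

# Run only when installed under the name "radcheck"; exit 0 means accept.
case ${0##*/} in
    radcheck) check_request "$@"; exit $? ;;
esac
```

The environment of a process is still readable by root and by the account the server runs as, so this narrows the exposure rather than removing it.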

