<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>>Alan DeKok wrote:<BR>> > I am using sql authentication with mysql successfully and<br>> > I want to add second authentication via bash. (if sql authentication<br>> > fail then check bash authentication)<br>> <br>> That's usually bad practice. An authentication reject is a reject.<br>> Trying *another* method is usually wrong. Instead, figure out which<br>> method is supposed to be used, and use that.<br><BR>I have separate databases: MySQL, LDAP and Microsoft SQL,<BR>so I need multiple authentication.<BR>Is multiple authentication possible in FreeRADIUS? If yes, how?<BR> <BR>> > I added file (bashauth) to module directory <br>> > <br>> > exec bashauth {<br>> > wait = yes<br>> > program = "/usr/local/bin/bash /bin/radcheck %{User-Name}<br>> > %{User-Password}"<br>> <br>> Huh? Why "/usr/local/bin/bash /bin/radcheck" ? Why not just run<br>> radcheck directly?<br>> <br>> And that exposes the password to anyone running "ps".<br><BR>I corrected it.<BR>The server is a single-user system; no other users exist.<BR> <BR>> <br>> Perhaps you could try setting Auth-Type := bashauth.<BR> <BR>In which section must I define this setting?<BR> <BR>I defined it in the users file,<BR>DEFAULT Auth-Type := "bashauth"<BR>but it overrides mysql authentication.<BR> <BR> <BR> <BR>Best Regards,<BR> <BR>Ahmet Hakan<BR> <BR><div>> <br>> Ahmet Hakan wrote:<br>> > I am new at freeradius (2.1.4) <br>> <br>> I'd suggest upgrading, but whatever...<br>> <br>> > I am using sql authentication with mysql successfully and<br>> > I want to add second authentication via bash. (if sql authentication<br>> > fail then check bash authentication)<br>> <br>> That's usually bad practice. An authentication reject is a reject.<br>> Trying *another* method is usually wrong. 
Instead, figure out which<br>> method is supposed to be used, and use that.<br>> <br>> Also, using the "exec" functionality will slow the server down.<br>> Especially under load.<br>> <br>> > I added file (bashauth) to module directory <br>> > <br>> > exec bashauth {<br>> > wait = yes<br>> > program = "/usr/local/bin/bash /bin/radcheck %{User-Name}<br>> > %{User-Password}"<br>> <br>> Huh? Why "/usr/local/bin/bash /bin/radcheck" ? Why not just run<br>> radcheck directly?<br>> <br>> And that exposes the password to anyone running "ps".<br>> <br>> > then I modified sites-enabled/default<br>> > <br>> > authorize {<br>> > ...<br>> > bashouth<br>> <br>> Why are you listing it in the "authorize" section?<br>> <br>> > but I can't authenticate user via bash script<br>> > <br>> > radiusd -X output is below.<br>> > <br>> > [bashauth] expand: %{User-Name} -> a<br>> > [bashauth] expand: %{User-Password} -> a<br>> > Exec-Program output:<br>> > Exec-Program: returned: 0<br>> > ++[bashauth] returns ok<br>> > [pap] WARNING! No "known good" password found for the user. <br>> > Authentication may fail because of this.<br>> > ++[pap] returns noop<br>> > No authenticate method (Auth-Type) configuration found for the request:<br>> > Rejecting the user<br>> > Failed to authenticate the user.<br>> <br>> The above message is fairly clear.<br>> <br>> Perhaps you could try setting Auth-Type := bashauth.<br>> <br>> Alan DeKok.<br></div> </div></body>
</html>