On March 15, 2007 2:40:42 PM -0600 David Mitchell <mitchell@ucar.edu> wrote:
Greetings,
I am working on using FreeRadius with token authentication and ran into a small snag. Under Linux, attempts to authenticate 'su' result in a query to the Radius server for the user 'root'. What we would like to happen is for the query to be for the requesting user. This is how the 'sudo' application handles it's PAM requests.
Interesting. Why don't you just use 'sudo' then? Having 'su' be distinct and accept the actual root password can be useful.
I of course do not want to change the default behavior of the module, so I added an option. I named it 'ruser' since it works by causing the PAM module to authenticate using the value of PAM_RUSER (requesting user).
It actually stands for remote user. ...
I'm not sure who maintains the PAM portion of FreeRadius, so I'm throwing this out for discussion. Does this seem like something which could be included in the distribution?
I don't see why not. I've cleaned up the patch, how does it look? You were stepping on PAM_RETRY, not really your fault, the code for that part is pretty ... awful. Otherwise, I just deferred looking for PAM_RUSER until it might actually be used. I'm happy to put it back the way you had it if you specifically wanted it that way for some reason. -frank