Evan Huus wrote:
The problem is that pam_radius_auth (to the best of my knowledge) silently ignores any VSAs in the messages it receives. This makes sense from its perspective, since PAM is purely for authentication.
Yes. And PAM can't change user authorization or permissions. So I really have no idea why anyone uses PAM.
The best solution I've come up with has pam_radius_auth forwarding the Access-Accept messages to a configurable port on the local machine. Our daemon can then listen on that port and extract the data it needs. This solution is very ugly, and I'm hoping that there's a better way I'm just not aware of.
Any suggestions or information you can provide are very much appreciated.
If you can figure out how to get PAM to set UID/GID/shell/etc., I'd be happy. Alan DeKok.