On 10/06/2009 01:56 PM, James Smallacombe wrote:
Has anyone had any luck getting FreeRadius to recognise expired Linux system passwords as defined in /etc/login.defs ? sshd and imapd honors it, but FreeRadius does not. It appears enabled by default...is there anything else that needs to be done on the FreeRadius server config? On the NAS?
TIA,
On Wed, 30 Sep 2009, James Smallacombe wrote:
Hi:
We have a client running FreeRadius 2.1.6 on a Linux box authenticating against shadow passwords. I've gone over the radiusd.conf and it appears that the expire module is enabled by default in the global config (there are no virtual servers here). However, FreeRadius appears to be ignoring this attribute and authenticating users with expired passwords anyway. I tried expiring the account and that worked, but it would be much better to have it respect expired passwords.
Is there something I missed?
yes, the distinction between rlm_unix and rlm_pam rlm_unix bypasses the entire login mechanism and directly reads the shadow file, not only is this a security hazard but because it bypasses all the login checking you lose another layer of security as you've discovered. sshd and imapd work because they're properly configured to use pam. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/