Martin Richard wrote:
When starting radiusd -X (yes, I've looked at the output) and testing these 2 most simple accounts with radtest, the first one fails while the second one works. The difference being that there's a "mrichard" account on the box in /etc/passwd while "mrichard2" only exists in radiusd's config. Hence the output differences when calling "radtest thelogin qwerty localhost 666 testing123" (cut) :
As the debug log shows, it's using the Unix password for the user, rather than the password from the "users" file.
After a bit of searching I found a reference in the ML archives to $confdir/sites-enabled/default and saw "unix" in there with the description saying it caches the hashes from /etc/passwd and its accompanying shadow.
Not exactly. It looks up the user in /etc/passwd, and if found, adds the password as the "known good" password.
I've commented those lines and restarted the daemon. Now I get this in the PAP output for both users:
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Does the "files" module say that they were found in the "users" file?
I must be missing something rather obvious.. But how can I totally disable the lookup of OS accounts ?
Delete "unix" from raddb/sites-enabled/default, section "authorize" Alan DeKok.