On 06/17/2016 06:43 AM, Alan DeKok wrote:
On Jun 17, 2016, at 9:29 AM, lejeczek via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much? Don't use PAM. It's intended for applications to do user authentication... once.
Maybe they've fixed it, but PAM used to leak memory like crazy when FreeRADIUS used it for repeated authentication.
And whatever PAM can do for authentication... FreeRADIUS can do better. And simpler. And more controlled.
PAM stands for "pluggable authentication modules". Well, FreeRADIUS is an authentication server. And FreeRADIUS has pluggable modules. And FreeRADIUS has "unlang', and a configuration which is infinitely more flexible than PAM.
The only reason to use PAM is when you need to use a proprietary authentication plugin that is only supplied via PAM. And even then, it's only good for PAP authentication.
PAM doesn't do CHAP, MS-CHAP, EAP, or any other authentication method.
Don't use PAM.
I think you were answering my thread, based on context. I'm not sold on PAM, just surprised and slightly frustrated at the fact that (as of my Googling thus far) there doesn't appear to be a Perl module capable of handling MS-CHAP authentication (on the NAS side - we're already using rlm_perl to good effect on the radius server). I've got winbind running over PAP from the wiki example, and that'll just have to do for now.