Thanks Eero and Alan, this is exactly the information I was looking for. I had a feeling that a new "feature" wasn't going to be necessary, thanks for the confirmation. On Wed, May 14, 2014 at 12:05 PM, Eero Volotinen <eero.volotinen@iki.fi>wrote:
this is pam related configuration..
take look of this example:
# Prevent the following 1 rule from applying to root auth [default=1 success=ignore] pam_succeed_if.so uid > 0 # Configure PAM to use RADIUS with possible to local fallback, only if radius/proxy server is down.. auth [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown
2014-05-14 21:43 GMT+03:00 Bob Probert <bruisebrotherprobert@gmail.com>:
Hello all,
I'm developing PAM policy for a server in which my organization doesn't have control of the RADIUS infrastructure. This particular system is using the RADIUS PAM module only for authentication purposes -- an account must be present on the system in order for a login to be successful.
The users of this system must never have access to two accounts -- one we'll call 'system' the other is 'root'. The PAM configuration has 'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a RADIUS administrator adds an account for 'root' or 'system' in the RADIUS infrastructure, the user will then get unauthorized "root" or "system" access.
Has anyone on the list encountered a similar issue? After inspecting the RADIUS PAM module code, it appears that there aren't any hooks for disabling RADIUS auth for certain users. This appears to be a rather trivial feature to implement, if I add this functionality to the module, is there any interest in my patch? Any other ideas?
Thanks!
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html