Accounting with pam_radius_auth
Hello, I found in the archive that pam_radius questions can be asked here so here is mine: I am using pam_radius_auth to authenticate and do some accounting against a freeradius+ldaps server (which works perfectly). Everything (authorization, authentication and accounting) work perfectly except accounting in some cases. Configuration uses pam_radius_auth 1.3.16. Here is an example pam configfile (/etc/pam.d/su): -- cut -- auth sufficient /lib/security/$ISA/pam_rootok.so auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth sufficient /lib/security/pam_radius_auth.so try_first_pass debug auth required /lib/security/$ISA/pam_deny.so account sufficient /lib/security/pam_radius_auth.so debug account sufficient /lib/security/$ISA/pam_unix.so account sufficient /lib/security/$ISA/pam_succeed_if.so uid<100 quiet account required /lib/security/$ISA/pam_permit.so password requisite /lib/security/$ISA/pam_cracklib.so retry=3 password sufficient /lib/security/$ISA/pam_unix.so nullok use_authok md5 shadow password required /lib/security/$ISA/pam_deny.so #session required /lib/security/$ISA/pam_selinux.so close #session required /lib/security/$ISA/pam_limits.so session sufficient /lib/security/pam_radius_auth.so debug session sufficient /lib/security/$ISA/pam_unix.so #session sufficient /lib/security/$ISA/pam_selinux.so open multiple #session optional /lib/security/$ISA/pam_xauth.so -- cut -- In fact the main problem is if I su to an unprivileged user, no accounting packet is sent and output displays: su: pam_radius_auth: Could not open configuration file /etc/raddb/server: Permission denid If I su to root user, then accounting packet is correctly sent. I suppose that session part of pam runs as unprivilegied user and it can't open the /etc/raddb/server which is protected as advised in the documentation. I tried with and without commented lines in the session parts without success. Is this a common problem (I found nothing in the archive) or do I have a mistake in the pam configuration ? Regards, Christophe.
Christophe Boyanique wrote:
In fact the main problem is if I su to an unprivileged user, no accounting packet is sent and output displays:
su: pam_radius_auth: Could not open configuration file /etc/raddb/server: Permission denid
Yes. That file has to be readable by the user. This is a limitation of PAM, I think, where the pam_radius_auth module is run as the user.
I suppose that session part of pam runs as unprivilegied user and it can't open the /etc/raddb/server which is protected as advised in the documentation.
Yes.
Is this a common problem (I found nothing in the archive) or do I have a mistake in the pam configuration ?
It's a problem. A solution (a bad one) is to "chmod a+r" the files. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok a écrit :
Yes. That file has to be readable by the user. This is a limitation of PAM, I think, where the pam_radius_auth module is run as the user.
This is what I thought but I wanted to have a confirmation about that to be sure.
It's a problem. A solution (a bad one) is to "chmod a+r" the files.
Ok I will deal with that. Thanks for your confirmation. Christophe.
participants (2)
-
Alan DeKok -
Christophe Boyanique