PAM Module Patch and Feature

David Mitchell mitchell at
Thu Mar 15 21:40:42 CET 2007


I am working on using FreeRadius with token authentication and ran into
a small snag. Under Linux, attempts to authenticate 'su' result in a
query to the Radius server for the user 'root'. What we would like to
happen is for the query to be for the requesting user. This is how the
'sudo' application handles its PAM requests.

I of course do not want to change the default behavior of the module, so
I added an option. I named it 'ruser' since it works by causing the PAM
module to authenticate using the value of PAM_RUSER (requesting user).
The 'su' application provides this value, so that's an easy place to
grab it from.

I expect that this patch may need more work. It doesn't do much sanity
checking on the values of PAM_RUSER. There may be applications which
don't fill it in properly. I haven't checked extensively. Also, I worked
from the Debian source version which includes a patch for CVE-2005-0108:

I'm not sure who maintains the PAM portion of FreeRadius, so I'm
throwing this out for discussion. Does this seem like something which
could be included in the distribution? Or should I plan on using a
locally patched version for the foreseeable future?
| David Mitchell (mitchell at       Network Engineer IV  |
| Tel: (303) 497-1845                      National Center for  |
| FAX: (303) 497-1818                      Atmospheric Research |
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pam-patch-v1.txt

More information about the Freeradius-Devel mailing list
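
The post notes that the patch does little sanity checking on PAM_RUSER. One way such a check could look, as an added example that is not the attached patch or FreeRADIUS code: the names `select_radius_user` and `name_is_sane`, the character policy, and the choice to fail closed are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A RADIUS attribute value holds at most 253 octets, so a longer
 * User-Name could not be sent intact. */
#define MAX_USER_NAME 253

/* Assumed policy (not from the patch): letters, digits and . _ - @ only,
 * and no leading '-'. Adjust to the site's account naming rules. */
static int name_is_sane(const char *s)
{
    size_t i, n;

    if (s == NULL || (n = strlen(s)) == 0 || n > MAX_USER_NAME || s[0] == '-')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && strchr("._-@", c) == NULL)
            return 0;
    }
    return 1;
}

/* pam_user:  value a module obtains from pam_get_user()
 * pam_ruser: value from pam_get_item(pamh, PAM_RUSER, ...), may be NULL
 * opt_ruser: nonzero when the 'ruser' option is on the module's line
 * Returns the name to query RADIUS for, or NULL to fail the request. */
const char *select_radius_user(const char *pam_user, const char *pam_ruser,
                               int opt_ruser)
{
    if (!opt_ruser)                 /* default: authenticate the target user */
        return name_is_sane(pam_user) ? pam_user : NULL;
    /* Option set: fail closed rather than fall back to the target
     * account when the application left PAM_RUSER unset or malformed. */
    return name_is_sane(pam_ruser) ? pam_ruser : NULL;
}

int main(void)
{
    /* Constructed sample: 'alice' runs su to become root. */
    const char *u = select_radius_user("root", "alice", 1);
    printf("query RADIUS for: %s\n", u ? u : "(reject)");
    return 0;
}
```

PAM_RUSER is set by the calling application, so the option belongs only on the PAM service lines of programs such as 'su' that fill it in with the local invoking user.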