PAM Module Patch and Feature

Frank Cusack fcusack at
Thu Mar 22 02:02:17 CET 2007


Awaiting your feedback.  Maybe you didn't realize freeradius-devel
responses go to the list [only].  I'm cc'ing you just in case.
There might be a pref you can change in your subscription to have
replies go to you.  Or just set reply-to.


On March 19, 2007 7:50:19 PM -0700 Frank Cusack <fcusack at> wrote:
> On March 15, 2007 2:40:42 PM -0600 David Mitchell <mitchell at>
> wrote:
>> Greetings,
>> I am working on using FreeRadius with token authentication and ran into
>> a small snag. Under Linux, attempts to authenticate 'su' result in a
>> query to the Radius server for the user 'root'. What we would like to
>> happen is for the query to be for the requesting user. This is how the
>> 'sudo' application handles it's PAM requests.
> Interesting.  Why don't you just use 'sudo' then?  Having 'su' be distinct
> and accept the actual root password can be useful.
>> I of course do not want to change the default behavior of the module, so
>> I added an option. I named it 'ruser' since it works by causing the PAM
>> module to authenticate using the value of PAM_RUSER (requesting user).
> It actually stands for remote user.
> ...
>> I'm not sure who maintains the PAM portion of FreeRadius, so I'm
>> throwing this out for discussion. Does this seem like something which
>> could be included in the distribution?
> I don't see why not.
> I've cleaned up the patch, how does it look?
> You were stepping on PAM_RETRY, not really your fault, the code for
> that part is pretty ... awful.  Otherwise, I just deferred looking for
> PAM_RUSER until it might actually be used.  I'm happy to put it back
> the way you had it if you specifically wanted it that way for some reason.
> -frank

More information about the Freeradius-Devel mailing list