PAM Module Patch and Feature
Frank Cusack
fcusack at fcusack.com
Thu Mar 22 02:02:17 CET 2007
David,
Awaiting your feedback. Maybe you didn't realize freeradius-devel
responses go to the list [only]. I'm cc'ing you just in case.
There might be a pref you can change in your subscription to have
replies go to you. Or just set reply-to.
-frank
On March 19, 2007 7:50:19 PM -0700 Frank Cusack <fcusack at fcusack.com> wrote:
> On March 15, 2007 2:40:42 PM -0600 David Mitchell <mitchell at ucar.edu>
> wrote:
>> Greetings,
>>
>> I am working on using FreeRadius with token authentication and ran into
>> a small snag. Under Linux, attempts to authenticate 'su' result in a
>> query to the Radius server for the user 'root'. What we would like to
>> happen is for the query to be for the requesting user. This is how the
>> 'sudo' application handles it's PAM requests.
>
> Interesting. Why don't you just use 'sudo' then? Having 'su' be distinct
> and accept the actual root password can be useful.
>
>> I of course do not want to change the default behavior of the module, so
>> I added an option. I named it 'ruser' since it works by causing the PAM
>> module to authenticate using the value of PAM_RUSER (requesting user).
>
> It actually stands for remote user.
>
> ...
>> I'm not sure who maintains the PAM portion of FreeRadius, so I'm
>> throwing this out for discussion. Does this seem like something which
>> could be included in the distribution?
>
> I don't see why not.
>
> I've cleaned up the patch, how does it look?
>
> You were stepping on PAM_RETRY, not really your fault, the code for
> that part is pretty ... awful. Otherwise, I just deferred looking for
> PAM_RUSER until it might actually be used. I'm happy to put it back
> the way you had it if you specifically wanted it that way for some reason.
>
> -frank
More information about the Freeradius-Devel
mailing list