excluding users from being processed by pam_radius_auth.so ?
jcolten at umn.edu
Mon Oct 15 20:38:46 CEST 2007
What do folks think of this feature idea?
We use a Two Factor Authentication product that provides a PAM agent.
The PAM agent supports an option "xusers=/filename/" where /filename
/names a file containing a list of userids which are excluded from being
authenticated by the agent. Here would be an example pam.conf stack for
authenticating ftp using this feature (Solaris 10's PAM):
# for FTP
ftp auth binding pam_safeword.so.1
ftp auth requisite pam_authtok_get.so.1
ftp auth required pam_dhkeys.so.1
ftp auth required pam_unix_cred.so.1
ftp auth required pam_unix_auth.so.1
Excluded users fall thru to get authenticated in the same manner they
would be if we weren't using the two factor auth product.
There is no Solaris 8 version of the pam_safeword.so.1 module used
above, so we'd like to use pam_radius_auth.so .... but have a strong
need for that xusers= option or something that'll accomplish the same
However, we have few C development skills in our shop and those we have
are rusty. And then there's the problem that we aren't very familiar
with PAM internals!
Does the community see value in this enhancement? Anyone interested in
working on it? Or is it already there and I haven't found it in the doc?
More information about the Freeradius-Devel