excluding users from being processed by pam_radius_auth.so ?

Jim Colten jcolten at umn.edu
Mon Oct 15 20:38:46 CEST 2007

What do folks think of this feature idea?

We use a Two Factor Authentication product that provides a PAM agent.  
The PAM agent supports an option "xusers=/filename/" where /filename 
/names a file containing a list of userids which are excluded from being 
authenticated by the agent.  Here would be an example pam.conf stack for 
authenticating ftp using this feature (Solaris 10's PAM):

    # for FTP
    ftp     auth binding             pam_safeword.so.1
    ftp     auth requisite           pam_authtok_get.so.1
    ftp     auth required           pam_dhkeys.so.1
    ftp     auth required           pam_unix_cred.so.1
    ftp     auth required           pam_unix_auth.so.1

Excluded users fall thru to get authenticated in the same manner they 
would be if we weren't using the two factor auth product.

There is no Solaris 8 version of the pam_safeword.so.1 module used 
above, so we'd like to use  pam_radius_auth.so .... but have a strong 
need for that xusers= option or something that'll accomplish the same 

However, we have few C development skills in our shop and those we have 
are rusty.   And then there's the problem that we aren't very familiar 
with PAM internals!

Does the community see value in this enhancement?  Anyone interested in 
working on it?  Or is it already there and I haven't found it in the doc?

More information about the Freeradius-Devel mailing list