Freeradius not always denying invalid users

Alan DeKok aland at deployingradius.com
Wed Sep 3 17:05:54 CEST 2008


Chris Moss wrote:
> Here is an example of a user who is turned off. This shows the invalid
> shell where it pulls out part of the passwd entry of another user. Note
> the username in this is all the same user.
> 
> Wed Sep  3 08:33:34 2008 : Auth: rlm_unix: [username]: invalid password

  The server just does system calls to get the password from
/etc/passwd.  If that says the user's password is incorrect, it's
incorrect.  No amount of poking the server will change that.

> Wed Sep  3 08:33:48 2008 : Auth: rlm_unix: [username]: invalid shell
> [*one Oak United Methodist:/home/loumc:/bin/false*

  The server just does a system call to get the user's shell, and
validate that against the list of valid shells.  If that says the shell
is invalid, there's little the server can do.

  i.e. the server is relying on the OS and libraries to get information
from the password file.  "one Oak United.." is obviously not the correct
user shell.  So I'd say there's something wrong with your local system.

  *Unless*, of course, you're using an old version of the server, and
have configured it to read /etc/passwd itself.  This isn't recommended
even in old versions of the server.  So... don't enable caching in the
"unix" module.

  Alan DeKok.
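
A stand-alone way to see what the OS and libc themselves return for a user's shell, independent of the RADIUS server. This is an added example, not part of the original post and not FreeRADIUS code; it uses the standard getpwnam() and getusershell() calls, and the helper names shell_field_plausible() and shell_is_listed() are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes getusershell() on glibc */
#endif
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: a shell field must be an absolute path and can never
 * contain ':' (the passwd field separator) or a newline.  An empty field is
 * legal and means the default shell. */
int shell_field_plausible(const char *shell)
{
    if (shell == NULL) return 0;
    if (*shell == '\0') return 1;
    if (shell[0] != '/') return 0;
    return strpbrk(shell, ":\n") == NULL;
}

/* Hypothetical helper: 1 if getusershell() lists this shell as valid. */
int shell_is_listed(const char *shell)
{
    char *s;
    int found = 0;

    setusershell();
    while ((s = getusershell()) != NULL) {
        if (strcmp(s, shell) == 0) { found = 1; break; }
    }
    endusershell();
    return found;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s username\n", argv[0]); return 2; }

    struct passwd *pw = getpwnam(argv[1]);   /* same lookup path the OS offers any program */
    if (pw == NULL) { printf("%s: no passwd entry\n", argv[1]); return 1; }

    int ok = shell_field_plausible(pw->pw_shell);
    printf("shell returned by libc:   [%s]\n", pw->pw_shell);
    printf("plausible shell field:    %s\n", ok ? "yes" : "NO");
    printf("listed by getusershell(): %s\n", shell_is_listed(pw->pw_shell) ? "yes" : "no");
    return ok ? 0 : 1;
}
```

If the shell printed here already contains pieces of another entry, the fault lies in the passwd data or the name-service setup on the host, not in the RADIUS server.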


