Freeradius not always denying invalid users

Chris Moss cmoss28 at vci.net
Wed Sep 3 17:42:37 CEST 2008


We are running version 1.1.3. We do have thousands of users in the
passwd file, could that have something to do with it? Is there a way to
tell the radius server that if it can't authenticate to deny it? I'm
wondering if the OS itself is getting overloaded causing this.

Chris Moss




Alan DeKok wrote:
> Chris Moss wrote:
>   
>> Here is an example of a user who is turned off. This shows the invalid
>> shell where it pulls out part of the passwd entry of another user. Note
>> the username in this is all the same user.
>>
>> Wed Sep  3 08:33:34 2008 : Auth: rlm_unix: [username]: invalid password
>>     
>
>   The server just does system calls to get the password from
> /etc/passwd.  If that says the user's password is incorrect, it's
> incorrect.  No amount of poking the server will change that.
>
>   
>> Wed Sep  3 08:33:48 2008 : Auth: rlm_unix: [username]: invalid shell
>> [*one Oak United Methodist:/home/loumc:/bin/false*
>>     
>
>   The server just does a system call to get the user's shell, and
> validate that against the list of valid shells.  If that says the shell
> is invalid, there's little the server can do.
>
>   i.e. the server is relying on the OS and libraries to get  information
> from the password file.  "one Oak United.." is obviously not the correct
> user shell.  So I'd say there's something wrong with your local system.
>
>   *Unless*, of course you're using an old version of the server, and
> have configured it to read /etc/passwd itself.  This isn't recommended
> even in old versions of the server.  So... don't enable caching in the
> "unix" module.
>
>   Alan DeKok.
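An added example, not part of either message and not FreeRADIUS code: a small Python check of the point made in the quoted reply, that the server only sees what the OS and libraries return from the password file. It audits passwd-format text for lines that break the seven-field layout or carry an unlisted shell, and looks up the shell the C library returns for a user; the sample entries, the shell list and the function names are constructed for illustration.

```python
import pwd

# Constructed sample in passwd(5) format (not data from the thread). The entry
# for "church" is split by a stray newline, leaving two malformed lines.
SAMPLE = (
    "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash\n"
    "church:x:1002:1002:Example\n"
    " Church:/home/church:/bin/false\n"
    "bob:x:1003:1003:Bob Example:/home/bob:/bin/false\n"
)
VALID_SHELLS = {"/bin/sh", "/bin/bash"}  # assumed contents of /etc/shells


def audit_passwd(text, valid_shells):
    """Return [(line_no, reason)] for malformed lines and unlisted shells."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((n, "%d fields, expected 7" % len(fields)))
        elif fields[6] and fields[6] not in valid_shells:
            findings.append((n, "%s: shell %s not listed" % (fields[0], fields[6])))
    return findings


def file_shell(text, user):
    """Shell field recorded in the file text for user, or None."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == user:
            return fields[6]
    return None


def libc_shell(user):
    """Shell the C library's getpwnam() returns for user, or None."""
    try:
        return pwd.getpwnam(user).pw_shell
    except KeyError:
        return None


if __name__ == "__main__":
    for n, reason in audit_passwd(SAMPLE, VALID_SHELLS):
        print("line %d: %s" % (n, reason))
    print("root shell via libc:", libc_shell("root"))
```

On a live system, pass the contents of /etc/passwd to `audit_passwd` and compare `file_shell` with `libc_shell` for an affected user; a mismatch points at the local system rather than the server.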