Freeradius not always denying invalid users
Chris Moss
cmoss28 at vci.net
Wed Sep 3 17:42:37 CEST 2008
We are running version 1.1.3. We do have thousands of users in the
passwd file, could that have something to do with it? Is there a way to
tell the radius server that if it can't authenticate to deny it? I'm
wondering if the OS itself is getting overloaded causing this.
Chris Moss
Alan DeKok wrote:
> Chris Moss wrote:
>
>> Here is an example of a user who is turned off. This shows the invalid
>> shell where it pulls out part of the passwd entry of another user. Note
>> the username in this is all the same user.
>>
>> Wed Sep 3 08:33:34 2008 : Auth: rlm_unix: [username]: invalid password
>>
>
> The server just does system calls to get the password from
> /etc/passwd. If that says the user's password is incorrect, it's
> incorrect. No amount of poking the server will change that.
>
>
>> Wed Sep 3 08:33:48 2008 : Auth: rlm_unix: [username]: invalid shell
>> [*one Oak United Methodist:/home/loumc:/bin/false*
>>
>
> The server just does a system call to get the user's shell, and
> validate that against the list of valid shells. If that says the shell
> is invalid, there's little the server can do.
>
> i.e. the server is relying on the OS and libraries to get information
> from the password file. "one Oak United.." is obviously not the correct
> user shell. So I'd say there's something wrong with your local system.
>
> *Unless*, of course you're using an old version of the server, and
> have configured it to read /etc/passwd itself. This isn't recommended
> even in old versions of the server. So... don't enable caching in the
> "unix" module.
>
> Alan DeKok.
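An added example, not part of the original thread and not FreeRADIUS code: a small audit of passwd-format text that separates entries whose shell is simply absent from the valid shell list (the ordinary "invalid shell" rejection of a turned-off user) from entries that are structurally broken, which is what a shell value containing another record's fields points to. The function name, the sample passwd text and the shell list are constructed for illustration.

```python
"""Audit passwd-format text for entries a lookup could misparse (added example)."""

EXPECTED_FIELDS = 7  # name:passwd:uid:gid:gecos:home:shell


def audit_passwd(passwd_text, valid_shells):
    """Return (line_number, name, kind, detail) tuples.

    kind is "disabled" when the entry is well formed but its shell is not
    in valid_shells, and "malformed" when the entry itself is suspect.
    """
    findings = []
    first_seen = {}
    for lineno, line in enumerate(passwd_text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        name = fields[0]
        if len(fields) != EXPECTED_FIELDS:
            # A record split by a stray newline or truncated write shows up here.
            findings.append((lineno, name, "malformed",
                             "expected 7 fields, found %d" % len(fields)))
            continue
        if name in first_seen:
            findings.append((lineno, name, "malformed",
                             "duplicate of line %d" % first_seen[name]))
        else:
            first_seen[name] = lineno
        uid, gid = fields[2], fields[3]
        shell = fields[6] or "/bin/sh"  # empty shell field means the default shell
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, name, "malformed", "non-numeric uid or gid"))
        if not shell.startswith("/"):
            findings.append((lineno, name, "malformed",
                             "shell is not an absolute path: %r" % shell))
        elif shell not in valid_shells:
            findings.append((lineno, name, "disabled",
                             "shell %s not in valid shell list" % shell))
    return findings


# Constructed sample: "carol" has a newline inside the GECOS field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/false
carol:x:1003:1003:Example Com
munity Group:/home/carol:/bin/false
alice:x:1004:1004:Second Alice:/home/alice2:/bin/bash
"""
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash"}  # constructed stand-in for /etc/shells
```
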