Expired unix system passwords
James Smallacombe
up at 3.am
Wed Oct 7 00:42:33 CEST 2009
On Tue, 6 Oct 2009, John Dennis wrote:
> On 10/06/2009 01:56 PM, James Smallacombe wrote:
>>
>> Has anyone had any luck getting FreeRadius to recognise expired Linux
>> system passwords as defined in /etc/login.defs ? sshd and imapd honor
>> it, but FreeRadius does not. It appears enabled by default...is there
>> anything else that needs to be done in the FreeRadius server config? On
>> the NAS?
>>
> yes, the distinction between rlm_unix and rlm_pam
>
> rlm_unix bypasses the entire login mechanism and directly reads the shadow
> file, not only is this a security hazard but because it bypasses all the
> login checking you lose another layer of security as you've discovered.
Thanks for your response...I had discarded the notion of using pam for
this because of this warning in the radiusd.conf:
# WARNING: On many systems, the system PAM libraries have
# memory leaks! We STRONGLY SUGGEST that you do not
# use PAM for authentication, due to those memory leaks.
However, I did just try using this:
Auth-Type = Pam
For a test user, and got this in debug:
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
WARNING: Unknown value specified for Auth-Type. Cannot perform requested action.
Failed to authenticate the user.
The module appears enabled in raddb/radiusd.conf and I did put the
recommended entries into /etc/pam.d/radiusd.
Is there something else?
Thanks again!
James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am
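An added example for the point John Dennis makes about rlm_unix versus rlm_pam: the password-aging and account-expiry checks that the PAM account phase applies to a shadow(5) entry, which any path that only compares the stored hash never performs. This is the editor's illustration, not code from the thread, FreeRADIUS or pam_unix. Field semantics follow shadow(5) and the order of checks follows pam_unix's account handling; the sample shadow lines, the fixed "today" value and the status names are constructed for the demonstration.

```python
"""Shadow(5) aging checks of the kind a PAM account phase performs,
next to a model of a hash-only check that skips them.

Constructed example for the rlm_unix vs rlm_pam discussion; not
FreeRADIUS or pam_unix code. Sample entries and TODAY_DAYS are made up.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Fixed "today" as days since 1970-01-01, so the example is deterministic.
TODAY_DAYS = 14_500  # constructed value


def _field(value: str) -> Optional[int]:
    """An empty shadow field means 'not set'; otherwise it is an integer."""
    return int(value) if value else None


@dataclass
class ShadowEntry:
    name: str
    hash: str
    lastchg: Optional[int]   # day the password was last changed (0 = force change)
    min_days: Optional[int]
    max_days: Optional[int]  # PASS_MAX_DAYS from login.defs lands here via passwd/chage
    warn: Optional[int]
    inact: Optional[int]     # grace days after max before the account is disabled
    expire: Optional[int]    # absolute account expiry, days since epoch


def parse_shadow_line(line: str) -> ShadowEntry:
    """Split a 9-field shadow line; the trailing reserved field is ignored."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 9:
        raise ValueError("shadow line must have 9 colon-separated fields")
    return ShadowEntry(parts[0], parts[1], *(_field(p) for p in parts[2:8]))


def account_status(e: ShadowEntry, today: int = TODAY_DAYS) -> str:
    """One of: account-expired, must-change, password-expired, ok.

    Mirrors the pam_unix account checks: absolute expiry first, then a
    forced change (lastchg == 0), then max age plus inactivity, then max
    age alone. Comparisons are strict, so day lastchg + max is still ok.
    """
    if e.expire is not None and e.expire < today:
        return "account-expired"      # account disabled outright
    if e.lastchg is None:
        return "ok"                   # aging disabled for this entry
    if e.lastchg == 0:
        return "must-change"          # admin forced a change at next login
    if e.max_days is None:
        return "ok"                   # no maximum age configured
    age = today - e.lastchg
    if e.inact is not None and age > e.max_days + e.inact:
        return "password-expired"     # past max + grace: account disabled
    if age > e.max_days:
        return "must-change"          # past max, still inside the grace period
    return "ok"


def hash_only_accepts(e: ShadowEntry) -> bool:
    """Model of a check that consults nothing but the hash field.

    Locked ('!', '*') or empty hashes can never match, so they fail; any
    other hash proceeds to comparison regardless of the aging fields.
    """
    return bool(e.hash) and not e.hash.startswith(("!", "*"))


# Constructed sample entries; "$6$s$h" stands in for a real SHA-512 crypt hash.
SAMPLE_SHADOW = [
    "alice:$6$s$h:14400:0:90:7:::",        # 100 days old, max 90, no grace
    "bob:$6$s$h:14300:0:90:7:30::",        # 200 days old, max 90 + 30 grace
    "carol:$6$s$h:0:0:99999:7:::",         # forced change at next login
    "dave:$6$s$h:14450:0:99999:7:::",      # recently changed, effectively no max
    "erin:$6$s$h:14450:0:90:7::14000:",    # account expired on day 14000
    "frank:$6$s$h:::::::",                 # aging disabled entirely
    "grace:!$6$s$h:14450:0:90:7:::",       # locked hash
]


def audit(lines: Iterable[str], today: int = TODAY_DAYS) -> Dict[str, Tuple[str, bool]]:
    """Map user -> (PAM-style account status, whether a hash-only path would proceed)."""
    result = {}
    for line in lines:
        e = parse_shadow_line(line)
        result[e.name] = (account_status(e, today), hash_only_accepts(e))
    return result


if __name__ == "__main__":
    for user, (status, hash_only) in audit(SAMPLE_SHADOW).items():
        print(f"{user:6} account phase: {status:17} hash-only path proceeds: {hash_only}")
```

Every entry except the locked one passes the hash-only check, while the account phase refuses or flags four of them; that gap is the "layer of security" a hash-only lookup gives up.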