Expired unix system passwords

James Smallacombe up at 3.am
Wed Oct 7 00:42:33 CEST 2009


On Tue, 6 Oct 2009, John Dennis wrote:

> On 10/06/2009 01:56 PM, James Smallacombe wrote:
>> 
>> Has anyone had any luck getting FreeRadius to recognise expired Linux
>> system passwords as defined in /etc/login.defs ? sshd and imapd honor
>> it, but FreeRadius does not. It appears enabled by default...is there
>> anything else that needs to be done on the FreeRadius server config? On
>> the NAS?
>> 
> yes, the distinction between rlm_unix and rlm_pam
>
> rlm_unix bypasses the entire login mechanism and directly reads the shadow 
> file, not only is this a security hazard but because it bypasses all the 
> login checking you lose another layer of security as you've discovered.

Thanks for your response...I had discarded the notion of using pam for 
this because of this warning in the radiusd.conf:

        #  WARNING: On many systems, the system PAM libraries have
        #           memory leaks!  We STRONGLY SUGGEST that you do not
        #           use PAM for authentication, due to those memory leaks.

However, I did just try using this:

Auth-Type = Pam

For a test user, and got this in debug:

[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAM
   WARNING: Unknown value specified for Auth-Type.  Cannot perform requested action.
Failed to authenticate the user.

The module appears enabled in raddb/radiusd.conf and I did put the 
recommended entries into /etc/pam.d/radiusd.

Is there something else?

Thanks again!

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================