Kerberos (krb5) Module Overrides Other Authentication Types . . .

Alan DeKok aland at
Sat Apr 3 17:16:09 CEST 2010

John Dennis wrote:
> Why does rlm_krb5 have behavior seemingly at
> odds with the other types of modules in its family (e.g. those which
> can authenticate given a cleartext password)?

  *some* authentication modules can be listed in "authorize":

	* chap
	* mschap
	* eap

  This is because the *type* of authentication shows up in the packet:

	* CHAP-Password
	* MSCHAP-Challenge / Response
	* EAP-Message

  There is no corresponding attribute for Kerberos.  There is no
corresponding attribute for LDAP.

  On top of that, Kerberos, LDAP, etc. usually work *only* for
User-Password.  And there are many, many such modules.  "Automatically"
choosing one is hard.  If you can edit *anything* to require a
particular authentication back-end, you might as well do it by setting

  Alan DeKok.
