Removing local auth (freeradius server 2.1.9)
Alan DeKok
aland at deployingradius.com
Thu Jun 10 22:55:13 CEST 2010
Martin Richard wrote:
> When starting radiusd -X (yes, I've looked at the output) and testing
> these 2 most simple accounts with radtest, the first one fails while the
> second one works. The difference being that there's a "mrichard" account
> on the box in /etc/passwd while "mrichard2" only exists in radiusd's
> config. Hence the output differences when calling "radtest thelogin
> qwerty localhost 666 testing123" (cut):

As the debug log shows, it's using the Unix password for the user,
rather than the password from the "users" file.

> After a bit of searching I found a reference in the ML archives to
> $confdir/sites-enabled/default and saw "unix" in there with the
> description saying it caches the hashes from /etc/passwd and its
> accompanying shadow.

Not exactly. It looks up the user in /etc/passwd, and if found, adds
the password as the "known good" password.

> I've commented those lines and restarted the
> daemon. Now I get this in the PAP output for both users:
>
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.

Does the "files" module say that they were found in the "users" file?

> I must be missing something rather obvious.. But how can I totally
> disable the lookup of OS accounts?

Delete "unix" from raddb/sites-enabled/default, section "authorize".

Alan DeKok.
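
Added example, not part of the original thread and not FreeRADIUS code: a small check that reports whether "unix" is still active in the "authorize" section of a virtual-server file, ignoring commented lines and the separate "authenticate" section. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample of a virtual-server file (not copied from a real install).
SAMPLE = '''
authorize {
    preprocess
    #  Looks the user up in the system password database
    unix
    files
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    unix
}
'''

def section_modules(text, section):
    """Return the active (uncommented) top-level entries of `section { ... }`."""
    modules, depth, inside = [], 0, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if not inside:
            # Wait for the opening line of the requested section.
            if re.fullmatch(rf'{re.escape(section)}\s*\{{', line):
                inside, depth = True, 1
            continue
        if line.endswith('{'):                   # nested block, e.g. "eap {"
            if depth == 1:
                modules.append(line[:-1].strip())
            depth += 1
        elif line == '}':
            depth -= 1
            if depth == 0:                       # end of the requested section
                break
        elif depth == 1:                         # plain module reference
            modules.append(line)
    return modules

def unix_lookup_enabled(text):
    """True if "unix" would still supply a "known good" password in authorize."""
    return 'unix' in section_modules(text, 'authorize')

if __name__ == '__main__':
    print('authorize:', section_modules(SAMPLE, 'authorize'))
    print('unix lookup enabled:', unix_lookup_enabled(SAMPLE))
```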