Removing local auth (freeradius server 2.1.9)

Alan DeKok aland at
Thu Jun 10 22:55:13 CEST 2010

Martin Richard wrote:
>   When starting radiusd -X (yes, I've looked at the output) and testing
> these 2 most simple accounts with radtest, the first one fails while the
> second one works. The difference being that there's a "mrichard" account
> on the box in /etc/passwd while "mrichard2" only exists in radiusd's
> config. Hence the output differences when calling "radtest thelogin
> qwerty localhost 666 testing123" (cut) :

  As the debug log shows, it's using the Unix password for the user,
rather than the password from the "users" file.

>   After a bit of searching I found a reference in the ML archives to
> $confdir/sites-enabled/default and saw "unix" in there with the
> description saying it caches the hashes from /etc/passwd and its
> accompanying shadow.

  Not exactly.  It looks up the user in /etc/passwd, and if found, adds
the password as the "known good" password.

> I've commented those lines and restarted the
> daemon. Now I get this in the PAP output for both users:
> [pap] WARNING! No "known good" password found for the user. 
> Authentication may fail because of this.

  Does the "files" module say that they were found in the "users" file?

>   I must be missing something rather obvious.. But how can I totally
> disable the lookup of OS accounts ?

  Delete "unix" from raddb/sites-enabled/default, section "authorize"

  Alan DeKok.

More information about the Freeradius-Users mailing list