Authorization with Client PAM Library
Alan DeKok
aland at deployingradius.com
Wed Oct 12 17:18:02 CEST 2011
Evan Huus wrote:
> The problem is that pam_radius_auth (to the best of my knowledge)
> silently ignores any VSAs in the messages it receives. This makes
> sense from its perspective, since PAM is purely for authentication.
Yes. And PAM can't change user authorization or permissions. So I
really have no idea why anyone uses PAM.
> The best solution I've come up with has pam_radius_auth forwarding the
> Access-Accept messages to a configurable port on the local machine.
> Our daemon can then listen on that port and extract the data it needs.
> This solution is very ugly, and I'm hoping that there's a better way
> I'm just not aware of.
>
> Any suggestions or information you can provide are very much appreciated.
If you can figure out how to get PAM to set UID/GID/shell/etc., I'd be
happy.
Alan DeKok.
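
For the daemon described in the quoted message, which would receive forwarded Access-Accept packets and pull out the VSAs, here is an added example (not code from this thread, pam_radius_auth or FreeRADIUS) of a strict parser for Vendor-Specific attributes in the RFC 2865 layout. The vendor number 32473, the sub-attribute numbers and their values are constructed sample data, and the function names are hypothetical.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26   # RFC 2865 packet code and attribute type

def _tlvs(buf, what):
    """Yield (type, value) from 1-byte type / 1-byte length TLVs, strictly."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError(f"truncated {what} header")
        t, l = buf[pos], buf[pos + 1]
        if l < 2 or pos + l > len(buf):   # length counts the 2 header bytes
            raise ValueError(f"bad {what} length")
        yield t, buf[pos + 2:pos + l]
        pos += l

def parse_vsas(packet):
    """Return [(vendor_id, vendor_type, value)] from an Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    if not 20 <= length <= len(packet):
        raise ValueError("bad packet length field")
    out = []
    for atype, value in _tlvs(packet[20:length], "attribute"):
        if atype != VENDOR_SPECIFIC:
            continue                      # skip non-vendor attributes
        if len(value) < 4:
            raise ValueError("VSA too short for Vendor-Id")
        vendor_id = struct.unpack("!I", value[:4])[0]
        out += [(vendor_id, vt, v) for vt, v in _tlvs(value[4:], "sub-attribute")]
    return out

def sample_packet():
    """Constructed Access-Accept; 32473 is the documentation enterprise number."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    subs = attr(1, b"uid=1001") + attr(2, b"/bin/sh")   # hypothetical sub-attributes
    attrs = attr(18, b"welcome") + attr(26, struct.pack("!I", 32473) + subs)
    # Zero authenticator: checking the Response Authenticator needs the shared
    # secret and the Request Authenticator, which this example does not have.
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(parse_vsas(sample_packet()))
```

A daemon that receives packets this way cannot check the Response Authenticator without the shared secret and the original Request Authenticator, so the parsed values are only as trustworthy as the local forwarding path.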