exec module bash script authentication
Alan DeKok
aland at deployingradius.com
Sat Oct 19 15:44:12 CEST 2013
Ahmet Hakan wrote:
> I am new at freeradius (2.1.4)
I'd suggest upgrading, but whatever...
> I am using sql authentication with mysql successfully and
> I want to add a second authentication via bash. (if sql authentication
> fails then check bash authentication)
That's usually bad practice. An authentication reject is a reject.
Trying *another* method is usually wrong. Instead, figure out which
method is supposed to be used, and use that.
Also, using the "exec" functionality will slow the server down.
Especially under load.
> I added file (bashauth) to module directory
>
> exec bashauth {
> wait = yes
> program = "/usr/local/bin/bash /bin/radcheck %{User-Name}
> %{User-Password}"
Huh? Why "/usr/local/bin/bash /bin/radcheck" ? Why not just run
radcheck directly?
And that exposes the password to anyone running "ps".
> then I modified sites-enabled/default
>
> authorize {
> ...
> bashouth
Why are you listing it in the "authorize" section?
> but I can't authenticate user via bash script
>
> radiusd -X output is below.
>
> [bashauth] expand: %{User-Name} -> a
> [bashauth] expand: %{User-Password} -> a
> Exec-Program output:
> Exec-Program: returned: 0
> ++[bashauth] returns ok
> [pap] WARNING! No "known good" password found for the user.
> Authentication may fail because of this.
> ++[pap] returns noop
> No authenticate method (Auth-Type) configuration found for the request:
> Rejecting the user
> Failed to authenticate the user.
The above message is fairly clear.
Perhaps you could try setting Auth-Type := bashauth.
Alan DeKok.
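
Added example (not part of the original message and not FreeRADIUS project code): a sketch of the check script that avoids the "ps" exposure noted above by reading the credentials from the environment instead of from its arguments. It assumes the exec module exports request attributes as environment variables (USER_NAME, USER_PASSWORD) when input_pairs = request is set; the user table and the unsalted SHA-256 comparison are constructed stand-ins for a real backend.

```shell
#!/bin/sh
# Added example: /bin/radcheck rewritten to take nothing on its command line.
# Assumed module config (no password in "program"):
#   exec bashauth {
#       wait = yes
#       program = "/bin/radcheck"
#       input_pairs = request
#   }
# Assumption: rlm_exec exports the request attributes as environment
# variables (User-Name -> USER_NAME, User-Password -> USER_PASSWORD) and
# may wrap string values in double quotes.

# Constructed table, "name:sha256(password)". The single entry is user "a"
# with password "a", as in the debug output. Stand-in for a real backend.
USER_TABLE='a:ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb'

# Remove one pair of surrounding double quotes, if present.
strip_quotes() {
    v=$1
    case $v in
        \"*\") v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# Return 0 (accept) only when both values are present and match the table.
check_credentials() {
    user=$(strip_quotes "${USER_NAME-}")
    pass=$(strip_quotes "${USER_PASSWORD-}")
    [ -n "$user" ] && [ -n "$pass" ] || return 1
    # printf is a shell builtin: the password reaches sha256sum on stdin
    # and never appears in any process's argument list.
    digest=$(printf '%s' "$pass" | sha256sum | cut -d' ' -f1)
    # Compare with shell builtins only, so nothing leaks through argv here.
    while IFS=: read -r name hash; do
        [ "$name" = "$user" ] && [ "$hash" = "$digest" ] && return 0
    done <<EOF
$USER_TABLE
EOF
    return 1
}

# Act as the exec program only when installed under the name "radcheck";
# under any other file name the functions are just defined.
case ${0##*/} in
    radcheck) check_credentials; exit $? ;;
esac
```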