exec module bash script authentication

Ahmet Hakan ahmetha at outlook.com
Sat Oct 19 23:36:18 CEST 2013


> Alan DeKok wrote:
> > I am using sql authentication with mysql successfuly and
> > I want to add second authentication via bash. (if sql authentication
> > fail then check bash authentication)
> 
>   That's usually bad practice.  An authentication reject is a reject.
> Trying *another* method is usually wrong.  Instead, figure out which
> method is supposed to be used, and use that.

I have separate databases (MySQL, LDAP and Microsoft SQL),
so I need multiple authentication.
Is multiple authentication possible in FreeRADIUS? If yes, how?
 
> > I added file (bashauth) to module directory  
> >  
> > exec bashauth {
> >     wait = yes
> >     program = "/usr/local/bin/bash /bin/radcheck %{User-Name}
> > %{User-Password}"
> 
>   Huh?  Why "/usr/local/bin/bash /bin/radcheck"  ?  Why not just run
> radcheck directly?
> 
>   And that exposes the password to anyone running "ps".

I corrected it.
The server is a single-user system; no other users exist.
 
> 
>   Perhaps you could try setting Auth-Type := bashauth.
 
In which section must I define this setting?
 
I defined it in the users file:
DEFAULT Auth-Type := "bashauth"
but it overrides MySQL authentication.
 
Best Regards,
 
Ahmet Hakan
 
> 
> Ahmet Hakan wrote:
> > I am new at freeradius (2.1.4) 
> 
>   I'd suggest upgrading, but whatever...
> 
> > I am using sql authentication with mysql successfuly and
> > I want to add second authentication via bash. (if sql authentication
> > fail then check bash authentication)
> 
>   That's usually bad practice.  An authentication reject is a reject.
> Trying *another* method is usually wrong.  Instead, figure out which
> method is supposed to be used, and use that.
> 
>   Also, using the "exec" functionality will slow the server down.
> Especially under load.
> 
> > I added file (bashauth) to module directory  
> >  
> > exec bashauth {
> >     wait = yes
> >     program = "/usr/local/bin/bash /bin/radcheck %{User-Name}
> > %{User-Password}"
> 
>   Huh?  Why "/usr/local/bin/bash /bin/radcheck"  ?  Why not just run
> radcheck directly?
> 
>   And that exposes the password to anyone running "ps".
> 
> > then I modified sites-enabled/default
> >  
> > authorize {
> > ...
> > bashauth
> 
>   Why are you listing it in the "authorize" section?
> 
> > but I cant authenticate user via bash script
> >  
> > radiusd -X output is below.
> >  
> > [bashauth]      expand: %{User-Name} -> a
> > [bashauth]      expand: %{User-Password} -> a
> > Exec-Program output:
> > Exec-Program: returned: 0
> > ++[bashauth] returns ok
> > [pap] WARNING! No "known good" password found for the user. 
> > Authentication may fail because of this.
> > ++[pap] returns noop
> > No authenticate method (Auth-Type) configuration found for the request:
> > Rejecting the user
> > Failed to authenticate the user.
> 
>   The above message is fairly clear.
> 
>   Perhaps you could try setting Auth-Type := bashauth.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
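The two concrete problems raised in the thread are that the debug output ends with "No authenticate method (Auth-Type) configuration found" and that passing `%{User-Password}` on the command line shows the cleartext to anyone running `ps`. The script below is an added example written for this page; it is not the poster's `radcheck` and not part of FreeRADIUS. It assumes the exec module is configured with `wait = yes`, `input_pairs = request` and a `program` line carrying no attribute arguments, so that rlm_exec exports the request attributes to the child as environment variables (`USER_NAME`, `USER_PASSWORD`), and that the `authenticate` section contains an `Auth-Type bashauth { bashauth }` block, which is what the `Auth-Type := bashauth` setting selects. The credential file path, the two sample users and their salts are constructed for the example; rlm_exec maps exit status 0 to `ok` and 1 to `reject`, as the "returned: 0 / returns ok" lines in the debug output show.

```shell
#!/bin/sh
# Added example: an rlm_exec authentication helper that reads the credentials
# from the environment instead of argv, so the password never appears in `ps`.
set -u

# Hypothetical credential store, format:  user:salt:sha256hex(salt||password)
# A deployment would keep this root-owned and readable only by the radiusd user.
CREDFILE=/etc/raddb/radcheck.db

# hash_pw SALT PASSWORD -> prints the hex SHA-256 of SALT||PASSWORD
hash_pw() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s%s' "$1" "$2" | sha256sum | cut -d' ' -f1
    else
        printf '%s%s' "$1" "$2" | shasum -a 256 | cut -d' ' -f1
    fi
}

# radcheck_verify NAME PASSWORD CREDFILE -> status 0 (accept) or 1 (reject)
# Nothing is written to stdout on purpose: rlm_exec parses the child's stdout
# as attribute pairs, so stray output would land in the reply.
radcheck_verify() {
    name=$1; pw=$2; credfile=$3
    # Reject empty names and names containing the field separator before lookup.
    case "$name" in ''|*:*) return 1 ;; esac
    # Exact match on the first field via awk; avoids regex metacharacters in $name.
    line=$(awk -F: -v u="$name" '$1 == u { print; exit }' "$credfile" 2>/dev/null)
    [ -n "$line" ] || return 1
    salt=$(printf '%s' "$line" | cut -d: -f2)
    stored=$(printf '%s' "$line" | cut -d: -f3)
    computed=$(hash_pw "$salt" "$pw")
    # Shell string comparison is not constant-time; acceptable for a demo,
    # a production helper would delegate to a proper password library.
    [ "$computed" = "$stored" ]
}

# make_demo_credfile -> prints the path of a temporary file with two
# constructed users (alice / "correct horse", bob / "hunter2").
make_demo_credfile() {
    f=$(mktemp)
    printf '%s:%s:%s\n' alice s4lt1 "$(hash_pw s4lt1 'correct horse')" >"$f"
    printf '%s:%s:%s\n' bob   s4lt2 "$(hash_pw s4lt2 'hunter2')"       >>"$f"
    chmod 600 "$f"
    printf '%s\n' "$f"
}

# Entry point when radiusd runs this script: with input_pairs = request the
# attributes arrive as USER_NAME / USER_PASSWORD in the environment.
if [ -n "${USER_NAME:-}" ]; then
    radcheck_verify "$USER_NAME" "${USER_PASSWORD:-}" "$CREDFILE"
    exit $?
fi
```

Run by hand as `USER_NAME=alice USER_PASSWORD='correct horse' ./radcheck; echo $?` against a credential file built with `make_demo_credfile`, the script exits 0 for a matching pair and 1 otherwise, which is all rlm_exec needs to turn the result into `ok` or `reject`.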