Ignore privileged users in PAM_RADIUS auth
bruisebrotherprobert at gmail.com
Wed May 14 20:43:15 CEST 2014
I'm developing PAM policy for a server in which my organization doesn't
have control of the RADIUS infrastructure. This particular system is using
the RADIUS PAM module only for authentication purposes -- an account must
be present on the system in order for a login to be successful.

The users of this system must never have access to two accounts -- one
we'll call 'system', the other is 'root'. The PAM configuration has
'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a
RADIUS administrator adds an account for 'root' or 'system' in the RADIUS
infrastructure, the user will then get unauthorized "root" or "system"

Has anyone on the list encountered a similar issue? After inspecting the
RADIUS PAM module code, it appears that there aren't any hooks for
disabling RADIUS auth for certain users. This appears to be a rather
trivial feature to implement; if I add this functionality to the module, is
there any interest in my patch? Any other ideas?
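
One way to get the behaviour asked about above without patching the module, shown as an added example that is not part of the original post or of the RADIUS PAM module's own documentation. It assumes Linux-PAM with `pam_succeed_if.so` installed; the service file name and the module file name `pam_radius_auth.so` are assumptions about the local setup.

```conf
# /etc/pam.d/sshd -- auth stack only (file name is an assumption)

# --- Stack as described in the post (weak) -------------------------------
# RADIUS is 'sufficient' and runs first, so an Access-Accept for the name
# 'root' or 'system' ends the auth stack with success before pam_unix runs.
#
# auth  sufficient  pam_radius_auth.so
# auth  required    pam_unix.so

# --- Hardened stack -------------------------------------------------------
# 1. If the login name is root or system, pam_succeed_if returns success and
#    [success=1] jumps over the next one module (the RADIUS module).
#    For every other name the test fails and default=ignore leaves the
#    stack result untouched, so processing continues at line 2.
auth  [success=1 default=ignore]  pam_succeed_if.so  quiet user in root:system

# 2. Reached only for names other than root/system: RADIUS, still
#    'sufficient' as in the original policy.
auth  sufficient                  pam_radius_auth.so

# 3. Local Unix authentication. For root and system this is the only module
#    that can grant access, whatever accounts exist on the RADIUS side.
auth  required                    pam_unix.so
```

The jump count is positional: if another module is inserted between lines 1 and 2, `success=1` has to be raised to match, otherwise the protected names reach the RADIUS module again.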