Ignore privileged users in PAM_RADIUS auth

Bob Probert bruisebrotherprobert at gmail.com
Wed May 14 20:43:15 CEST 2014


Hello all,

I'm developing a PAM policy for a server in which my organization doesn't
have control of the RADIUS infrastructure. This particular system is using
the RADIUS PAM module only for authentication purposes -- an account must
be present on the system in order for a login to be successful.

The users of this system must never have access to two accounts -- one
we'll call 'system', the other is 'root'. The PAM configuration has
'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a
RADIUS administrator adds an account for 'root' or 'system' in the RADIUS
infrastructure, the user will then get unauthorized "root" or "system"
access.

Has anyone on the list encountered a similar issue? After inspecting the
RADIUS PAM module code, it appears that there aren't any hooks for
disabling RADIUS auth for certain users. This appears to be a rather
trivial feature to implement. If I add this functionality to the module, is
there any interest in my patch? Any other ideas?

Thanks!
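A simplified model of the concern raised in the message above, added here as an example and not part of the original post or of the pam_radius code: it walks the described stack (RADIUS `sufficient` ahead of Unix auth) and a variant that assumes a preceding `pam_succeed_if` rule to skip RADIUS for 'root' and 'system'. The credential tables, stack strings and helper functions are constructed for illustration; only the `sufficient`, `required` and `[success=N default=ignore]` controls are modelled.

```python
import re

# Constructed sample data: the remote RADIUS admin has added a 'root' entry.
RADIUS_DB = {"alice": "radius-pw", "root": "rogue-pw"}
LOCAL_DB = {"alice": "local-pw", "root": "local-root", "system": "local-sys"}

WEAK = """\
auth sufficient pam_radius_auth.so
auth required   pam_unix.so
"""
# Assumed mitigation: pam_succeed_if jumps over pam_radius_auth for listed users.
HARDENED = """\
auth [success=1 default=ignore] pam_succeed_if.so quiet user in root:system
auth sufficient pam_radius_auth.so
auth required   pam_unix.so
"""
LINE = re.compile(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def run_module(module, args, user, password):
    """Stand-in for the real modules; returns True for PAM_SUCCESS."""
    if module == "pam_radius_auth.so":
        return (user, password) in RADIUS_DB.items()
    if module == "pam_unix.so":
        return (user, password) in LOCAL_DB.items()
    if module == "pam_succeed_if.so":  # only 'user in a:b:c' is modelled
        cond = [a for a in args.split() if a != "quiet"]
        return cond[:2] == ["user", "in"] and user in cond[2].split(":")
    raise ValueError(f"unmodelled module: {module}")

def authenticate(stack, user, password):
    """Walk the auth stack; return (granted, module that granted access)."""
    lines = [m.groups() for m in map(LINE.match, stack.splitlines()) if m]
    failed, granted_by, i = False, None, 0
    while i < len(lines):
        control, module, args = lines[i]
        ok = run_module(module, args, user, password)
        i += 1
        if control.startswith("["):  # only success=N default=ignore is modelled
            if ok:
                i += int(re.search(r"success=(\d+)", control).group(1))
        elif control == "sufficient":
            if ok and not failed:
                return True, module
        elif control == "required":
            if ok:
                granted_by = granted_by or module
            else:
                failed = True
    granted = not failed and granted_by is not None
    return granted, granted_by if granted else None
```

In the hardened variant 'root' and 'system' can still authenticate against the local password database; only the RADIUS path is closed for them.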