Ignore privileged users in PAM_RADIUS auth

Bob Probert bruisebrotherprobert at gmail.com
Wed May 14 22:09:26 CEST 2014

Thanks Eero and Alan, this is exactly the information I was looking for.

I had a feeling that a new "feature" wasn't going to be necessary, thanks
for the confirmation.

On Wed, May 14, 2014 at 12:05 PM, Eero Volotinen <eero.volotinen at iki.fi>wrote:

> this is pam related configuration..
> take look of this example:
> # Prevent the following 1 rule from applying to root
>  auth [default=1 success=ignore] pam_succeed_if.so uid > 0
>  # Configure PAM to use RADIUS with possible to local fallback, only if radius/proxy
> server is down..
>  auth [success=done new_authtok_reqd=done ignore=ignore default=die]
> pam_radius_auth.so localifdown
> 2014-05-14 21:43 GMT+03:00 Bob Probert <bruisebrotherprobert at gmail.com>:
>> Hello all,
>> I'm developing PAM policy for a server in which my organization doesn't
>> have control of the RADIUS infrastructure. This particular system is using
>> the RADIUS PAM module only for authentication purposes -- an account must
>> be present on the system in order for a login to be successful.
>> The users of this system must never have access to two accounts -- one
>> we'll call 'system' the other is 'root'. The PAM configuration has
>> 'PAM_RADIUS auth sufficient' prior to Unix auth. I'm concerned that if a
>> RADIUS administrator adds an account for 'root' or 'system' in the RADIUS
>> infrastructure, the user will then get unauthorized "root" or "system"
>> access.
>> Has anyone on the list encountered a similar issue? After inspecting the
>> RADIUS PAM module code, it appears that there aren't any hooks for
>> disabling RADIUS auth for certain users. This appears to be a rather
>> trivial feature to implement, if I add this functionality to the module, is
>> there any interest in my patch? Any other ideas?
>> Thanks!
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20140514/9fbe0be4/attachment.html>

More information about the Freeradius-Users mailing list