ntlm remotely ? - too much to...

Alan DeKok aland at deployingradius.com
Fri Jun 17 15:43:08 CEST 2016


> On Jun 17, 2016, at 9:29 AM, lejeczek via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> ... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much?

  Don't use PAM.  It's intended for applications to do user authentication... once.

  Maybe they've fixed it, but PAM used to leak memory like crazy when FreeRADIUS used it for repeated authentication.

  And whatever PAM can do for authentication... FreeRADIUS can do better.  And simpler.  And more controlled.

  PAM stands for "pluggable authentication modules".  Well, FreeRADIUS is an authentication server.  And FreeRADIUS has pluggable modules.  And FreeRADIUS has "unlang", and a configuration which is infinitely more flexible than PAM.

  The only reason to use PAM is when you need to use a proprietary authentication plugin that is only supplied via PAM.  And even then, it's only good for PAP authentication.

  PAM doesn't do CHAP, MS-CHAP, EAP, or any other authentication method.

  Don't use PAM.

  Alan DeKok.



