ntlm remotely ? - too much to...

Mike Ely me at mikeely.org
Fri Jun 17 17:56:39 CEST 2016

On 06/17/2016 06:43 AM, Alan DeKok wrote:
>> On Jun 17, 2016, at 9:29 AM, lejeczek via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> ... ask of a radius server? To authenticate with a non-local, a remote ntlm/winbind ? Too much?
>    Don't use PAM.  It's intended for applications to do user authentication... once.
>    Maybe they've fixed it, but PAM used to leak memory like crazy when FreeRADIUS used it for repeated authentication.
>    And whatever PAM can do for authentication... FreeRADIUS can do better.  And simpler.  And more controlled.
>    PAM stands for "pluggable authentication modules".  Well, FreeRADIUS is an authentication server.  And FreeRADIUS has pluggable modules.  And FreeRADIUS has "unlang", and a configuration which is infinitely more flexible than PAM.
>    The only reason to use PAM is when you need to use a proprietary authentication plugin that is only supplied via PAM.  And even then, it's only good for PAP authentication.
>    PAM doesn't do CHAP, MS-CHAP, EAP, or any other authentication method.
>    Don't use PAM.
I think you were answering my thread, based on context. I'm not sold on 
PAM, just surprised and slightly frustrated at the fact that (as of my 
Googling thus far) there doesn't appear to be a Perl module capable of 
handling MS-CHAP authentication (on the NAS side - we're already using 
rlm_perl to good effect on the radius server). I've got winbind running 
over PAP from the wiki example, and that'll just have to do for now.
