Overriding a Crypt-Password with a Cleartext-Password in FR 3.x

Bjørn Mork bjorn at mork.no
Tue Jun 6 15:12:12 CEST 2017

I recently upgraded from FR 2.2.5 to FR 3.0.12 as part of an upgrade
from Debian jessie to stretch.  The config had to be migrated manually,
which went mostly without problems.

But there was one config pattern I have been unable to figure out how to
handle in FR 3.x:

I use the unix module to load crypt passwords for a few system
users. But there are also some unix users without any Unix password,
which should exist as RADIUS users. "no Unix password" means that the
users have a /etc/shadow entry which cannot be matched. So I need to
ignore the Crypt-Password attribute for these users.

In FR 2.x I explicitly set the Auth-Type to forcibly ignore the invalid
Crypt-Password, like this:

 luser  Cleartext-Password := "foo", Auth-Type := Local

But FR 3.x refused to accept Auth-Type "Local". So I tried to modify the
entry to

 luser  Cleartext-Password := "foo"

in the hope that the pap module would be smart enough to figure out that
the Cleartext-Password should override the invalid Crypt-Password.  It
was not.

Being unable to figure out the smart way, I just took the simple route
out by doing

 luser  User-Password == "foo", Auth-Type := Accept

But this is a bit ugly and rightfully causes warnings like

 Tue Jun  6 15:05:03 2017 : Warning: Found User-Password == "..."
 Tue Jun  6 15:05:03 2017 : Warning: Are you sure you don't mean Cleartext-Password?
 Tue Jun  6 15:05:03 2017 : Warning: See "man rlm_pap" for more information

so I'd really like to figure out a better way.  Is there a smart way to
override a Crypt-Password per user in FR 3.x?  I guess I could generate
crypted passwords from the cleartext passwords and simply override
Crypt-Password in the users file.  But that does not seem much nicer
than the current User-Password match to me.  What I really want is to be
able to say "use this Cleartext-Password no matter what".
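
One way to express "use this Cleartext-Password no matter what" in FR 3.x unlang, added here as an illustration and not part of the original post or of the FreeRADIUS default configuration. It assumes the stock module instance names `unix`, `files` and `pap` and that the users file keeps the plain `luser  Cleartext-Password := "foo"` entry.

```unlang
# Sketch of an authorize section (for example in sites-enabled/default).
# Assumption: the stock module instances "unix", "files" and "pap" are used.
authorize {
	# Loads Crypt-Password into the control list from /etc/shadow.
	unix

	# users file; the entry stays as:
	#   luser  Cleartext-Password := "foo"
	files

	# If the users file supplied a Cleartext-Password, delete every
	# Crypt-Password from the control list so that only the cleartext
	# value is left for pap to compare against.
	if (&control:Cleartext-Password) {
		update control {
			&Crypt-Password !* ANY
		}
	}

	# Sets Auth-Type to PAP when a known-good password is present.
	pap
}
```

Running the server with `radiusd -X` shows in the debug output which password attribute pap ends up comparing against for a given request.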

