Is it possible to use CHAP authentication with pam_radius?
Dan Swartzendruber
dswartz at druber.com
Thu Sep 26 19:06:02 CEST 2019
I'm trying to implement external authentication for an appliance running
CentOS 7. My research turned up the easiest solution as simply
installing pam_radius from the repository. I did, and it works just
fine (tested against a Freeradius 3.0 server with a single test user.)
Running freeradius with '-X' indicates that it is using PAP:
(0) User-Name = "XXX"
(0) User-Password = "XXX"
(0) NAS-IP-Address = XXX.XXX.XXX.XXX
(0) NAS-Identifier = "sshd"
(0) NAS-Port = 15050
(0) NAS-Port-Type = Virtual
(0) Service-Type = Authenticate-Only
...
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0) [pap] = ok
(0) } # Auth-Type PAP = ok
For security reasons, I'd really like to use CHAP instead, but it
doesn't seem to support that? The man pages and such don't mention
CHAP. I went as far as downloading 1.4.0 and extracting the tarball and
looking at the code. User-Password is Radius attribute 2, and looking
at the source:
0 radius.h <global> 71 #define PW_PASSWORD 2
and
1 pam_radius_auth.c add_password 541 attr = find_attribute(request, PW_PASSWORD);
2 pam_radius_auth.c add_password 543 if (type == PW_PASSWORD) {
3 pam_radius_auth.c build_radius_packet 721 add_password(request, PW_PASSWORD, password, conf->server->secret);
4 pam_radius_auth.c build_radius_packet 727 add_password(request, PW_PASSWORD, "", conf->server->secret);
5 pam_radius_auth.c talk_radius 975 add_password(request, PW_PASSWORD, password, old_password);
6 pam_radius_auth.c talk_radius 978 add_password(request, PW_PASSWORD, password, server->secret);
Am I missing something? Or am I out of luck? Thanks!
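
Added example (not part of the original post, and not pam_radius or FreeRADIUS code): the two RFC 2865 encodings at issue, the User-Password attribute (type 2) that the add_password calls listed above fill in, and the CHAP-Password attribute (type 3) the post asks about. The secret, password and authenticator are constructed sample values, and the function names are illustrative.

```python
import hashlib
import hmac

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: User-Password (attribute 2) as sent for PAP."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    size = max(16, -(-len(password) // 16) * 16)   # pad to a 16-octet multiple
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev                                 # each block chains on the last
    return out

def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does: the same masks undo the XOR, yielding cleartext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 5.3: CHAP-Password (attribute 3) = ident + MD5 digest."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest

def verify_chap(attr: bytes, stored_cleartext: bytes, challenge: bytes) -> bool:
    """Server side: recompute from the stored cleartext and compare."""
    if len(attr) != 17:
        return False
    return hmac.compare_digest(attr, chap_password(attr[0], stored_cleartext, challenge))

if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    secret, password = b"example-shared-secret", b"correct horse battery"
    authenticator = bytes(range(16))      # fixed here; random per request in practice
    hidden = hide_user_password(password, secret, authenticator)
    print("PAP  attr 2:", hidden.hex())
    print("server sees:", recover_user_password(hidden, secret, authenticator))
    attr = chap_password(7, password, authenticator)
    print("CHAP attr 3:", attr.hex(), verify_chap(attr, password, authenticator))
```

With PAP the server recovers the cleartext using the shared secret, so it can check it against any stored hash format. CHAP never sends the password, but the server must hold the cleartext to recompute the digest.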