trying to override the pam_auth attribute
Alan DeKok
aland at deployingradius.com
Wed Aug 25 03:27:35 CEST 2021
> On Aug 24, 2021, at 9:09 PM, Jonathan Davis <jonathan at prioritycolo.com> wrote:
>
> On 2021-08-24 7:21 p.m., Alan DeKok wrote:
>> How? What did you do?
>
> Looking at mods-enabled/pam I added in following the same syntax: pam_auth = radiusd2
That doesn't tell me a lot.
> I also tried:
>
> pam {
>
> pam_auth = radiusd2
>
> }
>
> But that gave me the error that "pam" modules aren't allowed in 'authorize' sections -- they have no such method.
So... you added random text to the configuration files. No, that won't work.
>> So... what's on line 329 of the file /etc/freeradius/3.0/sites-enabled/default?
>
> pam_auth = radiusd2
Nothing in the documentation says to do that.
> When I look in man unlang I'm reading a lot on comparisons and logic statements, and don't fully understand the attributes assignment section, as in the example:
>
> Attribute-Reference = value
>
> That is what I thought I was doing? In the authentication section, where I match the Auth-Type I want, I've tried the following with no luck:
>
> update request {
> pam_auth = radiusd2
> }
That's a bit better.
> Error: Unknown attribute 'pam_auth'
Because the docs say "Pam-Auth". Not "pam_auth".
> update request {
> pam-auth = radiusd2
> }
>
> No error but I see it's using /etc/pam.d/radiusd instead of /etc/pam.d/radiusd2
> "-> (0) pam: Using pamauth string "radiusd" for pam.conf lookup"
>
> Which led me to trying to update the pamauth string (even if in pam.conf it's set with pam_auth)
>
> update request {
> pamauth = radiusd2
> }
> Error: Unknown attribute 'pamauth'
So trying random things. This is very much not going to work.
> Tried the above with just update { } to similar errors. Also tried:
>
> pam {
> pam_auth = radiusd2
> }
>
> pam {
> pamauth = radiusd2
> }
>
> Error: Unknown action 'radiusd2' Failed to parse "pam" subsection.
>
> I have read some documentation :) As this is the comment:
>
> # Note that any Pam-Auth attribute set in the 'authorize'
Note "Pam-Auth". Not "pam_auth" or "pamauth" or anything else.
Please follow the docs. Things are likely to work a lot better.
> # section will over-ride this one.
>
> So I mean, full circle, what am I missing from trying to set a Pam-Auth attribute in authorize? I'm very willing to eat humble pie if I've missed how to do this in the docs (
So you can use "Pam-Auth" here. Why not try it in the configuration files?
Alan DeKok.
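
An added configuration sketch of the override discussed in this message; it is not part of the original post or of the FreeRADIUS documentation. It assumes FreeRADIUS 3.0, where rlm_pam looks up Pam-Auth in the control list rather than the request list, and it reuses the service name "radiusd2" from the thread.

```unlang
# sites-enabled/default (FreeRADIUS 3.0 layout, as in the thread)

authorize {
	# ... existing modules stay as they are ...

	# "pam_auth" is the module's configuration option in mods-enabled/pam.
	# The attribute that overrides it per request is named "Pam-Auth".
	#
	# Assumption: rlm_pam reads Pam-Auth from the control list, so an
	# "update request" block parses cleanly but leaves the PAM service
	# name unchanged.
	update control {
		Pam-Auth := "radiusd2"
	}
}

authenticate {
	# ... existing Auth-Type entries stay as they are ...

	# The pam module only has an authenticate method, which is why
	# calling "pam { ... }" from authorize is rejected.
	pam
}
```

Running the server in debug mode and checking the "Using pamauth string" line quoted above confirms which file under /etc/pam.d/ is actually consulted.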