Having trouble with "passwd" authentication

Matthew Newton mcn at freeradius.org
Fri Oct 15 19:16:48 CEST 2021

On 15/10/2021 17:39, Darcy Boese wrote:
> So I have installed a completely fresh freeradius 3.0 server, and
> after a lot of tinkering and quite a bit of hair-pulling, I managed to
> get it into a state where it will authenticate usernames and passwords
> against the /etc/radius/shadow file.

Sounds good.

> To get that far, I'd modified the "mods-enabled/passwd" to read:
> passwd shadow {
>          filename = /etc/radius/shadow
>          format = "*User-Name:Crypt-Password:"
>          hash_size = 100
>          ignore_nislike = no
>          allow_multiple_keys = no
> }
> and in the "sites-available/default" file where it listed "unix"
> (approx line 400 in the "authorize" section) I listed "shadow"
> instead. Easy peasy, so to speak.
OK. So that will look up the full User-Name attribute in the shadow 
file, and extract Crypt-Password.

> But there's still one major hitch that I cannot seem to get straight.
> Getting authentication to work when the username has an attached
> "realm" is failing, and I'm utterly boggled for now as to where or
> what I need to change, because it's totally different from the old but
> still-plugging-along server.
> So this works:
> radtest <username> <password> localhost 5000 testing123
> but this fails:
> radtest <username at domain> <password> localhost 5000 testing123
> As far as I can gather, there's no "nostrip" option enabled anywhere,
> yet the realm isn't being stripped before being matched via the passwd
> module.

As you realise, you need to strip the realm off before looking up the 
account in the shadow file.

There's several ways to do it.

If they are known realms, and you want to reject all else, then you can 
add them to the proxy.conf, e.g.

   realm example1.com {

   realm example2.com {

and then make sure you call 'suffix' before you call 'shadow'. That will 
give you two new attributes, 'Stripped-User-Name', and 'Realm'.

Alternatively, call 'split_username_nai', again before 'shadow'. That is 
a standard policy (from policy.d/canonicalization) which will use a 
regex to split User-Name into 'Stripped-User-Name' and 

Both of these will mean you need to update your passwd config to use 
'Stripped-User-Name' instead of 'User-Name'.

If you actually care about what the realm is, rather than just discard 
it, then you'd need to do something else such as put that in the shadow 
file - but I get the impression that you just want it removed.


More information about the Freeradius-Users mailing list