
Re: PPP + RADIUS authentication using PAM

On Wed, 1 Nov 2000, The Big Guy wrote:

>> How do you see PAM being useful in your configuration?  It's possible that
>> PAM may be useful at some stage of this process, but I don't see where.

> PAM's useful in this area when you consider that you've got PHP, MySQL,
> Apache, Squid and PPPd all configured for PAM, and then you want to cast the
> box "out there" somewhere.  It leaves ample room for all applications to be
> configured against the same authing mechanism with minimal effort - this is
> particularly relevant when the box could change authentication (i.e., from
> Radius to Tacacs .. or worst case - to NT's SMB auth).

The problem here is that the poster explicitly stated this needed to work with
PPP CHAP authentication.  That means that it WON'T work with pam_pwdb,
pam_unix, pam_kerberos, pam_ntdom, pam_userdb, or any other PAM module that
backends onto a user database where passwords are stored in encrypted form.  I
would be surprised if pam_ldap worked at all, and pam_radius_auth will only
work if talking to a Radius server that supports CHAP -- which rules out most
of the Radius servers that run under Unix.  And that pretty much takes me to
the end of the list of PAM authentication modules that I can think of.  Unless
you have PHP, MySQL, Apache, Squid, and pppd all configured for PAM and using
a module /other/ than the above, one which uses a cleartext password database,
then you don't gain any interoperability at all by introducing PAM into the
above equation.

Steve Langasek
postmodern programmer
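
Added example, not part of the original message: the CHAP-MD5 check from RFC 1994 in Python, showing why an authenticator that holds only a one-way password hash cannot validate a CHAP response, while one holding the cleartext secret can. The PBKDF2 hash is an assumed stand-in for a crypt-style password store, and the password, identifier and challenge are constructed sample values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def hash_password(password: bytes, salt: bytes) -> bytes:
    """One-way store (assumption: PBKDF2 standing in for crypt-style hashes)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def verify_chap_cleartext(secret, identifier, challenge, response) -> bool:
    # The authenticator recomputes the digest from the cleartext secret.
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def verify_chap_hashed(stored_hash, identifier, challenge, response) -> bool:
    # With only a one-way hash on file, the hash is the only "secret" the
    # authenticator can feed in, and it never matches the peer's digest.
    expected = chap_response(identifier, stored_hash, challenge)
    return hmac.compare_digest(expected, response)


def verify_pap_hashed(stored_hash, salt, submitted_password) -> bool:
    # PAP sends the password itself, so a hashed store can re-hash and compare.
    return hmac.compare_digest(hash_password(submitted_password, salt), stored_hash)


def demo(password: bytes = b"correct horse") -> dict:
    salt = os.urandom(16)            # constructed sample values throughout
    stored_hash = hash_password(password, salt)
    identifier, challenge = 7, os.urandom(16)
    response = chap_response(identifier, password, challenge)  # peer side
    return {
        "chap_cleartext_store": verify_chap_cleartext(password, identifier, challenge, response),
        "chap_hashed_store": verify_chap_hashed(stored_hash, identifier, challenge, response),
        "pap_hashed_store": verify_pap_hashed(stored_hash, salt, password),
    }


if __name__ == "__main__":
    for backend, accepted in demo().items():
        print(f"{backend}: {'accepted' if accepted else 'rejected'}")
```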
