
Re: Pam and radius


I'm really new to this list so please excuse me if I say anything

We would also like to use RADIUS for authentication, but I have a few
questions about PAM, specifically about module writing.

Basically we'd like to not have an /etc/passwd file, or have a very
truncated one. We'd like to make all enquiries for authentication to be via
the network to a central server... but we don't want to use NIS.

I've looked through the volumes of documentation but couldn't access the
actual DCE-RFC document (from the web pages at parc.power.net). So here are
my questions!

I can't work out where the user ID and group ID(s) are supposed to be set
by PAM. In fact, from reading the pam_unix*.c and login.c code it seems to
me that it's still the application's responsibility to determine a numeric
UID and GID(s)... which seems quite strange to me. Is there a standard way
my PAM module can be asked to set the UID and GID(s) of the user to be
authenticated? I understand there has been substantial debate about this so
a pointer to the discussions would be great. I can't see how PAM can work
without being able to setuid() or tell the calling application the UID/GIDs
of the user, so I figure I may just have missed something here.

Also, I don't know how I can simply test for the existence of a user (i.e.,
without a password). Would this be done by a pam module which authenticates
the user if s/he simply exists, and otherwise permits access? My question
here relates specifically to e-mail delivery - if I want to use PAM to
verify the existence of a user without requiring a password, then I suppose
I would just make that configuration by setting up /etc/pam.conf.

> We have it working here with authentication against the Merit daemon. The
> Merit daemon is very very dodgy code. Unfortunately it doesn't look like
> it's going to be releasable (the module relies on our own rather
> modified version of the Merit code.)

The Merit code is very dodgy... I'm pleased to see someone else thinks so
too! I am playing with the idea of a Java-based RADIUS server... that's
quite off-topic but if anyone's interested I'd like to hear from you.
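As an added illustration (not from the original message or anyone in the thread), the following /etc/pam.conf entries show how the two questions in the message map onto a PAM configuration; it assumes a current Linux-PAM with pam_unix.so and a hypothetical mail-delivery service name "maildeliver".

```conf
# Added example, not part of the original message.
# Format: service  type  control  module-path  [arguments]
# The service name is whatever the calling program passes to pam_start(3);
# "maildeliver" is a hypothetical name chosen for this example.

# Existence check without a password: the mail delivery agent never calls
# pam_authenticate(), so no "auth" lines are needed. It calls pam_acct_mgmt(),
# which runs only the "account" stack. pam_unix's account check returns
# PAM_USER_UNKNOWN when the user does not exist, so "does this user exist?"
# is answered by the account stack alone.
maildeliver  account   required   pam_unix.so

# For comparison, an interactive login service. PAM verifies the password
# (auth) and the account's validity (account), but it does not set the
# UID/GID: after pam_acct_mgmt() succeeds the application itself looks up
# the numeric UID and GIDs with getpwnam(3)/initgroups(3) and then calls
# setgid()/setuid() before running the user's shell.
login        auth      required   pam_unix.so
login        account   required   pam_unix.so
login        session   required   pam_unix.so
```

Because the check is done in the "account" stack, an unknown user is refused without any password prompt being shown, which is the behaviour a delivery agent wants.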

