
Re: pamifying a RADIUS daemon - help



> I've been planning to PAMify a radius daemon, that is to make it use
> PAM to decide whether the requests it accepts should be approved
> instead of accessing /etc/passwd directly.

There is a pamified radiusd -- a pamification of Christian's mods to the
livingston radiusd... As the cistron radiusd, if I remember, is also
derived from the livingston source, perhaps those patches wouldn't be too
hard to make work....

> 
> My ultimate goal with this is to write a PAM module which will access
> a relational database (probably MySQL) in order to fetch both the
> encrypted passwords and permissions based on time-of-day and number of
> concurrent logins.

Hmm... a database backend sounds cool... but, perhaps you should think
about writing a couple modules:

1) One that can get usernames and passwords out of MySQL and do the
various pam functions, using MySQL
2) A time-of-day module, except that I think this already exists
3) A concurrent login module, which I don't think exists but should, IMHO.
Perhaps
ftp://ftp.cc.gatech.edu/pub/linux/system/admin/login/loginhog-1.00.tar.gz
(or insert your favorite sunsite mirror here) is a start on such
code... It checks for concurrent logins in a utmp file...

If you had that, then you'd have a setup something like this

auth <MySQL auth function>
account <time of day, concurrent login modules>
session <some utmp style logging>
passwd <MySQL's passwd change function>

This isn't ideal, however, but it seems somewhat unavoidable that the
concurrent login module would be dependent on the logging module being
used, unless I'm missing some sort of way in which pam basically allows
you to say "hey, check the logs, is anyone on?" and not have to know how
to check the accounting logs yourself... Perhaps it is this situation
which makes you say that this wasn't the intended use of PAM?

Myself, I'm pretty much a lurker and could very easily be wrong about any
of the above -- so if I am, I hope someone will jump in and correct me...

Best,
Jim Hebert
jhebert@compu-aid.com
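
The dependency described in the message above, as an added example that is not part of the original post or of loginhog: the account-phase concurrent-login decision has to parse the same utmp records that the session-phase logging writes. The function names, the limit parameter and the sample records are assumptions constructed here; a real module would call this from pam_sm_acct_mgmt() and read the records with getutent().

```c
#include <stddef.h>
#include <string.h>
#include <utmp.h>

/* Count live sessions for `user` in an array of utmp records.
 * Returns -1 if the name is empty or cannot fit in ut_user. */
int count_sessions(const struct utmp *recs, size_t n, const char *user)
{
    int count = 0;
    if (user == NULL || *user == '\0' || strlen(user) > UT_NAMESIZE)
        return -1;
    for (size_t i = 0; i < n; i++) {
        /* Only USER_PROCESS entries are logged-in sessions; DEAD_PROCESS
         * slots are left behind after logout and must not be counted. */
        if (recs[i].ut_type != USER_PROCESS)
            continue;
        /* ut_user is fixed-width and not always NUL-terminated. */
        if (strncmp(recs[i].ut_user, user, UT_NAMESIZE) == 0)
            count++;
    }
    return count;
}

/* Hypothetical policy helper: 1 = allow, 0 = deny. Fails closed when the
 * name is unusable, so a lookup error never grants access. */
int login_allowed(const struct utmp *recs, size_t n, const char *user, int max)
{
    int active = count_sessions(recs, n, user);
    return active >= 0 && active < max;
}

/* Build one constructed sample record. */
static struct utmp make_rec(short type, const char *user, const char *line)
{
    struct utmp u;
    memset(&u, 0, sizeof u);
    u.ut_type = type;
    strncpy(u.ut_user, user, UT_NAMESIZE);
    strncpy(u.ut_line, line, UT_LINESIZE);
    return u;
}

/* Run the policy over four constructed records (not real log data). */
int sample_check(const char *user, int max)
{
    struct utmp recs[4];
    recs[0] = make_rec(USER_PROCESS, "alice", "ttyS0");
    recs[1] = make_rec(USER_PROCESS, "alice", "ttyS1");
    recs[2] = make_rec(DEAD_PROCESS, "bob", "ttyS2");
    recs[3] = make_rec(USER_PROCESS, "carol", "ttyS3");
    return login_allowed(recs, 4, user, max);
}
```

If the session module logged somewhere other than utmp, count_sessions() would see nothing and every login would be allowed, which is the coupling the message points out.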



