[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Patch to allow RADIUS authentication with pam_pwdb



This is a somewhat rough patch to the pam_pwdb module in 0.58 that allows
pam_pwdb to be used to authenticate users from a RADIUS server. Basically
it works around the fact that the encrypted password is not available in
this case. I'm not 100% happy with the way this patch works just yet, but
it _does_ work, which was what was important for me at the time I wrote it.

I'm successfully using this on the production shell machine at mich.com
and we haven't noticed any problems whatsoever. In fact we're running with
nothing but an /etc/passwd without any passwords in it; all the passwords
are stored on the RADIUS server.

I'm also experimenting with the ability to eliminate /etc/passwd entirely;
my RADIUS server is already hacked to return the home directory,
shell, etc., but the session and accounting parts of the pwdb module can't
handle the lack of /etc/passwd quite yet.

Anyway, here's the patch. If you want to use this, you need to specify the
'radius' option on the authentication line in your pam.conf file or pam.d
files. You don't have to mess with /etc/pwdb.conf since this patch will
force the PWDB library to use the RADIUS server when you specify the
'radius' option.

--- support.-c.orig	Fri Aug 29 16:48:14 1997
+++ support.-c	Fri Aug 29 17:39:18 1997
@@ -433,6 +433,7 @@
 {
     const struct pwdb *pw=NULL;
     const struct pwdb_entry *pwe=NULL;
+    const pwdb_type tlist[2] = { PWDB_RADIUS, _PWDB_MAX_TYPES };
 
     const char *salt;
     char *pp;
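Review bot: the type list is rebuilt on the stack on every call even though it is only consulted on the 'radius' path; since its contents never change, declaring it `static const pwdb_type tlist[] = { PWDB_RADIUS, _PWDB_MAX_TYPES };` (or moving it inside the `on(UNIX_RADIUS,ctrl)` branch that uses it) would make the intent clearer and avoid an unused local on the default path.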
@@ -451,7 +452,11 @@
     /* locate the entry for this user */
 
     D(("locating user's record"));
-    retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw);
+    if (on(UNIX_RADIUS,ctrl)) {
+	retval = pwdb_locate("user", tlist, name, PWDB_ID_UNKNOWN, &pw);
+    } else {
+	retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw);
+    }
     if (retval == PWDB_PASS_PHRASE_REQD) {
 	/*
 	 * give the password to the pwdb library. It may be needed to
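Review bot: with 'radius' set, `tlist` contains only PWDB_RADIUS, so a user that exists solely in the local /etc/passwd (root is the obvious case) can no longer be located through this module at all, and nothing falls back to PWDB_DEFAULT if the RADIUS server is unreachable; either document that root and emergency logins need a separate PAM stack without the 'radius' option, or consider a list that tries RADIUS first and then the local sources. Also, the added lines are indented with a tab where the surrounding code uses four spaces.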
@@ -496,8 +501,12 @@
 	    D(("running helper binary"));
 	    retval = pwdb_run_helper_binary(pamh, p);
 	} else {
-	    retval = PAM_AUTHINFO_UNAVAIL;
-	    _log_err(LOG_ALERT, "get passwd; %s", pwdb_strerror(retval));
+	    if (on(UNIX_RADIUS,ctrl)) {
+		retval = PAM_SUCCESS;
+	    } else {
+		retval = PAM_AUTHINFO_UNAVAIL;
+		_log_err(LOG_ALERT, "get passwd; %s", pwdb_strerror(retval));
+	    }
 	}
 	(void) pwdb_delete(&pw);
 	p = NULL;
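Review bot: returning PAM_SUCCESS here is keyed only on the 'radius' option being set, not on any evidence that the RADIUS server actually verified the pass phrase, so any path that reaches this else-branch (no encrypted password and no helper) with 'radius' enabled authenticates the user without a password check. The success should be tied to a flag recorded when the earlier pwdb_locate returned PWDB_PASS_PHRASE_REQD and the pass-phrase hand-off to the pwdb library succeeded, with PAM_AUTHINFO_UNAVAIL kept for every other case; dropping the `_log_err(LOG_ALERT, ...)` call on the radius path also removes the only audit trace of how the decision was made, so keep a log line at least at LOG_INFO.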


-- 
funaho@jurai.org             | And when you peel back my eyes
http://www.jurai.org/~funaho | I see the pain and feel alive...
                             |              - KMFDM, "Ultra"


