From owner-freebsd-isp Thu Jun 26 16:42:24 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id QAA19635 for isp-outgoing; Thu, 26 Jun 1997 16:42:24 -0700 (PDT)
Received: from absinthe.i3inc.com (Absinthe.i3inc.com [208.218.26.194]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id QAA19625 for ; Thu, 26 Jun 1997 16:42:15 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by absinthe.i3inc.com (8.7.2/8.7.2) with SMTP id TAA06164; Thu, 26 Jun 1997 19:40:11 -0400 (EDT)
Message-Id: <199706262340.TAA06164@absinthe.i3inc.com>
X-Authentication-Warning: absinthe.i3inc.com: Host localhost [127.0.0.1] didn't use HELO protocol
To: tomthai@future.net
Cc: freebsd-isp@freebsd.org, linuxisp@friendly.jeffnet.org
Subject: Re: system passwd to RADIUS
In-Reply-To: Your message of "Wed, 25 Jun 1997 18:50:18 -0500 (CDT)"
References:
X-Mailer: Mew version 1.03 on Emacs 19.34.1
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Thu, 26 Jun 1997 19:40:10 -0400
From: Chris Shenton
Sender: owner-isp@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 25 Jun 1997 18:50:18 -0500 (CDT) "Tom T. Thai" wrote:

tomthai> Anyone know how to convert a unix password file to RADIUS? I think doing
tomthai> a few thousand by hand is very tedious :< Also, any way to decrypt the
tomthai> password with SU access?

Why are you doing this?

If your goal is to allow users to dial in and auth using RADIUS and
their normal UNIX password, just tell RADIUS to use it. If you're
assigning all (or a vast majority) of the users alike, then set the
DEFAULT user. Example:

    # Validate normal (dynamic) users via UNIX /etc/passwd and /etc/shadow.
    # Time-outs: log them out after this many *seconds* if they are:
    # - idle too long: 30 minutes.
    # - connected over 8 hours solid.
    DEFAULT Auth-Type = System
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Idle-Timeout = 1800,
            Session-Timeout = 28800

We precede this with non-DEFAULT users -- users with dedicated IP
addresses, routed subnets, etc.

But perhaps this isn't what you want. Beware that if you do *copy*
/etc/passwd stuff into the RADIUS users file, it will get out of sync
when the user changes their normal passwd -- very confusing.

BTW: I hacked Ascend's RADIUS to treat the password entry listed in
the RADIUS users file as a crypted passwd. I think all I had to do was
run what the RADIUS client sent to the server through crypt() then let
it compare with what RADIUS parsed from the user file. You could get
clever and even modify it to use forms like

    Password = crypt."cx19azPss3v97"

in addition to normal clear-text ones. I don't like cleartext
passwords, so I didn't bother.

The code was for Ascend's RADIUS so posting it here probably wouldn't
help. Just look where it does the compare with what the client (comm
server) sent with what's in the users file.
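
Added example, not part of the original message and not Ascend's code: a sketch of the compare described above, accepting both the clear-text form and the hypothetical `Password = crypt."..."` form. `toy_crypt` is a constructed stand-in with crypt(3)'s calling convention, and all function names are assumptions.

```python
import hashlib
import hmac
import re

try:  # real crypt(3) binding; the module was removed in Python 3.13
    from crypt import crypt as system_crypt
except Exception:
    system_crypt = None

# The two forms from the message: Password = "clear" and Password = crypt."hash"
PASSWORD_RE = re.compile(r'Password\s*=\s*(crypt\.)?"([^"]*)"')

def toy_crypt(password, salt_or_hash):
    """Constructed stand-in (NOT DES crypt): like crypt(3), the first two
    characters of the second argument are the salt and prefix the result."""
    salt = salt_or_hash[:2]
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()[:11]

def parse_check_item(line):
    """Return (is_crypted, value) for a users-file line, or None if absent."""
    m = PASSWORD_RE.search(line)
    return (m.group(1) is not None, m.group(2)) if m else None

def verify(line, sent_password, crypt_fn=None):
    """Compare the password the client sent with the users-file entry."""
    crypt_fn = crypt_fn or system_crypt
    parsed = parse_check_item(line)
    if parsed is None or not parsed[1]:
        return False  # no Password item, or an empty one: never match
    is_crypted, stored = parsed
    if not is_crypted:
        candidate = sent_password
    else:
        if crypt_fn is None or len(stored) < 2:
            return False
        # Pass the stored hash as the salt argument so the same salt is reused.
        candidate = crypt_fn(sent_password, stored) or ""
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(candidate.encode(), stored.encode())
```

This compare needs the clear-text password from the request, so it applies to PAP logins only; CHAP requires the server to hold the clear-text secret.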