Date:      Wed, 10 Jun 1998 21:31:02 -0300 (ADT)
From:      The Hermit Hacker <scrappy@hub.org>
To:        Wm Brian McCane <root@bmccane.maxbaud.net>
Cc:        John Polstra <jdp@polstra.com>, current@FreeBSD.ORG
Subject:   Re: Radius login via getty
Message-ID:  <Pine.BSF.3.96.980610212044.316B-100000@thelab.hub.org>
In-Reply-To: <Pine.BSF.3.96.980610183742.2260C-100000@bmccane.maxbaud.net>

On Wed, 10 Jun 1998, Wm Brian McCane wrote:

> Okay, assuming PAM can do what you say it will.  Can it also be used with
> POP3, IMAP, FTP, Telnet, RLogin, etc.
	
	Yes...in fact, you can have a different PAM module used to
authenticate for the various services.  A pam.conf from one of my Solaris
2.6 machines (it's pretty standard) is included below.  pam_unix.so.1 is
the 'standard' module, that authenticates against your normal password
file.  pam_lradius.so.1 is the one I use to authenticate against a radius
server running on a Novell box (my way of doing 'NDS' authentication...or
cheating it *grin*)...

	The 'password management' stuff at the bottom...there is a module
that you can get that gives you stricter restrictions on passwords...you
just plug it into the /usr/lib/security directory, and change the point in
the pam.conf file, and it's there...nothing special required.

	And, you can have cascading modules...if one fails, it will go to
the next.  The radius one I have below, I modified so that one module does
what I wanted, but you can have it so that if the radius module fails, it
falls back to the pam_unix module to check against the system passwd file...

	It's a very clean system, IMHO, that Sun developed and the Linux
ppl are heavily investing in.  The 'Linux-PAM' thing is a misnomer, as
they are working at making sure it runs on more than just Linux...but it's
based on the Sun stuff...

====================================================================
#ident  "@(#)pam.conf 1.19     95/11/30 SMI"
#
# PAM configuration
#
# Authentication management
#
login   auth required   /usr/lib/security/pam_unix.so.1 
login   auth required   /usr/lib/security/pam_dial_auth.so.1 
#
rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/pam_unix.so.1
#
dtlogin auth required   /usr/lib/security/pam_unix.so.1
#
rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
other   auth sufficient /usr/lib/security/pam_lradius.so.1 debug
# 
# Account management
#
login   account required        /usr/lib/security/pam_unix.so.1 
dtlogin account required        /usr/lib/security/pam_unix.so.1 
#
other   account required        /usr/lib/security/pam_unix.so.1 
#
# Session management
#
other   session required        /usr/lib/security/pam_unix.so.1 
#
# Password management
#
other   password required       /usr/lib/security/pam_unix.so.1 
====================================================================

Marc G. Fournier                                
Systems Administrator @ hub.org 
primary: scrappy@hub.org           secondary: scrappy@{freebsd|postgresql}.org 
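
The per-service lookup and the cascading behaviour described in the message above, as an added example that is not part of the original e-mail: a simplified Python model (not libpam) of how a single-file pam.conf entry is chosen for a service and how the required/sufficient flags combine. The sample configuration is constructed, including a hypothetical pam_unix fallback line under `other`, and the module outcomes passed to `evaluate` are assumed inputs.

```python
# Added illustration: parse legacy single-file pam.conf lines and model
# how control flags combine module results. Simplified model, not libpam.
import os

# Constructed sample in the pam.conf format shown in the message above.
SAMPLE = """\
login  auth required   /usr/lib/security/pam_unix.so.1
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth required   /usr/lib/security/pam_unix.so.1
other  auth sufficient /usr/lib/security/pam_lradius.so.1 debug
other  auth required   /usr/lib/security/pam_unix.so.1
"""

def parse(text):
    """Return a list of (service, facility, control, module, options)."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # this model drops text after '#'
        if len(fields) >= 4:
            service, facility, control, path = fields[:4]
            entries.append((service, facility, control,
                            os.path.basename(path), fields[4:]))
    return entries

def stack_for(entries, service, facility):
    """Entries for this service, or the 'other' entries if it has none."""
    own = [e for e in entries if e[0] == service and e[1] == facility]
    return own or [e for e in entries if e[0] == "other" and e[1] == facility]

def evaluate(stack, results):
    """results maps module name -> bool (assumed module outcomes)."""
    required_failed = any_ok = False
    for _svc, _fac, control, module, _opts in stack:
        ok = results.get(module, False)
        if ok:
            any_ok = True
            if control == "sufficient" and not required_failed:
                return True          # stop here; later modules are not run
        elif control == "required":
            required_failed = True   # keep going, but the stack will fail
        elif control == "requisite":
            return False             # fail immediately
        # a failed 'sufficient' or 'optional' module is simply skipped
    return any_ok and not required_failed

if __name__ == "__main__":
    stack = stack_for(parse(SAMPLE), "ftp", "auth")
    print([e[3] for e in stack], evaluate(stack, {"pam_unix.so.1": True}))
```

In this model a stack that holds only a `sufficient` module denies access when that module fails, which is why the constructed sample adds a `required` line after the RADIUS entry.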

