Date: Wed, 10 Mar 1999 07:31:21 -0800 (PST)
From: Mark Atkinson <marka@metaip.checkpoint.com>
To: steve@ns1.cioe.com
Cc: freebsd-stable@freebsd.org
Subject: Re: PAM and RADIUS? (fwd)
Message-ID: <Pine.BSF.4.05.9903100730160.22030-100000@moby.dev.metainfo.com>

Since I don't subscribe to stable, I'm not sure this will make it into
the mailing archive, but...

On Thu, 4 Mar 1999, Steve Ames wrote:

> Has anyone gotten telnet authentication working with PAM and RADIUS?
> I posed this question in freebsd-isp but didn't see any takers.

Yes. It works on my 3.1 boxen.

> My RADIUS server says that it's authenticating just fine but login
> is still saying denied. Frustrating.
>
> Anyone got a working pam.conf they can share?

Let's take a peek:

# Configuration file for Pluggable Authentication Modules (PAM).
#
# This file controls the authentication methods that login and other
# utilities use.  See pam(8) for a description of its format.
#
# Note: the final entry must say "required" -- otherwise, things don't
# work quite right.  If you delete the final entry, be sure to change
# "sufficient" to "required" in the entry before it.
#
# $FreeBSD: src/etc/pam.conf,v 1.1 1998/11/20 23:20:01 jdp Exp $

# If the user can authenticate with S/Key, that's sufficient.
login   auth    sufficient      pam_skey.so

# Check skey.access to make sure it is OK to let the user type in
# a cleartext password.  If not, then fail right here.
login   auth    requisite       pam_cleartext_pass_ok.so

# If you want KerberosIV authentication, uncomment the next line:
#login  auth    sufficient      pam_kerberosIV.so       try_first_pass

login   auth    sufficient      pam_radius.so

# Traditional getpwnam() authentication.
login   auth    required        pam_unix.so             try_first_pass

> What RADIUS attributes should I be returning to make this work?

On your FreeBSD boxen you also need a /etc/radius.conf, here's an example:

# radius server ip      shared secret   time-out        re-try
192.168.1.166           admin           5               1

then on your RADIUS server:

service-type should be 'authenticate only' (attribute 8 has a value of 6)
in your access-accept packet

> Where do I find more info on PAM so I can answer such questions
> myself?

% man -k pam
pam.conf(5), PAM(5) - Pluggable Authentication Modules
pam_authenticate(3) - authenticate a user
pam_chauthtok(3) - updating authentication tokens
pam_fail_delay(3) - request a delay on failure
pam_open_session(3), pam_open/close_session(3) - PAM session management
pam_setcred(3) - set the credentials for the user
pam_start(3), pam_end(3) - activating PAM
pam_strerror(3) - return a textual description of a PAM error

also useful:

% man -k radius
radius.conf(5) - RADIUS client configuration file

-- 
Mark Atkinson
Checkpoint Technologies' MetaIP Group
!(wired)?(coffee++):(wired)
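
The ordering of the login auth entries in the pam.conf quoted above decides which modules are consulted at all. The following is an added example, not part of the original message and not FreeBSD's PAM code: a simplified Python model of the required / requisite / sufficient control flags. The function names parse_stack and evaluate are hypothetical, and the per-module outcomes are supplied by hand as assumptions.

```python
# Added example: simplified model of PAM control flags, not the PAM library.
# PAM_CONF is constructed from the login auth entries quoted in the message.
PAM_CONF = """\
login auth sufficient pam_skey.so
login auth requisite  pam_cleartext_pass_ok.so
#login auth sufficient pam_kerberosIV.so try_first_pass
login auth sufficient pam_radius.so
login auth required   pam_unix.so try_first_pass
"""

def parse_stack(text, service, mtype):
    """Return [(control, module, args)] for one service/type, in file order."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        svc, typ, control, module = fields[:4]
        if svc == service and typ == mtype:
            stack.append((control, module, fields[4:]))
    return stack

def evaluate(stack, results):
    """results maps module name -> True (success) or False (failure).
    Returns (granted, modules_called). 'optional' is not modelled."""
    called, failed_required, passed = [], False, False
    for control, module, _args in stack:
        ok = results[module]
        called.append(module)
        if control == "requisite" and not ok:
            return False, called          # fail right here, stack stops
        if control == "required" and not ok:
            failed_required = True        # remembered, stack continues
        if control == "sufficient" and ok and not failed_required:
            return True, called           # later modules are never consulted
        if control in ("required", "requisite") and ok:
            passed = True
        # a failed 'sufficient' module is ignored
    return (passed and not failed_required), called

if __name__ == "__main__":
    stack = parse_stack(PAM_CONF, "login", "auth")
    outcome = {"pam_skey.so": False, "pam_cleartext_pass_ok.so": False,
               "pam_radius.so": True, "pam_unix.so": True}
    print(evaluate(stack, outcome))
```

With the outcomes in the __main__ block, the requisite pam_cleartext_pass_ok.so entry fails first, so pam_radius.so is never called even though it would have accepted the user.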