rlm_passwd
Passwd-like files authorization module.
FAQ
Q: Can I use rlm_passwd to authenticate user against Linux shadow password file or BSD-style master.passwd? A: Yes, but you need RADIUS running as root. Hint: use Password.Crypt attribute. You probably don’t want to use this module with FreeBSD to authenticate against system file, as it already takes care of caching passwd file entries, but it may be helpful to authenticate against alternate file.
Q: Can I use rlm_passwd to authenticate user against SAMBA smbpasswd? A: Yes, you can. Hint: use Password.LM/Password.NT attribute, set authtype = MS-CHAP.
Q: Can I use rlm_password to authenticate user against BLA-BLA-BLApasswd? A: Probably you can, if BLA-BLA-BLA stores password in some format supported by RADIUS, for example cleartext, NT/LM hashes, crypt, Netscape MD5 format. You have to set authtype to corresponding type, for example authtype = NS-MTA-MD5 for Netscape MD5.
Q: Are where are differences between rlm_passwd and rlm_unix? A: rlm_passwd supports passwd files in any format and may be used, for example, to parse FreeBSD’s master.passwd or SAMBA smbpasswd files, but it can’t perform system authentication (for example to authenticate NIS user, like rlm_unix does). If you need system authentication you need rlm_unix, if you have to authenticate against files only under BSD you need rlm_passwd, if you need to authenticate against files only under Linux, you can choose between rlm_unix and rlm_passwd, probably you will have nearly same results in performance (I hope :) ).
Q: How can I say passwd to add attribute even if it’s value is empty?
A: set ignore_empty
to no
in module configuration.
Acknowlegements
-
ZARAZA, 3APA3A@security.nnov.ru
-
Michael Chernyakhovsky mike@mgn.ru