user Passwd change
Hi List,

I'm a new user of FreeRADIUS; two days ago I installed a radius server for my RAS clients. Now, my doubt is: I want all new users to be able to change their passwd at the first logon. How can I do that? Any comments?

Kind regards,
Mike

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Importing /etc/passwd file to PostgreSQL DB
On Mon, 2003-10-20 at 18.46, Blevins Carol A wrote:
> I have freeradius 0.9.1 up and running using pgsql. I would like to
> import /etc/passwd into the radius db. I have manually entered a user
> into the radius db and have been able to authenticate the user fine, but
> am unclear as to how I can import the passwd file in the db. Any help
> would be appreciated. I have looked high and low on the mailing list and
> google.
>
> thanx
> Carol B.

How many users are present in /etc/passwd? Either add them manually or write a script (which shouldn't be that hard in perl).
Importing /etc/passwd file to PostgreSQL DB
I have freeradius 0.9.1 up and running using pgsql. I would like to import /etc/passwd into the radius db. I have manually entered a user into the radius db and have been able to authenticate the user fine, but am unclear as to how I can import the passwd file in the db. Any help would be appreciated. I have looked high and low on the mailing list and google.

thanx
Carol B.
Re: Apache + mod_auth_pam + pam_auth_radius does not work unless RADIUS user exists in local passwd file.
[EMAIL PROTECTED] wrote:
> The /etc/pam.d/httpd file contains:
>
> auth required pam_auth_radius.so
>
> This has worked wonderful with Squid on other machines.
>
> With Apache, the authentication is working fine if the RADIUS user exists
> as a local user as well.
...
> Require valid-user

Don't do that. "valid-user" means "valid local user".

Alan DeKok.
Apache + mod_auth_pam + pam_auth_radius does not work unless RADIUS user exists in local passwd file.
Dear all,

I am trying to set up a reverse proxy with Apache 2.0.47 using mod_auth_pam. PAM is configured to use pam_auth_radius in /etc/pam.d/httpd. User shall be authenticated against a remote RADIUS server using pam_auth_radius.so.

The /etc/pam.d/httpd file contains:

auth required pam_auth_radius.so

This has worked wonderful with Squid on other machines.

With Apache, the authentication is working fine if the RADIUS user exists as a local user as well. As soon as I want to authenticate a user that exists only on the remote RADIUS server, the authentication fails.

In httpd.conf, I activated the PAM authentication by loading the module mod_auth_pam.so and enabling it via

AllowOverride AuthConfig
AuthPAM_Enabled on
AuthName "RADIUS authentication"
AuthType "basic"
Require valid-user

Apache's error log says: "invalid account: User not known to the underlying authentication module"

What did I forget? Any help would be highly appreciated since I'm completely stuck at this point.

Thank you.
Include sql.conf crash, unable to open /etc/passwd, /etc/group
Hello all.

I have an install that, if I include the sql.conf, dies with

HASH: Reinitializing hash structures and lists for caching...
HASH: Stored 93 entries from (null)
rlm_unix: Can't open file group file (null): Bad address
zsh: segmentation fault (core dumped) /usr/local/sbin/radiusd -X
[EMAIL PROTECTED] ('tty') /usr/local/etc ->

If I disallow the include it loads and uses the file db with no problems. Any ideas??? I am stumped.

Jeromie
expire both in users and passwd
Hello,

I'm trying to figure out if there is a way to expire an account like so:

I have my users file, with a default entry that most users use (auth-type system) so they authenticate via the passwd/shadow file. I have other users with subnets or multiple logons that authenticate directly in the users file. I would like it where I can have a corresponding entry in the passwd/shadow file, and if that expires then the users entry is expired as well.

Does this sound logical? Is it something simple that my mind just isn't putting together the right way?

Thanks,
Bryan
Re: Different Called-Station-ID to different passwd files
On Friday 17 January 2003 05:08, Alan DeKok wrote:
> Craig <[EMAIL PROTECTED]> wrote:
> > I am trying to set up a single freeradius server (ver 0.8.1) in such
> > a way that when a person dials eg.
> >
> > phone-number-1 (for ISP1) they get authenticated against password-file-1,
> >
> > phone-number-2 (for ISP2) they get authenticated against password-file-2
> > etc.
> >
> > I don't want users to have to add a realm name to their login, unless
> > they are roaming, in which case it would need to work with that as
> > well.
>
> Then your best bet is to *always* use realms. Set up the realms
> file for roaming like you would do normally, then in the 'hints' file,
> do:
>
> DEFAULT Called-Station-Id = "5551212"
>         Realm = "ISP-1"
>
> DEFAULT Called-Station-Id = "555"
>         Realm = "ISP-2"
>
>
> When they dial in to those numbers *without* a realm, then the realm
> information will be added by the 'hints' file.
>
> Alan DeKok.

Thanks, that solves the phone number problem but I still don't know how to get

Realm = "ISP-1" to authenticate against password-file-1
Realm = "ISP-2" to authenticate against password-file-2

In the radiusd.conf file I was thinking perhaps of using the passwd module, with a definition for each ISP like (haven't worked the format out yet)

passwd ISP1 {
        filename = /etc/password-file-1
        format="*User-Name::LM-Password: UNIX-Password:SMB-Account-CTRL-TEXT::"
        authtype = PAP
        hashsize = 100
        (I am uncertain of the hashsize behaviour. Does the hash ever refresh itself, or do you need to restart the server?)
        ignorenislike = no
        allowmultiplekeys = no
}

in the passwd module region and then defining each in the

authorize {
        preprocess
        chap
        mschap
        suffix
        files
        ISP1 (is this the right spot?)
        ISP2
}

block. Will this work correctly? Also how do I set this up in the user file? Something like

DEFAULT Realm == "ISP1", Auth-Type := ISP1

Finally, is there a GUI for something like radclient? The O'Reilly Radius book suggested some windows program (NTRadPing), but I'm not running windows.
Re: Different Called-Station-ID to different passwd files
Craig <[EMAIL PROTECTED]> wrote:
> I am trying to set up a single freeradius server (ver 0.8.1) in such
> a way that when a person dials eg.
>
> phone-number-1 (for ISP1) they get authenticated against password-file-1,
>
> phone-number-2 (for ISP2) they get authenticated against password-file-2
> etc.
>
> I don't want users to have to add a realm name to their login, unless
> they are roaming, in which case it would need to work with that as
> well.

Then your best bet is to *always* use realms. Set up the realms file for roaming like you would do normally, then in the 'hints' file, do:

DEFAULT Called-Station-Id = "5551212"
        Realm = "ISP-1"

DEFAULT Called-Station-Id = "555"
        Realm = "ISP-2"

When they dial in to those numbers *without* a realm, then the realm information will be added by the 'hints' file.

Alan DeKok.
Different Called-Station-ID to different passwd files
Hi,

I am trying to set up a single freeradius server (ver 0.8.1) in such a way that when a person dials eg.

phone-number-1 (for ISP1) they get authenticated against password-file-1,

phone-number-2 (for ISP2) they get authenticated against password-file-2
etc.

I don't want users to have to add a realm name to their login, unless they are roaming, in which case it would need to work with that as well.

How could I set up such a server?

Craig.
Re: MD5 passwd encryption (was Re: Error about:rlm_eap_md5)
Margrete Raaum <[EMAIL PROTECTED]> wrote:
> We are migrating to LDAP. I am trying to get EAP/MD5 to work with LDAP.
> Of course there are no clear text passwords in the LDAP base as that would
> result in clear text passwords across the network, they are MD5-encrypted.
> The passwords don't really have to be in clear text, do they?

For EAP, yes, they do. The solution to passwords going across the network from your LDAP server in clear-text is to encrypt the connection to the LDAP server.

Alan DeKok.
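
Added example (not part of the original messages or of FreeRADIUS): a Python sketch of why the replies in these threads say EAP-MD5 needs the clear-text password, while a PAP-style check works against a stored hash. The user name, password, salt and the PBKDF2 stand-in for a crypt(3)-style hash are assumptions made for illustration.

```python
import hashlib
import hmac


def chap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) / EAP-MD5 response: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a salted one-way hash as kept in /etc/shadow or LDAP.

    Assumption: PBKDF2 is used only because it ships with Python; any
    one-way scheme (crypt(3), salted MD5, ...) behaves the same way here.
    """
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


# Constructed sample credential stores for a single hypothetical user.
SALT = b"constructed-salt"
CLEARTEXT_STORE = {"alice": {"cleartext": b"correct horse"}}
HASHED_STORE = {"alice": {"salt": SALT, "hash": one_way_hash(b"correct horse", SALT)}}


def verify_pap(store: dict, user: str, submitted_password: bytes) -> bool:
    """PAP-style check: the server receives the password itself, so it can
    hash it and compare against whatever form is on file."""
    entry = store[user]
    if "cleartext" in entry:
        return hmac.compare_digest(entry["cleartext"], submitted_password)
    candidate = one_way_hash(submitted_password, entry["salt"])
    return hmac.compare_digest(entry["hash"], candidate)


def verify_eap_md5(store: dict, user: str, identifier: int,
                   challenge: bytes, response: bytes) -> bool:
    """EAP-MD5 check: the server only sees the response, so it has to
    recompute MD5 over the password itself.

    With only a hash on file, the most it can do is feed that hash in as
    the secret, which never matches what the client computed from the
    real password.
    """
    entry = store[user]
    secret = entry.get("cleartext", entry.get("hash"))
    expected = chap_md5_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    identifier = 7
    challenge = bytes(range(16))  # constructed 16-byte challenge
    password = b"correct horse"
    # What the supplicant sends back for the right and for a wrong password.
    response = chap_md5_response(identifier, password, challenge)
    wrong = chap_md5_response(identifier, b"guess", challenge)
    return {
        "pap_hashed_store": verify_pap(HASHED_STORE, "alice", password),
        "eap_md5_cleartext_store": verify_eap_md5(
            CLEARTEXT_STORE, "alice", identifier, challenge, response),
        "eap_md5_hashed_store": verify_eap_md5(
            HASHED_STORE, "alice", identifier, challenge, response),
        "eap_md5_wrong_password": verify_eap_md5(
            CLEARTEXT_STORE, "alice", identifier, challenge, wrong),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```
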
MD5 passwd encryption (was Re: Error about:rlm_eap_md5)
On Tue, 7 Jan 2003, Shawn Adams wrote:
>I guess my big disappointment is the user password is in clear text in
>the /etc/raddb/users.conf file. Which is just another administrative
>task to maintain.

We are migrating to LDAP. I am trying to get EAP/MD5 to work with LDAP. Of course there are no clear text passwords in the LDAP base as that would result in clear text passwords across the network, they are MD5-encrypted. The passwords don't really have to be in clear text, do they?

Margrete
Re: /etc/passwd and users file
Bogdan Rosu <[EMAIL PROTECTED]> wrote:
> Ok i managed to get it on its feet, now what i am asking is
> is there a way/script to add users with the dial_upadmin frontend
> (username / pass) but then to have them in the users file as well
> in the systems passwd/shadow so then i can use the System Auth?

Huh? If the users are listed in /etc/passwd, then you don't have to add them to the 'users' file.

Read the default 'users' file shipped with the server. It authenticates *anyone* in /etc/passwd.

Alan DeKok.
Re: /etc/passwd and users file
Ok i managed to get it on its feet, now what i am asking is is there a way/script to add users with the dial_upadmin frontend (username / pass) but then to have them in the users file as well in the systems passwd/shadow so then i can use the System Auth?

Dunno if i spelled that correctly, or if it makes sense, anyhow the script that comes with freeradius to add users from the users file to mysql doesn't work for me :(.

Reason:

inserting "robcon" into usergroup table as member of "dynamic"
DBD::mysql::db do failed: You have an error in your SQL syntax near '`usergroup` SET `UserName`='robcon',`GroupName`='dynamic'' at line 1 at ./users2mysql.pl line 98, chunk 837.
inserting " Simultaneous-Use", "1" for "robcon" in radcheck
...

Thnx
Bogdan

On Fri, 13 Dec 2002, Alan DeKok wrote:

> Bogdan Rosu <[EMAIL PROTECTED]> wrote:
> > Ok i'm new to this im sitting here for the 2nd day with my teeth in
> > deep radius... compiled installed on a Red Hat 6.1
> > i've set up the database, also dial up admin..
> > in the past ive used radius + pgsql and some home made scripts
> > but thats history since postgres gave me a lot o headache.
>
> If you're not familiar with RADIUS, then don't set up a complicated
> configuration at the start. Read the FAQ, follow the examples, and
> work from there.
>
> > What i have is an /etc/passwd full of users and an old radius user
> > file that looks like this :
> >
> > acighi  Auth-Type = System
> >         Service-Type = Framed-User,
> >         Framed-Protocol = PPP
>
> That looks somewhat reasonable.
>
> > whats the best way to approach this,
> > ive been failing at doing this...
>
> And the output of debugging mode is... ?
>
> Alan DeKok.
Re: /etc/passwd and users file
Bogdan Rosu <[EMAIL PROTECTED]> wrote:
> Ok i'm new to this im sitting here for the 2nd day with my teeth in
> deep radius... compiled installed on a Red Hat 6.1
> i've set up the database, also dial up admin..
> in the past ive used radius + pgsql and some home made scripts
> but thats history since postgres gave me a lot o headache.

If you're not familiar with RADIUS, then don't set up a complicated configuration at the start. Read the FAQ, follow the examples, and work from there.

> What i have is an /etc/passwd full of users and an old radius user
> file that looks like this :
>
> acighi  Auth-Type = System
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP

That looks somewhat reasonable.

> whats the best way to approach this,
> ive been failing at doing this...

And the output of debugging mode is... ?

Alan DeKok.
/etc/passwd and users file
Ok i'm new to this im sitting here for the 2nd day with my teeth in deep radius... compiled installed on a Red Hat 6.1
i've set up the database, also dial up admin..
in the past ive used radius + pgsql and some home made scripts but thats history since postgres gave me a lot o headache.

What i have is an /etc/passwd full of users and an old radius user file that looks like this :

acighi  Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP

adriana.nebela  Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP

adrianturcas    Auth-Type = System
        Service-Type = Framed-User,
        Framed-Protocol = PPP

I want to port all these users onto freeradius (latest), and be able to account/manage them with dialup_admin + mysql

whats the best way to approach this, ive been failing at doing this...

thnx
Bogdan
Re: (2) Can LDAP be used to authenticate /etc/passwd ?
05-Dec-02 at 20:23, Sarick ([EMAIL PROTECTED]) wrote :
> Hi Hecker,
> I do know that EAP-MD5 is only capable of authenticating with plain text
> info.
> And now I know that to authenticate with the accounts on Linux server will
> need additional database setup for users.
> It is impossible to obtain user info from original Linux server.

By copying /etc/passwd and /etc/shadow onto another machine with the same password hash mechanism, you can have the users on another system. Otherwise, you can get the usernames from the /etc/passwd file and you have to recreate passwords.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: (2) Can LDAP be used to authenticate /etc/passwd ?
Hi Hecker, I do know that EAP-MD5 is only capable of authenticating with plain text info. And now I know that to authenticate with the accounts on Linux server will need additional database setup for users. It is impossible to obtain user info from original Linux server. Thanks Sarick - Original Message - From: "Artur Hecker" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, December 05, 2002 7:20 PM Subject: Re: (2) Can LDAP be used to authenticate /etc/passwd ? > one more time: eap/md5 will not (can not) work with the information > available in the /etc/passwd and shadow. > > > > Sarick wrote: > > Hi, > > Thanks all of the advice. Now I know what LDAP does. :-) > > Basically, my ambition is to make a 802.1x EAP-MD5 authentication. > > And the users info required for authentication (i.e., username and passwd) > > can correspond to the accounts on my Linux server. > > Therefore, I won't need to key in all of the users info again but just > > obtained from Linux. (my original thought is to obtain from /etc/passwd and > > /etc/shadow) > > But I have no idea whether I can do it or how I can do it. > > Can I just convert the /etc/passwd and /etc/shadow into LDAP database? How? > > Or it is no way to do this? > > > > Sarick > > > > - Original Message - > > From: "Artur Hecker" <[EMAIL PROTECTED]> > > To: <[EMAIL PROTECTED]> > > Sent: Thursday, December 05, 2002 8:56 AM > > Subject: Re: (2) Can LDAP be used to authenticate /etc/passwd ? > > > > > > > >>hi > >> > >>evren: all that is useless - EAP-MD5 will need clear-text passwords. > >>/etc/passwd or shadow or whatsoever only stores a hash of it. it is not > >>going to work anyway. > >> > >>a propos, sarick: the original question is a big strange mixture of > >>available incompatible techniques. you store your radius-related users > >>EITHER in the LDAP OR in the /etc/passwd OR somewhere else, and not just > >>somewhere. an LDAP database is NOT a text file which /etc/passwd > >>obviously is. 
and ming-bogglingly enough all this has nothing to do with > >>radius! and even more confusing: the EAP-MD5 is pretty much CHAP in its > >>centralized EAP form and CHAP needs clear-text passwords and exactly > >>those are actually hashed (=not clear-text) in the file you are talking > >>about. > >> > >>what the hell do you want to do? > >> > >> > >>ciao > >>artur > >> > >> > >>ps your question basically was: "can i buy a cadillac that knows how to > >>drive a chevy? and can all this fly to the moon?" > >> > >> > >> > >> > >>Evren Yurtesen wrote: > >> > >>>or actually if you can keep the /etc/passwd /etc/shadow syncronised with > >>>LDAP that would also do the trick. Perhaps with a script you can convert > >>>/etc/passwd /etc/shadow into LDAP or only the changed accounts etc. or > >>>even syncronise the add/remove user functions both in LDAP and in system > >>>files. > >>> > >>>Evren > >>> > >>>On Wed, 4 Dec 2002, Simon White wrote: > >>> > >>> > >>>>04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote : > >>>> > >>>>> > >>>>>Hi Simon, > >>>>>- Original Message - > >>>>>From: "Simon White" <[EMAIL PROTECTED]> > >>>>>To: <[EMAIL PROTECTED]> > >>>>>Sent: Wednesday, December 04, 2002 7:23 PM > >>>>>Subject: Re: Can LDAP be used to authenticate /etc/passwd ? > >>>>> > >>>>> > >>>>> > >>>>>>04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote : > >>>>>> > >>>>>>>Hi all, > >>>>>>>Can the LDAP be used to authenticate a user whose username and > >>>>>> > > password > > > >>>>>is > >>>>> > >>>>>>>stored in /etc/passwd?? > >>>>>> > >>>>>>How is the LDAP server going to read the username in /etc/passwd? > >>>>>> > >>>>>>Passwords are not stored in /etc/passwd, just usernames. > >>>>>>Passwords are usually in /etc/shadow, YMMV > >>>>> > >>>>>yes. My question is, can I use LDAP to authentic
Re: (2) Can LDAP be used to authenticate /etc/passwd ?
one more time: eap/md5 will not (can not) work with the information available in the /etc/passwd and shadow. Sarick wrote: Hi, Thanks all of the advice. Now I know what LDAP does. :-) Basically, my ambition is to make a 802.1x EAP-MD5 authentication. And the users info required for authentication (i.e., username and passwd) can correspond to the accounts on my Linux server. Therefore, I won't need to key in all of the users info again but just obtained from Linux. (my original thought is to obtain from /etc/passwd and /etc/shadow) But I have no idea whether I can do it or how I can do it. Can I just convert the /etc/passwd and /etc/shadow into LDAP database? How? Or it is no way to do this? Sarick - Original Message - From: "Artur Hecker" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, December 05, 2002 8:56 AM Subject: Re: (2) Can LDAP be used to authenticate /etc/passwd ? hi evren: all that is useless - EAP-MD5 will need clear-text passwords. /etc/passwd or shadow or whatsoever only stores a hash of it. it is not going to work anyway. a propos, sarick: the original question is a big strange mixture of available incompatible techniques. you store your radius-related users EITHER in the LDAP OR in the /etc/passwd OR somewhere else, and not just somewhere. an LDAP database is NOT a text file which /etc/passwd obviously is. and ming-bogglingly enough all this has nothing to do with radius! and even more confusing: the EAP-MD5 is pretty much CHAP in its centralized EAP form and CHAP needs clear-text passwords and exactly those are actually hashed (=not clear-text) in the file you are talking about. what the hell do you want to do? ciao artur ps your question basically was: "can i buy a cadillac that knows how to drive a chevy? and can all this fly to the moon?" Evren Yurtesen wrote: or actually if you can keep the /etc/passwd /etc/shadow syncronised with LDAP that would also do the trick. 
Perhaps with a script you can convert /etc/passwd /etc/shadow into LDAP or only the changed accounts etc. or even syncronise the add/remove user functions both in LDAP and in system files. Evren On Wed, 4 Dec 2002, Simon White wrote: 04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote : Hi Simon, - Original Message - From: "Simon White" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, December 04, 2002 7:23 PM Subject: Re: Can LDAP be used to authenticate /etc/passwd ? 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote : Hi all, Can the LDAP be used to authenticate a user whose username and password is stored in /etc/passwd?? How is the LDAP server going to read the username in /etc/passwd? Passwords are not stored in /etc/passwd, just usernames. Passwords are usually in /etc/shadow, YMMV yes. My question is, can I use LDAP to authenticate the users who having the accounts on Linux , with EAP-MD5 authentication? That is, to read the usernames from /etc/passwd and passwords from /etc/shadow. How? You can't. You can store the hashes that are in shadow in LDAP probably. I think, however, that your approach is probably wrong. -- |-Simon White, Internet Services Manager, Certified Check Point CCSA. |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Artur Hecker artur[at]hecker.info - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Artur Hecker Groupe Accès et Mobilité hecker[at]enst[dot]fr Département Informatique et Réseaux +33 1 45 81 7507 46, rue Barrault 75634 Paris cedex 13 http://www.infres.enst.fr ENST Paris - List info/subscribe/unsubscribe? 
See http://www.freeradius.org/list/users.html
Re: (2) Can LDAP be used to authenticate /etc/passwd ?
Hi, Thanks all of the advice. Now I know what LDAP does. :-) Basically, my ambition is to make a 802.1x EAP-MD5 authentication. And the users info required for authentication (i.e., username and passwd) can correspond to the accounts on my Linux server. Therefore, I won't need to key in all of the users info again but just obtained from Linux. (my original thought is to obtain from /etc/passwd and /etc/shadow) But I have no idea whether I can do it or how I can do it. Can I just convert the /etc/passwd and /etc/shadow into LDAP database? How? Or it is no way to do this? Sarick - Original Message - From: "Artur Hecker" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Thursday, December 05, 2002 8:56 AM Subject: Re: (2) Can LDAP be used to authenticate /etc/passwd ? > hi > > evren: all that is useless - EAP-MD5 will need clear-text passwords. > /etc/passwd or shadow or whatsoever only stores a hash of it. it is not > going to work anyway. > > a propos, sarick: the original question is a big strange mixture of > available incompatible techniques. you store your radius-related users > EITHER in the LDAP OR in the /etc/passwd OR somewhere else, and not just > somewhere. an LDAP database is NOT a text file which /etc/passwd > obviously is. and ming-bogglingly enough all this has nothing to do with > radius! and even more confusing: the EAP-MD5 is pretty much CHAP in its > centralized EAP form and CHAP needs clear-text passwords and exactly > those are actually hashed (=not clear-text) in the file you are talking > about. > > what the hell do you want to do? > > > ciao > artur > > > ps your question basically was: "can i buy a cadillac that knows how to > drive a chevy? and can all this fly to the moon?" > > > > > Evren Yurtesen wrote: > > > > or actually if you can keep the /etc/passwd /etc/shadow syncronised with > > LDAP that would also do the trick. Perhaps with a script you can convert > > /etc/passwd /etc/shadow into LDAP or only the changed accounts etc. 
or > > even syncronise the add/remove user functions both in LDAP and in system > > files. > > > > Evren > > > > On Wed, 4 Dec 2002, Simon White wrote: > > > > > 04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote : > > > > > > > > > > > > Hi Simon, > > > > - Original Message - > > > > From: "Simon White" <[EMAIL PROTECTED]> > > > > To: <[EMAIL PROTECTED]> > > > > Sent: Wednesday, December 04, 2002 7:23 PM > > > > Subject: Re: Can LDAP be used to authenticate /etc/passwd ? > > > > > > > > > > > > > 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote : > > > > > > Hi all, > > > > > > Can the LDAP be used to authenticate a user whose username and password > > > > is > > > > > > stored in /etc/passwd?? > > > > > > > > > > How is the LDAP server going to read the username in /etc/passwd? > > > > > > > > > > Passwords are not stored in /etc/passwd, just usernames. > > > > > Passwords are usually in /etc/shadow, YMMV > > > > yes. My question is, can I use LDAP to authenticate the users who having the > > > > accounts on Linux , with EAP-MD5 authentication? > > > > That is, to read the usernames from /etc/passwd and passwords from > > > > /etc/shadow. > > > > How? > > > > > > You can't. You can store the hashes that are in shadow in LDAP probably. > > > I think, however, that your approach is probably wrong. > > > > > > -- > > > |-Simon White, Internet Services Manager, Certified Check Point CCSA. > > > |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions. > > > |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco. > > > |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863 > > > > > > - > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > > > > > > - > > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > -- > Artur Hecker > artur[at]hecker.info > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html > > - List info/subscribe/unsubscribe? 
See http://www.freeradius.org/list/users.html
Re: (2) Can LDAP be used to authenticate /etc/passwd ?
hi

evren: all that is useless - EAP-MD5 will need clear-text passwords. /etc/passwd or shadow or whatsoever only stores a hash of it. it is not going to work anyway.

a propos, sarick: the original question is a big strange mixture of available incompatible techniques. you store your radius-related users EITHER in the LDAP OR in the /etc/passwd OR somewhere else, and not just somewhere. an LDAP database is NOT a text file which /etc/passwd obviously is. and mind-bogglingly enough all this has nothing to do with radius! and even more confusing: the EAP-MD5 is pretty much CHAP in its centralized EAP form and CHAP needs clear-text passwords and exactly those are actually hashed (=not clear-text) in the file you are talking about.

what the hell do you want to do?

ciao
artur

ps your question basically was: "can i buy a cadillac that knows how to drive a chevy? and can all this fly to the moon?"

Evren Yurtesen wrote:
>
> or actually if you can keep the /etc/passwd /etc/shadow synchronised with
> LDAP that would also do the trick. Perhaps with a script you can convert
> /etc/passwd /etc/shadow into LDAP or only the changed accounts etc. or
> even synchronise the add/remove user functions both in LDAP and in system
> files.
>
> Evren
>
> On Wed, 4 Dec 2002, Simon White wrote:
>
> > 04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote :
> > > Hi Simon,
> > > - Original Message -
> > > From: "Simon White" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Wednesday, December 04, 2002 7:23 PM
> > > Subject: Re: Can LDAP be used to authenticate /etc/passwd ?
> > >
> > > > 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> > > > > Hi all,
> > > > > Can the LDAP be used to authenticate a user whose username and password is
> > > > > stored in /etc/passwd??
> > > >
> > > > How is the LDAP server going to read the username in /etc/passwd?
> > > >
> > > > Passwords are not stored in /etc/passwd, just usernames.
> > > > Passwords are usually in /etc/shadow, YMMV
> > >
> > > yes. My question is, can I use LDAP to authenticate the users who having the
> > > accounts on Linux , with EAP-MD5 authentication?
> > > That is, to read the usernames from /etc/passwd and passwords from
> > > /etc/shadow.
> > > How?
> >
> > You can't. You can store the hashes that are in shadow in LDAP probably.
> > I think, however, that your approach is probably wrong.
> >
> > --
> > |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> > |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> > |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
> > |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

--
Artur Hecker
artur[at]hecker.info
Re: Can LDAP be used to authenticate /etc/passwd ?
"jmc_cs" <[EMAIL PROTECTED]> wrote: > yes. My question is, can I use LDAP to authenticate the users who having the > accounts on Linux , with EAP-MD5 authentication? Your question makes no sense. LDAP is a database. It doesn't do authentication. > That is, to read the usernames from /etc/passwd and passwords from > /etc/shadow. Uh... the server comes configured to do that. Did you try it? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: radwho does not show nas short name + additional question about external passwd check
"Kliment Toshkov" <[EMAIL PROTECTED]> wrote: > > Exec-Program-Wait should work... > Well, it works fine and passess AV pairs exactly as before. Then I don't understand why the external check fails... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re:(2) Can LDAP be used to authenticate /etc/passwd ?
or actually if you can keep the /etc/passwd /etc/shadow synchronised with LDAP that would also do the trick. Perhaps with a script you can convert /etc/passwd /etc/shadow into LDAP or only the changed accounts etc. or even synchronise the add/remove user functions both in LDAP and in system files.

Evren

On Wed, 4 Dec 2002, Simon White wrote:

> 04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote :
> > Hi Simon,
> > - Original Message -
> > From: "Simon White" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, December 04, 2002 7:23 PM
> > Subject: Re: Can LDAP be used to authenticate /etc/passwd ?
> >
> > > 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> > > > Hi all,
> > > > Can the LDAP be used to authenticate a user whose username and password is
> > > > stored in /etc/passwd??
> > >
> > > How is the LDAP server going to read the username in /etc/passwd?
> > >
> > > Passwords are not stored in /etc/passwd, just usernames.
> > > Passwords are usually in /etc/shadow, YMMV
> >
> > yes. My question is, can I use LDAP to authenticate the users who having the
> > accounts on Linux , with EAP-MD5 authentication?
> > That is, to read the usernames from /etc/passwd and passwords from
> > /etc/shadow.
> > How?
>
> You can't. You can store the hashes that are in shadow in LDAP probably.
> I think, however, that your approach is probably wrong.
>
> --
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863
Re: Can LDAP be used to authenticate /etc/passwd ?
You can perhaps use some kind of script to transfer /etc/passwd and /etc/shadow into LDAP and then use PAM to authenticate all your linux users from LDAP database. Also when you add new users you can add to ldap and create directories in linux (with a script perhaps). This way you can get rid of the whole /etc/passwd and /etc/shadow files at the same time so you don't have to deal with 2 things.

But then you should find a sendmail which is patched to support LDAP, PAM etc. and your pop3, imap servers should support PAM or LDAP too also all your programs like apache etc. should somehow find users from LDAP.

I tried to do this once but then I thought what the hell, too much work for having an LDAP database. FreeBSD already keeps users in DB so this won't improve performance at all. That was also when I decided LDAP sucks little bit =) Although it is easier to reach to a database like LDAP or MySQL from anywhere you like.

Evren

On Wed, 4 Dec 2002, Simon White wrote:
> 04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote :
> > Hi Simon,
> > - Original Message -
> > From: "Simon White" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, December 04, 2002 7:23 PM
> > Subject: Re: Can LDAP be used to authenticate /etc/passwd ?
> >
> > > 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> > > > Hi all,
> > > > Can the LDAP be used to authenticate a user whose username and password is
> > > > stored in /etc/passwd??
> > >
> > > How is the LDAP server going to read the username in /etc/passwd?
> > >
> > > Passwords are not stored in /etc/passwd, just usernames.
> > > Passwords are usually in /etc/shadow, YMMV
> > yes. My question is, can I use LDAP to authenticate the users who have the
> > accounts on Linux, with EAP-MD5 authentication?
> > That is, to read the usernames from /etc/passwd and passwords from
> > /etc/shadow.
> > How?
>
> You can't. You can store the hashes that are in shadow in LDAP probably.
> I think, however, that your approach is probably wrong.
>
> --
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

Re: Can LDAP be used to authenticate /etc/passwd ?
04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote :
> Hi Simon,
> - Original Message -
> From: "Simon White" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, December 04, 2002 7:23 PM
> Subject: Re: Can LDAP be used to authenticate /etc/passwd ?
>
> > 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> > > Hi all,
> > > Can the LDAP be used to authenticate a user whose username and password is
> > > stored in /etc/passwd??
> >
> > How is the LDAP server going to read the username in /etc/passwd?
> >
> > Passwords are not stored in /etc/passwd, just usernames.
> > Passwords are usually in /etc/shadow, YMMV
> yes. My question is, can I use LDAP to authenticate the users who have the
> accounts on Linux, with EAP-MD5 authentication?
> That is, to read the usernames from /etc/passwd and passwords from
> /etc/shadow.
> How?

You can't. You can store the hashes that are in shadow in LDAP probably.
I think, however, that your approach is probably wrong.

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

Re: Can LDAP be used to authenticate /etc/passwd ?
Hi Simon,

- Original Message -
From: "Simon White" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, December 04, 2002 7:23 PM
Subject: Re: Can LDAP be used to authenticate /etc/passwd ?

> 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> > Hi all,
> > Can the LDAP be used to authenticate a user whose username and password is
> > stored in /etc/passwd??
>
> How is the LDAP server going to read the username in /etc/passwd?
>
> Passwords are not stored in /etc/passwd, just usernames.
> Passwords are usually in /etc/shadow, YMMV

yes. My question is, can I use LDAP to authenticate the users who have the accounts on Linux, with EAP-MD5 authentication?
That is, to read the usernames from /etc/passwd and passwords from /etc/shadow.
How?

Sarick

> --
> |-Simon White, Internet Services Manager, Certified Check Point CCSA.
> |-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
> |-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
> |-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

RE: Can LDAP be used to authenticate /etc/passwd ?
> Hi all,
> Can the LDAP be used to authenticate a user whose username and password is
> stored in /etc/passwd??
> And can this authentication use EAP-MD5 ?
>

Please read the file doc/aaa.txt about the difference between Authorization and Authentication, and then rephrase your question.

Yours, Hans

--
Kabelfoon BV        Phone: +31 174 615430
PO Box 45           Fax: +31 174 623860
2670 AA Naaldwijk   WWW: http://www.kabelfoon.nl/
Netherlands         Email: [EMAIL PROTECTED]

Re: Can LDAP be used to authenticate /etc/passwd ?
04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> Hi all,
> Can the LDAP be used to authenticate a user whose username and password is
> stored in /etc/passwd??

How is the LDAP server going to read the username in /etc/passwd?

Passwords are not stored in /etc/passwd, just usernames.
Passwords are usually in /etc/shadow, YMMV

--
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS 14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS tel +212.3.767.4861 - fax +212.3.767.4863

Can LDAP be used to authenticate /etc/passwd ?
Hi all,

Can the LDAP be used to authenticate a user whose username and password is stored in /etc/passwd??
And can this authentication use EAP-MD5 ?

Regards
Sarick

Re: radwho does not show nas short name + additional question about external passwd check
> > Anyway, I have another question: After upgrading 0.5 to 0.8 I have kept all
> > configuration files. First there was an error reported about acct_users,
> > some error with syntax ?! I have fixed it by editing the file and saving it.
>
> Knowing the error would help to fix the problem.

First error was... something about missing something :>

> > Most important thing for me is that users whose accounts are in external
> > password/shadow files are not allowed access anymore with reason: Access
> > denied (external check failed).
>
> Hmm...

Most important for me is what you answered with "Hmm". Please help - configuration is not altered in any way but it does not work anymore (except SQL authorization).

> > Maybe there is something changed in 0.8 I am not aware of?
>
> Exec-Program-Wait should work...

Well, it works fine and passes AV pairs exactly as before.

---
Technical Director of VIKET NetWorks
web/mail: www.viket.net; [EMAIL PROTECTED]
gsm/gsm2: +359 88 803280; +359 87 800743

Re: radwho does not show nas short name + additional question about external passwd check
"Kliment Toshkov" <[EMAIL PROTECTED]> wrote:
> Anyway, I have another question: After upgrading 0.5 to 0.8 I have kept all
> configuration files. First there was an error reported about acct_users,
> some error with syntax ?! I have fixed it by editing the file and saving it.

Knowing the error would help to fix the problem.

> Most important thing for me is that users whose accounts are in external
> password/shadow files are not allowed access anymore with reason: Access
> denied (external check failed).

Hmm...

> Maybe there is something changed in 0.8 I am not aware of?

Exec-Program-Wait should work...

Alan DeKok.

Re: radwho does not show nas short name + additional question about external passwd check
Information about each NAS is stored in SQL database. All scripts supporting that large ISP are total size of 10KB. Not a lot of work at least for me.

Anyway, I have another question: After upgrading 0.5 to 0.8 I have kept all configuration files. First there was an error reported about acct_users, some error with syntax ?! I have fixed it by editing the file and saving it.

Most important thing for me is that users whose accounts are in external password/shadow files are not allowed access anymore with reason: Access denied (external check failed). (please keep in mind that this configuration works with 0.5 for 7 months)

Users file is as follows:

marty Auth-Type := System
    Fall-Through = 1

[lots of old accounts not included in SQL db]

DEFAULT
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-MTU = 1500,
    Framed-Routing = 0,
    Framed-Compression = Van-Jacobson-TCP-IP,
    Idle-Timeout = 3600,
    Exec-Program-Wait = "/usr/local/icard/auth-start %u %n %{Called-Station-Id}",
    Fall-Through = 1

Maybe there is something changed in 0.8 I am not aware of?

shadow, password and group files location is described in unix {} module of radiusd.conf
server is RedHat 7.x (or something similar :>), MySQL 3.23.49a (which is not important regarding this question).

Please advise.

PS. Alan, I chose billing in realtime because it's more accurate handling sessions which cover more than one time zone and reduces the possibility of data loss (hardware failure, etc.)

---
Technical Director of VIKET NetWorks
web/mail: www.viket.net; [EMAIL PROTECTED]
gsm/gsm2: +359 88 803280; +359 87 800743

- Original Message -
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, December 03, 2002 7:16 PM
Subject: Re: radwho does not show nas short name

> "Kliment Toshkov" <[EMAIL PROTECTED]> wrote:
> > 60 NASes located in different cities across country. Different time zones and
> > discounts for every NAS.
> > For me billing in realtime (every minute) based on location (NAS) is best
> > solution.
>
> It's a lot of work, and completely unnecessary. You can put the
> accounting information from each NAS into a NAS-specific 'detail'
> file, and then process that every hour or so. It's *exactly* the same
> as what you're doing now, but a LOT less work.
>
> There's NO need to do accounting every minute.
>
> Alan DeKok.

Re: How to use unix /etc/passwd to authenticate users through AP ?
"Yi-Wen Liu" <[EMAIL PROTECTED]> wrote:
> I want to use unix account (/etc/passwd) to authenticate users. But
> I don't know how to generate
> packets with [Auth-Type := System] from user.

You don't. The default configuration shipped with the server makes it authenticate against the passwd file.

Alan DeKok.

Re[4]: Problem: authenticate with /etc/passwd users
Dear Sarick,

Any challenge-response based authentication can't work with crypted password. One and only exception is NT password which can be used for MS-CHAP v1/2 authentication.

--Monday, November 25, 2002, 2:07:32 PM, you wrote to [EMAIL PROTECTED]:

S> Hi, firstly thanks your quick response. :-)
S> - Original Message -
S> From: "3APA3A" <[EMAIL PROTECTED]>
S> To: "Sarick" <[EMAIL PROTECTED]>
S> Cc: <[EMAIL PROTECTED]>
S> Sent: Monday, November 25, 2002 6:50 PM
S> Subject: Re[2]: Problem: authenticate with /etc/passwd users

>> Dear Sarick,
>>
>> In your case problem is you try to use crypted passwords with EAP/md5.
>> For EAP/md5 you need cleartext password.
>>

S> So, what should I do if I want to use the crypted passwords?
S> Should I make the rlm_passwd module?
S> How should I config it?
S> My ambition is to make a 802.1x authentication. Authentication messages from
S> authenticating
S> supplicant (client) be in EAP format (I use /EAP-MD5).
S> And user-names and user-passwords can be derived from the /etc/passwd file.
S> Therefore, I don't have to maintain
S> the ./raddb/users file too constantly.

S> Below is my radiusd.conf for EAP section:--
S> # For all EAP related authentications
S> eap {
S> # Invoke the default supported EAP type when
S> # EAP-Identity response is received
S> default_eap_type = md5
S> # Default expiry time to clean the EAP list,
S> # It is maintained to co-relate the
S> # EAP-response for each EAP-request sent.
S> timer_expire = 60
S> # Supported EAP-types
S> md5 {
S> }
S> #Skip
S> ## EAP-TLS is highly experimental EAP-Type at the moment.
S> # Please give feedback on the mailing list.
S> #tls {
S> # private_key_password = password
S> # private_key_file = /path/filename
S> mschap {
S> # Location of the SAMBA passwd file
S> # passwd = /etc/smbpasswd
S> # authtype value, if present, will be used
S> # to overwrite (or add) Auth-Type during
S> # authorization. Normally should be MS-CHAP
S> authtype = MS-CHAP

--
~/ZARAZA
Troubles will begin at eight. (Twain)

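Why the reply above holds, as an added example that is not part of the original thread: an EAP-MD5 (CHAP-style) response is MD5(identifier || password || challenge), so a server that stores only a salted one-way hash can check a PAP password but cannot recompute the response. PBKDF2 stands in for crypt(3) here, and the password, salt, challenge and class names are constructed assumptions.

```python
import hashlib
import hmac


def md5_challenge_response(identifier, secret, challenge):
    """EAP-MD5 / CHAP response value (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def one_way_hash(password, salt):
    """Stand-in for crypt(3). Assumption: PBKDF2-SHA256 replaces the real
    /etc/shadow algorithm; any salted one-way hash behaves the same here."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1000)


class HashOnlyStore:
    """What a server reading /etc/shadow holds: salt and hash, never the password."""

    def __init__(self, password, salt):
        self.salt = salt
        self.hash = one_way_hash(password, salt)

    def check_pap(self, submitted_password):
        # PAP hands the server the password itself, so it can be re-hashed
        # with the stored salt and compared.
        candidate = one_way_hash(submitted_password, self.salt)
        return hmac.compare_digest(candidate, self.hash)

    def check_eap_md5(self, identifier, challenge, response):
        # The peer computed the response over the cleartext password. The only
        # secret material available here is the hash, and
        # MD5(id || hash || challenge) is a different value.
        expected = md5_challenge_response(identifier, self.hash, challenge)
        return hmac.compare_digest(expected, response)


class CleartextStore:
    """What EAP-MD5 needs on the server side: the password itself."""

    def __init__(self, password):
        self.password = password

    def check_eap_md5(self, identifier, challenge, response):
        expected = md5_challenge_response(identifier, self.password, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange():
    """Run one PAP check and three EAP-MD5 checks with constructed values."""
    password = b"correct horse"                       # constructed
    salt = bytes.fromhex("a1b2c3d4e5f60718")          # constructed
    identifier = 7                                    # EAP/CHAP identifier octet
    challenge = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed

    # Peer (supplicant) side: knows the cleartext password.
    response = md5_challenge_response(identifier, password, challenge)
    wrong = md5_challenge_response(identifier, b"wrong guess", challenge)

    hashed = HashOnlyStore(password, salt)
    clear = CleartextStore(password)
    return {
        "pap_against_hash_store": hashed.check_pap(password),
        "eap_md5_against_hash_store": hashed.check_eap_md5(identifier, challenge, response),
        "eap_md5_against_cleartext_store": clear.check_eap_md5(identifier, challenge, response),
        "eap_md5_wrong_password": clear.check_eap_md5(identifier, challenge, wrong),
    }


if __name__ == "__main__":
    for name, ok in run_exchange().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```
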
How to use unix /etc/passwd to authenticate users through AP ?
Hi:

I want to use unix account (/etc/passwd) to authenticate users. But I don't know how to generate packets with [Auth-Type := System] from user.

This is my configuration files:

-- radiusd.conf
unix {
    #.
    # Cache /etc/passwd, /etc/shadow, and /etc/group
    # allowed values: {no, yes}
    cache = yes
    #
    # Reload the cache every 600 seconds (10mins). 0 to disable.
    cache_reload = 600
    #.
    # This is required for some systems, like FreeBSD,
    # and Mac OSX.
    #
    passwd = /etc/passwd
    shadow = /etc/shadow
    group = /etc/group
    #...
    radwtmp = ${logdir}/radwtmp
}

- users-
DEFAULT Auth-Type := System
    Fall-Through = Yes

Users are mobile nodes and a NAS is an AP in our testbed.

Please help me. Thanks a lot!

Tim Liu
Regards

Re: Re[2]: Problem: authenticate with /etc/passwd users
Hi, firstly thanks your quick response. :-)

- Original Message -
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Sarick" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, November 25, 2002 6:50 PM
Subject: Re[2]: Problem: authenticate with /etc/passwd users

> Dear Sarick,
>
> In your case problem is you try to use crypted passwords with EAP/md5.
> For EAP/md5 you need cleartext password.
>

So, what should I do if I want to use the crypted passwords?
Should I make the rlm_passwd module?
How should I config it?

My ambition is to make a 802.1x authentication. Authentication messages from authenticating supplicant (client) be in EAP format (I use /EAP-MD5). And user-names and user-passwords can be derived from the /etc/passwd file. Therefore, I don't have to maintain the ./raddb/users file too constantly.

Below is my radiusd.conf for EAP section:--

# For all EAP related authentications
eap {
    # Invoke the default supported EAP type when
    # EAP-Identity response is received
    default_eap_type = md5
    # Default expiry time to clean the EAP list,
    # It is maintained to co-relate the
    # EAP-response for each EAP-request sent.
    timer_expire = 60
    # Supported EAP-types
    md5 {
    }
    #Skip
    ## EAP-TLS is highly experimental EAP-Type at the moment.
    # Please give feedback on the mailing list.
    #tls {
    # private_key_password = password
    # private_key_file = /path/filename
mschap {
    # Location of the SAMBA passwd file
    # passwd = /etc/smbpasswd
    # authtype value, if present, will be used
    # to overwrite (or add) Auth-Type during
    # authorization. Normally should be MS-CHAP
    authtype = MS-CHAP

Re[2]: Problem: authenticate with /etc/passwd users
Dear Sarick,

In your case problem is you try to use crypted passwords with EAP/md5.
For EAP/md5 you need cleartext password.

--Monday, November 25, 2002, 1:30:10 PM, you wrote to [EMAIL PROTECTED]:

S> Hi:
S> I am using Linux RedHat 7.3.
S> Did I make the configuration wrong?
S> Regards
S> Sarick
S> - Original Message -
S> From: "3APA3A" <[EMAIL PROTECTED]>
S> To: "Sarick" <[EMAIL PROTECTED]>
S> Cc: <[EMAIL PROTECTED]>
S> Sent: Monday, November 25, 2002 6:15 PM
S> Subject: Re: Problem: authenticate with /etc/passwd users

>> Dear Sarick,
>>
>> If you use BSD style OS this configuration is incorrect.
>>
>> See doc/rlm_passwd on how to use password files in general case.
>>
>> --Monday, November 25, 2002, 1:01:18 PM, you wrote to [EMAIL PROTECTED]:
>>
>> S> Hi,
>> S> Since I want to allow the users in the /etc/passwd file to authenticate with
>> S> this radius server.
>> S> Below is my radiusd.conf:--
>> S> unix {
>> S> #.
>> S> # Cache /etc/passwd, /etc/shadow, and /etc/group
>> S> # allowed values: {no, yes}
>> S> cache = yes
>> S> #
>> S> # Reload the cache every 600 seconds (10mins). 0 to disable.
>> S> cache_reload = 600
>> S> #.
>> S> # This is required for some systems, like FreeBSD,
>> S> # and Mac OSX.
>> S> #
>> S> passwd = /etc/passwd
>> S> shadow = /etc/shadow
>> S> group = /etc/group
>> S> authenticate {
>> S> # password can be clear-text, or encrypted...
>> S> authtype PAP {
>> S> pap
>> S> }
>> S> # Most people want CHAP authentication...
>> S> authtype CHAP {
>> S> chap
>> S> }
>> S> # MSCHAP authentication.
>> S> authtype MS-CHAP {
>> S> mschap
>> S> }
>> S> # pam
>> S> # against /etc/passwd! See the FAQ for details.
>> S> #
>> S> unix
>> S>
>> S> Then, I try to authenticate the radius server, but failed with the following
>> S> messages:
>> S> --------
>> S> modcall: entering group authenticate
>> S> rlm_eap: Request found, released from the list
>> S> rlm_eap: EAP_TYPE - md5
>> S> rlm_eap: processing type md5
>> S> rlm_eap_md5: No password configured for this user
>> S> modcall[authenticate]: module "eap" returns invalid
>> S> modcall: group authenticate returns invalid
>> S> auth: Failed to validate the user.
>> S> ---
>> S> I did add the user in the /etc/passwd by "useradd" and "passwd" command.
>> S> Please help me. How can I solve this problem?
>> S> (I can successfully authenticate with the users in ./raddb/users.)
>> S> How can I authenticate the users in /etc/passwd?
>>
>> --
>> ~/ZARAZA
>> Smack the ENIACs in the face! (Lem)

--
~/ZARAZA
I won't need the sting (S. Lem)

Re: Problem: authenticate with /etc/passwd users
Hi:

I am using Linux RedHat 7.3.
Did I make the configuration wrong?

Regards
Sarick

- Original Message -
From: "3APA3A" <[EMAIL PROTECTED]>
To: "Sarick" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Monday, November 25, 2002 6:15 PM
Subject: Re: Problem: authenticate with /etc/passwd users

> Dear Sarick,
>
> If you use BSD style OS this configuration is incorrect.
>
> See doc/rlm_passwd on how to use password files in general case.
>
> --Monday, November 25, 2002, 1:01:18 PM, you wrote to [EMAIL PROTECTED]:
>
> S> Hi,
> S> Since I want to allow the users in the /etc/passwd file to authenticate with
> S> this radius server.
> S> Below is my radiusd.conf:--
> S> unix {
> S> #.
> S> # Cache /etc/passwd, /etc/shadow, and /etc/group
> S> # allowed values: {no, yes}
> S> cache = yes
> S> #
> S> # Reload the cache every 600 seconds (10mins). 0 to disable.
> S> cache_reload = 600
> S> #.
> S> # This is required for some systems, like FreeBSD,
> S> # and Mac OSX.
> S> #
> S> passwd = /etc/passwd
> S> shadow = /etc/shadow
> S> group = /etc/group
> S> authenticate {
> S> # password can be clear-text, or encrypted...
> S> authtype PAP {
> S> pap
> S> }
> S> # Most people want CHAP authentication...
> S> authtype CHAP {
> S> chap
> S> }
> S> # MSCHAP authentication.
> S> authtype MS-CHAP {
> S> mschap
> S> }
> S> # pam
> S> # against /etc/passwd! See the FAQ for details.
> S> #
> S> unix
> S>
> S> Then, I try to authenticate the radius server, but failed with the following
> S> messages:
> S>
> S> modcall: entering group authenticate
> S> rlm_eap: Request found, released from the list
> S> rlm_eap: EAP_TYPE - md5
> S> rlm_eap: processing type md5
> S> rlm_eap_md5: No password configured for this user
> S> modcall[authenticate]: module "eap" returns invalid
> S> modcall: group authenticate returns invalid
> S> auth: Failed to validate the user.
> S> ---
> S> I did add the user in the /etc/passwd by "useradd" and "passwd" command.
> S> Please help me. How can I solve this problem?
> S> (I can successfully authenticate with the users in ./raddb/users.)
> S> How can I authenticate the users in /etc/passwd?
>
> --
> ~/ZARAZA
> Smack the ENIACs in the face! (Lem)

Re: Problem: authenticate with /etc/passwd users
Dear Sarick,

If you use BSD style OS this configuration is incorrect.

See doc/rlm_passwd on how to use password files in general case.

--Monday, November 25, 2002, 1:01:18 PM, you wrote to [EMAIL PROTECTED]:

S> Hi,
S> Since I want to allow the users in the /etc/passwd file to authenticate with
S> this radius server.
S> Below is my radiusd.conf:--
S> unix {
S> #.
S> # Cache /etc/passwd, /etc/shadow, and /etc/group
S> # allowed values: {no, yes}
S> cache = yes
S> #
S> # Reload the cache every 600 seconds (10mins). 0 to disable.
S> cache_reload = 600
S> #.
S> # This is required for some systems, like FreeBSD,
S> # and Mac OSX.
S> #
S> passwd = /etc/passwd
S> shadow = /etc/shadow
S> group = /etc/group
S> authenticate {
S> # password can be clear-text, or encrypted...
S> authtype PAP {
S> pap
S> }
S> # Most people want CHAP authentication...
S> authtype CHAP {
S> chap
S> }
S> # MSCHAP authentication.
S> authtype MS-CHAP {
S> mschap
S> }
S> # pam
S> # against /etc/passwd! See the FAQ for details.
S> #
S> unix
S>
S> Then, I try to authenticate the radius server, but failed with the following
S> messages:
S>
S> modcall: entering group authenticate
S> rlm_eap: Request found, released from the list
S> rlm_eap: EAP_TYPE - md5
S> rlm_eap: processing type md5
S> rlm_eap_md5: No password configured for this user
S> modcall[authenticate]: module "eap" returns invalid
S> modcall: group authenticate returns invalid
S> auth: Failed to validate the user.
S> ---
S> I did add the user in the /etc/passwd by "useradd" and "passwd" command.
S> Please help me. How can I solve this problem?
S> (I can successfully authenticate with the users in ./raddb/users.)
S> How can I authenticate the users in /etc/passwd?

--
~/ZARAZA
Smack the ENIACs in the face! (Lem)

Problem: authenticate with /etc/passwd users
Hi,

Since I want to allow the users in the /etc/passwd file to authenticate with this radius server.

Below is my radiusd.conf:--

unix {
    #.
    # Cache /etc/passwd, /etc/shadow, and /etc/group
    # allowed values: {no, yes}
    cache = yes
    #
    # Reload the cache every 600 seconds (10mins). 0 to disable.
    cache_reload = 600
    #.
    # This is required for some systems, like FreeBSD,
    # and Mac OSX.
    #
    passwd = /etc/passwd
    shadow = /etc/shadow
    group = /etc/group
authenticate {
    # password can be clear-text, or encrypted...
    authtype PAP {
        pap
    }
    # Most people want CHAP authentication...
    authtype CHAP {
        chap
    }
    # MSCHAP authentication.
    authtype MS-CHAP {
        mschap
    }
    # pam
    # against /etc/passwd! See the FAQ for details.
    #
    unix

Then, I try to authenticate the radius server, but failed with the following messages:

modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - md5
rlm_eap: processing type md5
rlm_eap_md5: No password configured for this user
modcall[authenticate]: module "eap" returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
---

I did add the user in the /etc/passwd by "useradd" and "passwd" command.
Please help me. How can I solve this problem?
(I can successfully authenticate with the users in ./raddb/users.)
How can I authenticate the users in /etc/passwd?

Re: User/passwd in the log : SOLVED
Ok it's fine. Thanks for all.

Jonathan Hassell wrote:
> In radiusd.conf, set log_auth_goodpass to no.
>
> Also, check http://www.theradiusbook.com for the sample chapter, which lists most of the configuration directives inside radiusd.conf (including this query). You might do well to become familiar with it.
>
> Jonathan Hassell
>
> Jean-Paul Chapalain wrote:
> > I don't see anything in radiusd.conf about logging user/passwd.
> > In the Usage of radiusd there are two options about this, '-y' and '-z', but I don't use them.
> >
> > Usage: radiusd [-a acct_dir] [-d db_dir] [-l log_dir] [-i address] [-p port] [-AcfnsSvXxyz]
> > Options:
> >   -a acct_dir   use accounting directory 'acct_dir'.
> >   -A            Log auth detail.
> >   -d db_dir     Use database directory 'db_dir'.
> >   -f            Run as a foreground process, not a daemon.
> >   -h            Print this help message.
> >   -i address    Listen only in the given IP address.
> >   -l log_dir    Log messages to 'log_dir'. Special values are:
> >                 stdout == log all messages to standard output.
> >                 syslog == log all messages to the system logger.
> >   -p port       Bind to 'port', and not to the radius/udp, or 1646/udp.
> >   -s            Do not spawn child processes to handle requests.
> >   -S            Log stripped names.
> >   -v            Print server version information.
> >   -X            Turn on full debugging. (Means: -sfxxyz -l stdout)
> >   -x            Turn on partial debugging. (-xx gives more debugging).
> >   -y            Log authentication failures, with password.
> >   -z            Log authentication successes, with password.
> >
> > Regards.
> >
> > Mattt wrote:
> > > On Thu, 2002-10-17 at 23:50, Jean-Paul Chapalain wrote:
> > > > Hi all,
> > > > I've a problem with log because there is Usr/passwd in the log.
> > >
> > > Wow ('wow' backwards, even) - you must win some sorta prize for that one...
> > > Did you even know there's a config file?
> > > Hint: /path/to/radiusd.conf
> > > There's *no* chance of me telling you which config variables :-/

--
* Jean-Paul Chapalain - Reseaux et Systemes Distribues *
* Groupement Informatique Credit Mutuel *
* Tel : +33 298002873 Fax : +33 298284005 *
* mailto : [EMAIL PROTECTED] *

Re: User/passwd in the log
Jean-Paul Chapalain <[EMAIL PROTECTED]> wrote:
> I don't see anything in radiusd.conf about logging user/passwd.

Then read it again. Try reading the 'radiusd.conf' file BEFORE you install it, as you may have an old version already installed.

> In the Usage of radiusd there are two options about this, '-y' and '-z', but I
> don't use them.

Then you've got them enabled in the configuration file.

Alan DeKok.

Re: User/passwd in the log
In radiusd.conf, set log_auth_goodpass to no.

Also, check http://www.theradiusbook.com for the sample chapter, which lists most of the configuration directives inside radiusd.conf (including this query). You might do well to become familiar with it.

Jonathan Hassell

Jean-Paul Chapalain wrote:
> I don't see anything in radiusd.conf about logging user/passwd.
> In the Usage of radiusd there are two options about this, '-y' and '-z', but I don't use them.
>
> Usage: radiusd [-a acct_dir] [-d db_dir] [-l log_dir] [-i address] [-p port] [-AcfnsSvXxyz]
> Options:
>   -a acct_dir   use accounting directory 'acct_dir'.
>   -A            Log auth detail.
>   -d db_dir     Use database directory 'db_dir'.
>   -f            Run as a foreground process, not a daemon.
>   -h            Print this help message.
>   -i address    Listen only in the given IP address.
>   -l log_dir    Log messages to 'log_dir'. Special values are:
>                 stdout == log all messages to standard output.
>                 syslog == log all messages to the system logger.
>   -p port       Bind to 'port', and not to the radius/udp, or 1646/udp.
>   -s            Do not spawn child processes to handle requests.
>   -S            Log stripped names.
>   -v            Print server version information.
>   -X            Turn on full debugging. (Means: -sfxxyz -l stdout)
>   -x            Turn on partial debugging. (-xx gives more debugging).
>   -y            Log authentication failures, with password.
>   -z            Log authentication successes, with password.
>
> Regards.
>
> Mattt wrote:
> > On Thu, 2002-10-17 at 23:50, Jean-Paul Chapalain wrote:
> > > Hi all,
> > > I've a problem with log because there is Usr/passwd in the log.
> >
> > Wow ('wow' backwards, even) - you must win some sorta prize for that one...
> > Did you even know there's a config file?
> > Hint: /path/to/radiusd.conf
> > There's *no* chance of me telling you which config variables :-/

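A check for the exposure discussed in this thread, as an added example that is not part of the original posts: it flags and redacts radius.log Auth lines that carry a password after the user name, and reports the password-logging settings found in a radiusd.conf text. The first two log lines are the ones quoted in the thread; the remaining log lines, the configuration text and the function names are constructed, and log_auth_badpass is the companion radiusd.conf setting for failed logins.

```python
import re

# Auth lines as shown in the thread:
#   <date> : Auth: Login OK: [user/password] (from client <nas> port <n> cli <id>)
# The credential part is matched greedily up to the last "] (from client" so a
# password that itself contains ']' is still covered in full.
AUTH_RE = re.compile(
    r"^(?P<prefix>.*?: Auth: (?P<result>Login OK|Login incorrect)[^\[]*\[)"
    r"(?P<cred>.*)"
    r"(?P<suffix>\] \(from client .*)$"
)

# Uncommented password-logging settings in radiusd.conf ('#' starts a comment).
SETTING_RE = re.compile(
    r"^\s*(log_auth_goodpass|log_auth_badpass)\s*=\s*(\S+)", re.MULTILINE
)


def scan_log(lines):
    """Return (findings, redacted_lines).

    findings is a list of (line_number, result, user) for every Auth line whose
    bracket holds "user/password". Everything after the FIRST '/' is redacted:
    a user name containing '/' is over-redacted, which is the safe direction.
    """
    findings, redacted = [], []
    for number, line in enumerate(lines, 1):
        match = AUTH_RE.match(line)
        if not match or "/" not in match["cred"]:
            redacted.append(line)
            continue
        user, _, _password = match["cred"].partition("/")
        findings.append((number, match["result"], user))
        redacted.append(f'{match["prefix"]}{user}/<redacted>{match["suffix"]}')
    return findings, redacted


def password_logging_settings(conf_text):
    """Map each password-logging setting present in conf_text to True if 'yes'."""
    return {name: value.lower() == "yes" for name, value in SETTING_RE.findall(conf_text)}


SAMPLE_LOG = [
    # The two lines quoted in the thread:
    "Thu Oct 17 15:04:18 2002 : Auth: Login OK: [foo/foopwd] (from client r-test port 66 cli 10.154.99.1)",
    "Thu Oct 17 15:04:26 2002 : Auth: Login OK: [$enab15$/superuser] (from client r-test port 66 cli 10.154.99.1)",
    # Constructed lines: a failure with a ']' in the password, a line without
    # a password, and a non-Auth line.
    "Thu Oct 17 15:05:02 2002 : Auth: Login incorrect: [bar/gu]ess] (from client r-test port 67 cli 10.154.99.1)",
    "Thu Oct 17 15:06:11 2002 : Auth: Login OK: [baz] (from client r-test port 68 cli 10.154.99.1)",
    "Thu Oct 17 15:06:12 2002 : Info: Ready to process requests.",
]

# Constructed configuration text reproducing the state the thread describes.
SAMPLE_CONF = """\
log_auth = yes
#log_auth_goodpass = no
log_auth_badpass = no
log_auth_goodpass = yes
"""

if __name__ == "__main__":
    found, cleaned = scan_log(SAMPLE_LOG)
    for number, result, user in found:
        print(f"line {number}: password logged for user {user!r} ({result})")
    print("\n".join(cleaned))
    print(password_logging_settings(SAMPLE_CONF))
```
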
Re: User/passwd in the log
I don't see anything in radiusd.conf about logging user/passwd.
In the Usage of radiusd there are two options about this, '-y' and '-z', but I don't use them.

Usage: radiusd [-a acct_dir] [-d db_dir] [-l log_dir] [-i address] [-p port] [-AcfnsSvXxyz]
Options:
  -a acct_dir   use accounting directory 'acct_dir'.
  -A            Log auth detail.
  -d db_dir     Use database directory 'db_dir'.
  -f            Run as a foreground process, not a daemon.
  -h            Print this help message.
  -i address    Listen only in the given IP address.
  -l log_dir    Log messages to 'log_dir'. Special values are:
                stdout == log all messages to standard output.
                syslog == log all messages to the system logger.
  -p port       Bind to 'port', and not to the radius/udp, or 1646/udp.
  -s            Do not spawn child processes to handle requests.
  -S            Log stripped names.
  -v            Print server version information.
  -X            Turn on full debugging. (Means: -sfxxyz -l stdout)
  -x            Turn on partial debugging. (-xx gives more debugging).
  -y            Log authentication failures, with password.
  -z            Log authentication successes, with password.

Regards.

Mattt wrote:
> On Thu, 2002-10-17 at 23:50, Jean-Paul Chapalain wrote:
> > Hi all,
> > I've a problem with log because there is Usr/passwd in the log.
>
> Wow ('wow' backwards, even) - you must win some sorta prize for that one...
> Did you even know there's a config file?
> Hint: /path/to/radiusd.conf
> There's *no* chance of me telling you which config variables :-/

--
* Jean-Paul Chapalain - Reseaux et Systemes Distribues *
* Groupement Informatique Credit Mutuel *
* Tel : +33 298002873 Fax : +33 298284005 *
* mailto : [EMAIL PROTECTED] *

User/passwd in the log
Hi all,

I've a problem with log because there is Usr/passwd in the log.

When I start radiusd like this:

/opt/freeradius/sbin/radiusd&

In radius.log:

Thu Oct 17 15:04:18 2002 : Auth: Login OK: [foo/foopwd] (from client r-test port 66 cli 10.154.99.1)
Thu Oct 17 15:04:26 2002 : Auth: Login OK: [$enab15$/superuser] (from client r-test port 66 cli 10.154.99.1)

It's important for me to suppress this information of the log.

Thanks for help.

--
* Jean-Paul Chapalain - Reseaux et Systemes Distribues *
* Groupement Informatique Credit Mutuel *
* Tel : +33 298002873 Fax : +33 298284005 *
* mailto : [EMAIL PROTECTED] *

Re: User/passwd in the log
On Thu, 2002-10-17 at 23:50, Jean-Paul Chapalain wrote:
> Hi all,
>
> I've a problem with log because there is Usr/passwd in the log.

Wow ('wow' backwards, even) - you must win some sorta prize for that one...

Did you even know there's a config file?

Hint: /path/to/radiusd.conf

There's *no* chance of me telling you which config variables :-/

--
Cheers,
Mattt.

icq : 117539757    aboveNetworks    www : www.above.nq4u.net
[EMAIL PROTECTED]    jabber: [EMAIL PROTECTED]
What's got four legs and an arm? A happy Pit Bull...

Re: Cache /etc/passwd, /etc/shadow, and /etc/group
Kevin,

Thanks this works well.

Thanks again,
Ken Rea

On Thu, 10 Oct 2002, Kevin Bonner wrote:
> In the unix section of radiusd.conf, try the following:
>
> cache = yes
> password = /path/to/passwd
> shadow = /path/to/passwd
>
> If your passwd file contains encrypted passwords (i.e. no shadow file), then
> using the above should allow you to cache the data. We are currently using
> this method to allow different realms to have their own passwd files, and
> just assigning different Auth-Type's depending on the realm. We'll be moving
> to SQL auth shortly, but for the time being, this is working quite well for
> us.
>
> Kevin
Re: Cache /etc/passwd, /etc/shadow, and /etc/group
On Thursday 10 October 2002 13:27, User for Free Radius mail list wrote:
> On Thu, 10 Oct 2002, 3APA3A wrote:
> > passwd file doesn't contain any passwords or hashes, so it's useless
> > without shadow.
>
> If you do not use shadow passwords it does keep encrypted passwords in the
> passwd file. Check your man pages "man 5 passwd" and you will see the
> second field "Optional encrypted password". This is the way it was long
> before shadow passwords came about. The reason we do not use shadow
> passwords on this server is beyond the scope of this email.
>
> It would be nice to be able to cache this data for quick lookup.
>
> Thanks,
>
> Ken Rea

In the unix section of radiusd.conf, try the following:

cache = yes
password = /path/to/passwd
shadow = /path/to/passwd

If your passwd file contains encrypted passwords (i.e. no shadow file), then using the above should allow you to cache the data. We are currently using this method to allow different realms to have their own passwd files, and just assigning different Auth-Type's depending on the realm. We'll be moving to SQL auth shortly, but for the time being, this is working quite well for us.

Kevin
Re: Cache /etc/passwd, /etc/shadow, and /etc/group
On Thu, 10 Oct 2002, 3APA3A wrote:
>
> passwd file doesn't contain any passwords or hashes, so it's useless
> without shadow.

If you do not use shadow passwords it does keep encrypted passwords in the passwd file. Check your man pages "man 5 passwd" and you will see the second field "Optional encrypted password". This is the way it was long before shadow passwords came about. The reason we do not use shadow passwords on this server is beyond the scope of this email.

It would be nice to be able to cache this data for quick lookup.

Thanks,

Ken Rea
Re: Cache /etc/passwd, /etc/shadow, and /etc/group
User for Free Radius mail list <[EMAIL PROTECTED]> wrote:
> In the radiusd.conf file:
> The "Cache" setup does not work if you do not use shadow passwords. If the
> "shadow" line is left at the default value: (ie commented out)

Yes... your system has shadow passwords, so if you want to cache them, you've got to read the shadow password file. Where, exactly, did you expect the cached passwords to be read from? Not all systems have fgetpwent()...

> If you say "no" to the "cache" option:
..
> It loads up just fine.

Of course. Because it doesn't cache the passwords, it can use getpwent() to get the password, which is a system call which knows where the password files are located.

> Is there something I'm missing or is the the default behavior of this
> setup?

Some knowledge of how Unix systems are set up should help.

Alan DeKok.
Re: Cache /etc/passwd, /etc/shadow, and /etc/group
Dear User for Free Radius mail list,

passwd file doesn't contain any passwords or hashes, so it's useless without shadow. If you store your passwords in plain text file format different from linux passwd/shadow files consider using the rlm_passwd module. See doc/rlm_passwd.

--Thursday, October 10, 2002, 5:11:15 AM, you wrote to [EMAIL PROTECTED]:

UfFRml> System = Linux with kernel 2.4.18
UfFRml> In the radiusd.conf file:
UfFRml> The "Cache" setup does not work if you do not use shadow passwords. If the
UfFRml> "shadow" line is left at the default value: (ie commented out)
UfFRml> To force the module to use the system password functions,
UfFRml> # instead of reading the files, comment out the 'passwd'
UfFRml> # and 'shadow' configuration entries. This is required
UfFRml> # for some systems, like FreeBSD.
UfFRml> #
UfFRml> passwd = /etc/passwd
UfFRml> # shadow = /etc/shadow
UfFRml> Then you will get an error:
UfFRml> Wed Oct 9 17:51:06 2002 : Info: HASH: Reinitializing hash structures
UfFRml> and lists for caching...
UfFRml> Wed Oct 9 17:51:06 2002 : Error: rlm_unix: You MUST specify a shadow
UfFRml> password file!
UfFRml> Wed Oct 9 17:51:06 2002 : Error: HASH: unable to create user hash table.
UfFRml> disable caching and run debugs
UfFRml> Wed Oct 9 17:51:06 2002 : Error: radiusd.conf[462]: unix: Module
UfFRml> instantiation failed.
UfFRml> If you say "no" to the "cache" option:
UfFRml> # For FreeBSD, you do NOT want to enable the cache,
UfFRml> # as it's password lookups are done via a database.
UfFRml> #
UfFRml> # allowed values: {no, yes}
UfFRml> cache = no
UfFRml> It loads up just fine.
UfFRml> Is there something I'm missing or is the the default behavior of this
UfFRml> setup?
UfFRml> Thanks,
UfFRml> Ken Rea

--
~/ZARAZA
Thus this path is cheaper and easier to reach for one who is able to reach it. (Twain)
Re: Cache /etc/passwd, /etc/shadow, and /etc/group
I get similar behaviour with mine (FreeRadius 0.4 debian testing package, 2.4.18 kernel).

I just set a new box to auth against /etc/raddb/passwd and /etc/raddb/sahdow. The only way I could get it to work is with caching.

However, on the original radius server that the passwd and shadow file originate from, I have caching disabled, and am NOT specifying the location of the shadow file. And that is the only way I can get that box to work.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

- Original Message -
From: "User for Free Radius mail list" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, October 10, 2002 11:11 AM
Subject: Cache /etc/passwd, /etc/shadow, and /etc/group

> System = Linux with kernel 2.4.18
>
> In the radiusd.conf file:
> The "Cache" setup does not work if you do not use shadow passwords. If the
> "shadow" line is left at the default value: (ie commented out)
>
> To force the module to use the system password functions,
> # instead of reading the files, comment out the 'passwd'
> # and 'shadow' configuration entries. This is required
> # for some systems, like FreeBSD.
> #
> passwd = /etc/passwd
> # shadow = /etc/shadow
>
> Then you will get an error:
>
> Wed Oct 9 17:51:06 2002 : Info: HASH: Reinitializing hash structures
> and lists for caching...
> Wed Oct 9 17:51:06 2002 : Error: rlm_unix: You MUST specify a shadow
> password file!
> Wed Oct 9 17:51:06 2002 : Error: HASH: unable to create user hash table.
> disable caching and run debugs
> Wed Oct 9 17:51:06 2002 : Error: radiusd.conf[462]: unix: Module
> instantiation failed.
>
> If you say "no" to the "cache" option:
>
> # For FreeBSD, you do NOT want to enable the cache,
> # as it's password lookups are done via a database.
> #
> # allowed values: {no, yes}
> cache = no
>
> It loads up just fine.
>
> Is there something I'm missing or is the the default behavior of this
> setup?
>
> Thanks,
>
> Ken Rea
Cache /etc/passwd, /etc/shadow, and /etc/group
System = Linux with kernel 2.4.18

In the radiusd.conf file:
The "Cache" setup does not work if you do not use shadow passwords. If the "shadow" line is left at the default value: (ie commented out)

To force the module to use the system password functions,
# instead of reading the files, comment out the 'passwd'
# and 'shadow' configuration entries. This is required
# for some systems, like FreeBSD.
#
passwd = /etc/passwd
# shadow = /etc/shadow

Then you will get an error:

Wed Oct 9 17:51:06 2002 : Info: HASH: Reinitializing hash structures and lists for caching...
Wed Oct 9 17:51:06 2002 : Error: rlm_unix: You MUST specify a shadow password file!
Wed Oct 9 17:51:06 2002 : Error: HASH: unable to create user hash table. disable caching and run debugs
Wed Oct 9 17:51:06 2002 : Error: radiusd.conf[462]: unix: Module instantiation failed.

If you say "no" to the "cache" option:

# For FreeBSD, you do NOT want to enable the cache,
# as it's password lookups are done via a database.
#
# allowed values: {no, yes}
cache = no

It loads up just fine.

Is there something I'm missing or is the the default behavior of this setup?

Thanks,

Ken Rea
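The combinations of `cache`, `passwd` and `shadow` that this thread and the FreeBSD thread on this page report as failing can be checked before radiusd is started. The script below is an added example, not FreeRADIUS code: a small, hypothetical linter whose three rules are taken only from what the posters report, run over constructed `unix { }` blocks modelled on the configurations they quote.

```python
import re


def unix_settings(conf_text):
    """Return the uncommented key/value pairs of the first `unix { ... }` block."""
    settings, depth = {}, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if depth == 0:
            if re.match(r"unix\s*\{$", line):
                depth = 1
            continue
        if line.endswith("{"):  # nested section inside the block
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def check_unix_block(conf_text):
    """Return a list of (code, message) findings for the unix module settings."""
    s = unix_settings(conf_text)
    # The config comments quoted in the thread say the default is not to cache.
    cache = s.get("cache", "no") == "yes"
    passwd, shadow = s.get("passwd"), s.get("shadow")
    findings = []
    if cache and not shadow:
        findings.append((
            "cache-needs-shadow",
            'cache = yes with no shadow file: startup fails with '
            '"rlm_unix: You MUST specify a shadow password file!"',
        ))
    if cache and shadow and shadow == passwd:
        findings.append((
            "shadow-same-as-passwd",
            "shadow points at the passwd file: only valid when that file "
            "carries the password hashes in its second field",
        ))
    if any(p and p.endswith("master.passwd") for p in (passwd, shadow)):
        findings.append((
            "freebsd-master-passwd",
            "master.passwd referenced: per the FreeBSD thread, comment out "
            "passwd= and shadow= so the system getpw*() functions are used",
        ))
    return findings


# Constructed samples modelled on the configurations quoted on this page.
CACHE_WITHOUT_SHADOW = """
modules {
    unix {
        cache = yes
        passwd = /etc/passwd
        # shadow = /etc/shadow
    }
}
"""
HASHES_IN_PASSWD = """
unix {
    cache = yes
    passwd = /path/to/passwd
    shadow = /path/to/passwd
}
"""
FREEBSD_MASTER = """
unix {
    cache = no
    cache_reload = 600
    passwd = /etc/passwd
    shadow = /etc/master.passwd
    group = /etc/group
    radwtmp = ${logdir}/radwtmp
}
"""
SYSTEM_CALLS_ONLY = """
unix {
    cache = no
    # passwd = /etc/passwd
    # shadow = /etc/shadow
}
"""

if __name__ == "__main__":
    for name in ("CACHE_WITHOUT_SHADOW", "HASHES_IN_PASSWD",
                 "FREEBSD_MASTER", "SYSTEM_CALLS_ONLY"):
        for code, message in check_unix_block(globals()[name]) or [("ok", "no findings")]:
            print(f"{name}: {code}: {message}")
```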
Re: Passwd expiration
>Hi-
>
>We are experiencing problems configuring the "Password-Expiration"
>attribute using freeradius 0.6
>communicating with an Ascend MAX2012, TAOS 7.2.4.
>
>Is the "Password-Expiration" item supposed to be set
>as a check or reply item / Which device is validating
>the expiration, the radiusd or the nas?

The attribute is "Expiration" and is a check item.

>
>What operand should be used?
>
>Thanks a bunch in advance.
Passwd expiration
Hi-

We are experiencing problems configuring the "Password-Expiration" attribute using freeradius 0.6 communicating with an Ascend MAX2012, TAOS 7.2.4.

Is the "Password-Expiration" item supposed to be set as a check or reply item / Which device is validating the expiration, the radiusd or the nas?

What operand should be used?

Thanks a bunch in advance.

ralf

--
Dipl.-Ing. Ralf Korczykowski
Senior Consultant Systeme & Netze
ORDIX AG
Westernmauer 12-13
D-33098 Paderborn
Tel. 05251-1063-14
FAX. 05251-1063-99
Email: [EMAIL PROTECTED]
http://www.ordix.de
Re: specify shadow passwd file
Please read the comments in radiusd.conf:

# 'shadow' is commented out by default, because not all
# systems have shadow passwords.

Uncomment:
# shadow = /etc/shadow

-Shawn

On Thu, 18 Jul 2002, Augustine Tsai wrote:
> Hi,
>
> I have downloaded freeradius-0.6.
> I tried to run
> >radiusd -X -A
>
> and get the following message.
> >unix: cache=yes
> >unix: passwd = "/etc/passed"
> >unix: shadow = "(null)"
> .
> .
> HASH: Reinitializing hash structures and lists for caching...
> rlm_unix: you MUST specify a shadow password file!
> HASH: unable to create uses hash table. disable caching and run debugs
> radiusd.conf[426]: unix: Module instantiation failed.
>
> Do you have to configure the Radius server before you run the daemon?
> How to specify the shadow password file.
>
> Thanks in advance.
>
> Augustine
>
> Augustine Tsai, Ph.D
> Multimedia Communication Research
> Room 2D-443
> Lucent Technologies
> 600-700 Mountain Ave.
> Murray Hill, NJ 07974-0636
> tel: 908-582-6519
> fax: 908-582-3306
> [EMAIL PROTECTED]

Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.
Re: specify shadow passwd file
>Do you have to configure the Radius server before you run the daemon?

Nah; you can run the daemon any old time. Don't bother configuring it or reading the config or documentation files. They're there just to pad the download. You don't even have to bother compiling or untaring it to disk; just pipe the tar output to gcc and it'll run right in place!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Pinball is a way of life. My way!
Re: specify shadow passwd file
"Augustine Tsai" <[EMAIL PROTECTED]> wrote:
> HASH: unable to create uses hash table. disable caching and run debugs
> radiusd.conf[426]: unix: Module instantiation failed.
>
> Do you have to configure the Radius server before you run the daemon?

Uh... no, it reads your mind... Yeah, that's it...

> How to specify the shadow password file.

Read the configuration file?

Alan DeKok.
specify shadow passwd file
Hi,

I have downloaded freeradius-0.6.
I tried to run
>radiusd -X -A

and get the following message.
>unix: cache=yes
>unix: passwd = "/etc/passed"
>unix: shadow = "(null)"
.
.
HASH: Reinitializing hash structures and lists for caching...
rlm_unix: you MUST specify a shadow password file!
HASH: unable to create uses hash table. disable caching and run debugs
radiusd.conf[426]: unix: Module instantiation failed.

Do you have to configure the Radius server before you run the daemon?
How to specify the shadow password file.

Thanks in advance.

Augustine

Augustine Tsai, Ph.D
Multimedia Communication Research
Room 2D-443
Lucent Technologies
600-700 Mountain Ave.
Murray Hill, NJ 07974-0636
tel: 908-582-6519
fax: 908-582-3306
[EMAIL PROTECTED]
Re: /etc/passwd / System auth not working
Ah ... Thank you very much. That did the trick!

Mayhaps this should be added to the docs and/or the comments of the .conf file?

Cheers,
Tom

Roy Hooper wrote:
>Because FreeBSD doesn't support shadow passwords, if I remember the code
>correctly, you have to comment out passwd= and shadow= to get system password
>file authentication that uses master.passwd. The caching is unnecessary for
>the FreeBSD system password file as it is a berkeley DB file that drives the
>getpw*() functions.
>
>---
>Roy Hooper
>Project Manager & Senior UNIX Consultant
>Decisive Technologies, Inc.
>[EMAIL PROTECTED]
>
>- Original Message -
>From: "Thomas Keitel" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, March 12, 2002 8:23 PM
>Subject: Re: /etc/passwd / System auth not working
>
>>Hello Again,
>>
>>Everything in the config is stock except for:
>>
>>#
>># Cache /etc/passwd, /etc/shadow, and /etc/group
>>#
>># The default is to NOT cache them. However, caching them can
>># speed up system authentications by a substantial amount.
>>#
>># allowed values: {no, yes}
>>cache = no
>># Reload the cache every 600 seconds (10mins). 0 to disable.
>>cache_reload = 600
>>
>>#
>># Define the locations of the normal passwd, shadow, and
>># group files.
>>#
>># 'shadow' is commented out by default, because not all
>># systems have shadow passwords.
>>#
>>passwd = /etc/passwd
>>shadow = /etc/master.passwd
>>group = /etc/group
>>
>>#
>># Where the 'wtmp' file is located.
>># This will be moved to it's own module soon..
>>#
>>radwtmp = ${logdir}/radwtmp
>>}
>>
>>Switched to running radius as root, but is there a way to use system
>>auth w/o this? Perhaps running as username radius?
>>
>>Thanks,
>>
>>Tom
>>
>>Roy Hooper wrote:
>>
>>>Are you running the server as root?
>>>Are you running without passwd and shadow set in the unix configuration
>>>block?
>>>
>>>Why don't you post your config file, and then I'll peruse the code to see
>>>what might be getting in the way if it is not a config error.
>>>
>>>--
>>>Roy Hooper
>>>Project Manager & Senior UNIX Consultant
>>>Decisive Technologies Inc.
>>>
>>>- Original Message -
>>>From: "Thomas Keitel" <[EMAIL PROTECTED]>
>>>To: <[EMAIL PROTECTED]>
>>>Sent: Tuesday, March 12, 2002 6:14 PM
>>>Subject: /etc/passwd / System auth not working
>>>
>>>Hello All,
>>>
>>>New to the list. I have the faq and googled this to tears but, I am
>>>having a hard time getting freeradius .4 to correctly auth users against
>>>the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.
>>>
>>>Thanks,
>>>
>>>Tom
>>>
>>>radius.log:
>>>
>>>Message:Auth: rlm_unix : [jdoe]: invalid password
>>>Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)
>>>
>>>radiusd debug:
>>>
>>>modcall: entering group authorize
>>> modcall[authorize]: module "preprocess" returns ok
>>> modcall[authorize]: module "suffix" returns ok
>>> users: Matched DEFAULT at 145
>>> modcall[authorize]: module "files" returns ok
>>>modcall: group authorize returns ok
>>> rad_check_password: Found Auth-Type System
>>>auth: type "System"
>>>modcall: entering group authenticate
>>>rlm_unix: [jdoe]: invalid password
>>> modcall[authenticate]: module "unix" returns reject
>>>modcall: group authenticate returns reject
>>>auth: Failed to validate the user.
Re: /etc/passwd / System auth not working
Thomas Keitel <[EMAIL PROTECTED]> wrote:
> Mayhaps this should be added to the docs and/or the comments of the
> .conf file?

Done.

Alan DeKok.
Re: /etc/passwd / System auth not working
Because FreeBSD doesn't support shadow passwords, if I remember the code correctly, you have to comment out passwd= and shadow= to get system password file authentication that uses master.passwd. The caching is unnecessary for the FreeBSD system password file as it is a berkeley DB file that drives the getpw*() functions.

---
Roy Hooper
Project Manager & Senior UNIX Consultant
Decisive Technologies, Inc.
[EMAIL PROTECTED]

- Original Message -
From: "Thomas Keitel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 12, 2002 8:23 PM
Subject: Re: /etc/passwd / System auth not working

> Hello Again,
>
> Everything in the config is stock except for:
>
> #
> # Cache /etc/passwd, /etc/shadow, and /etc/group
> #
> # The default is to NOT cache them. However, caching them can
> # speed up system authentications by a substantial amount.
> #
> # allowed values: {no, yes}
> cache = no
> # Reload the cache every 600 seconds (10mins). 0 to disable.
> cache_reload = 600
>
> #
> # Define the locations of the normal passwd, shadow, and
> # group files.
> #
> # 'shadow' is commented out by default, because not all
> # systems have shadow passwords.
> #
> passwd = /etc/passwd
> shadow = /etc/master.passwd
> group = /etc/group
>
> #
> # Where the 'wtmp' file is located.
> # This will be moved to it's own module soon..
> #
> radwtmp = ${logdir}/radwtmp
> }
>
> Switched to running radius as root, but is there a way to use system
> auth w/o this? Perhaps running as username radius?
>
> Thanks,
>
> Tom
>
> Roy Hooper wrote:
>
> >Are you running the server as root?
> >Are you running without passwd and shadow set in the unix configuration
> >block?
> >
> >Why don't you post your config file, and then I'll peruse the code to see
> >what might be getting in the way if it is not a config error.
> >
> >--
> >Roy Hooper
> >Project Manager & Senior UNIX Consultant
> >Decisive Technologies Inc.
> >
> >- Original Message -
> >From: "Thomas Keitel" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Tuesday, March 12, 2002 6:14 PM
> >Subject: /etc/passwd / System auth not working
> >
> >Hello All,
> >
> >New to the list. I have the faq and googled this to tears but, I am
> >having a hard time getting freeradius .4 to correctly auth users against
> >the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.
> >
> >Thanks,
> >
> >Tom
> >
> >radius.log:
> >
> >Message:Auth: rlm_unix : [jdoe]: invalid password
> >Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)
> >
> >radiusd debug:
> >
> >modcall: entering group authorize
> > modcall[authorize]: module "preprocess" returns ok
> > modcall[authorize]: module "suffix" returns ok
> >users: Matched DEFAULT at 145
> > modcall[authorize]: module "files" returns ok
> >modcall: group authorize returns ok
> > rad_check_password: Found Auth-Type System
> >auth: type "System"
> >modcall: entering group authenticate
> >rlm_unix: [jdoe]: invalid password
> > modcall[authenticate]: module "unix" returns reject
> >modcall: group authenticate returns reject
> >auth: Failed to validate the user.
Re: /etc/passwd / System auth not working
I am now running the snapshot from the 14th with exactly the same results: Still broken. Keep the ideas rolling in because I'll probably try them all!

Cheers,
Tom

Alan DeKok wrote:
>Thomas Keitel <[EMAIL PROTECTED]> wrote:
>
>>I took Andrew's advice on the 'cache = yes' parameter, but no joy. I
>>have included the radiusd -X debug output for your perusal.
>
> Grab the latest CVS snapshot. It should work better...
>
> Alan DeKok.
Re: /etc/passwd / System auth not working
Thomas Keitel <[EMAIL PROTECTED]> wrote:
> I took Andrew's advice on the 'cache = yes' parameter, but no joy. I
> have included the radiusd -X debug output for your perusal.

Grab the latest CVS snapshot. It should work better...

Alan DeKok.
Re: /etc/passwd / System auth not working
Hello All,

I took Andrew's advice on the 'cache = yes' parameter, but no joy. I have included the radiusd -X debug output for your perusal.

Cheers,
Tom

Begin Debug Output --

ahost# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/log/radius/radiusd.pid"
main: user = "root"
main: group = "wheel"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = no
proxy: dead_time = 120
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System
unix: cache = yes
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/master.passwd"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
HASH: Reinitializing hash structures and lists for caching...
HASH: Stored 23 entries from /etc/passwd
HASH: Stored 30 entries from /etc/group
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host *removed*, id=72, length=64
User-Name = "jdoe"
Password = "*removed*"
Service-Type = 0
NAS-IP-Address = *removed*
NAS-Port = 1
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 145
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
HASH: user jdoe found in hashtable bucket 93595
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect: [jdoe] (from nas UNKNOWN-NAS port 1)
Sending Access-Reject of id 72 to *removed*
Finished request 0
Going to the next request

Andrew Tait wrote:
>Change it to cache = yes.
>
>There is a bug in the non-caching code.
>
>Andrew Tait
>System Administrator
>Country NetLink Pty, Ltd
>E-Mail: [EMAIL PROTECTED]
>WWW: http://www.cnl.com.au
>30 Bank St Cobram, VIC 3644, Australia
>Ph: +61 (03) 58 711 000
>Fax: +61 (03) 58 711 874
>
>"It's the smell! If there is such a thing." Agent Smith - The Matrix
>
>- Original Message -
>From: "Thomas Keitel" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECT
Re: /etc/passwd / System auth not working
Change it to cache = yes.

There is a bug in the non-caching code.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

"It's the smell! If there is such a thing." Agent Smith - The Matrix

- Original Message -
From: "Thomas Keitel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 13, 2002 12:23 PM
Subject: Re: /etc/passwd / System auth not working

> Hello Again,
>
> Everything in the config is stock except for:
>
> #
> # Cache /etc/passwd, /etc/shadow, and /etc/group
> #
> # The default is to NOT cache them. However, caching them can
> # speed up system authentications by a substantial amount.
> #
> # allowed values: {no, yes}
> cache = no
> # Reload the cache every 600 seconds (10mins). 0 to disable.
> cache_reload = 600
>
> #
> # Define the locations of the normal passwd, shadow, and
> # group files.
> #
> # 'shadow' is commented out by default, because not all
> # systems have shadow passwords.
> #
> passwd = /etc/passwd
> shadow = /etc/master.passwd
> group = /etc/group
>
> #
> # Where the 'wtmp' file is located.
> # This will be moved to it's own module soon..
> #
> radwtmp = ${logdir}/radwtmp
> }
>
> Switched to running radius as root, but is there a way to use system
> auth w/o this? Perhaps running as username radius?
>
> Thanks,
>
> Tom
>
> Roy Hooper wrote:
>
> >Are you running the server as root?
> >Are you running without passwd and shadow set in the unix configuration
> >block?
> >
> >Why don't you post your config file, and then I'll peruse the code to see
> >what might be getting in the way if it is not a config error.
> >
> >--
> >Roy Hooper
> >Project Manager & Senior UNIX Consultant
> >Decisive Technologies Inc.
> >
> >- Original Message -
> >From: "Thomas Keitel" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Sent: Tuesday, March 12, 2002 6:14 PM
> >Subject: /etc/passwd / System auth not working
> >
> >Hello All,
> >
> >New to the list. I have the faq and googled this to tears but, I am
> >having a hard time getting freeradius .4 to correctly auth users against
> >the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.
> >
> >Thanks,
> >
> >Tom
> >
> >radius.log:
> >
> >Message:Auth: rlm_unix : [jdoe]: invalid password
> >Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)
> >
> >radiusd debug:
> >
> >modcall: entering group authorize
> > modcall[authorize]: module "preprocess" returns ok
> > modcall[authorize]: module "suffix" returns ok
> >users: Matched DEFAULT at 145
> > modcall[authorize]: module "files" returns ok
> >modcall: group authorize returns ok
> > rad_check_password: Found Auth-Type System
> >auth: type "System"
> >modcall: entering group authenticate
> >rlm_unix: [jdoe]: invalid password
> > modcall[authenticate]: module "unix" returns reject
> >modcall: group authenticate returns reject
> >auth: Failed to validate the user.
Re: /etc/passwd / System auth not working
Hello Again,

Everything in the config is stock except for:

#
# Cache /etc/passwd, /etc/shadow, and /etc/group
#
# The default is to NOT cache them. However, caching them can
# speed up system authentications by a substantial amount.
#
# allowed values: {no, yes}
cache = no
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600

#
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
passwd = /etc/passwd
shadow = /etc/master.passwd
group = /etc/group

#
# Where the 'wtmp' file is located.
# This will be moved to it's own module soon..
#
radwtmp = ${logdir}/radwtmp
}

Switched to running radius as root, but is there a way to use system auth w/o this? Perhaps running as username radius?

Thanks,

Tom

Roy Hooper wrote:
>Are you running the server as root?
>Are you running without passwd and shadow set in the unix configuration
>block?
>
>Why don't you post your config file, and then I'll peruse the code to see
>what might be getting in the way if it is not a config error.
>
>--
>Roy Hooper
>Project Manager & Senior UNIX Consultant
>Decisive Technologies Inc.
>
>- Original Message -
>From: "Thomas Keitel" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, March 12, 2002 6:14 PM
>Subject: /etc/passwd / System auth not working
>
>Hello All,
>
>New to the list. I have the faq and googled this to tears but, I am
>having a hard time getting freeradius .4 to correctly auth users against
>the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.
>
>Thanks,
>
>Tom
>
>radius.log:
>
>Message:Auth: rlm_unix : [jdoe]: invalid password
>Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)
>
>radiusd debug:
>
>modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> modcall[authorize]: module "suffix" returns ok
>users: Matched DEFAULT at 145
> modcall[authorize]: module "files" returns ok
>modcall: group authorize returns ok
> rad_check_password: Found Auth-Type System
>auth: type "System"
>modcall: entering group authenticate
>rlm_unix: [jdoe]: invalid password
> modcall[authenticate]: module "unix" returns reject
>modcall: group authenticate returns reject
>auth: Failed to validate the user.
Re: /etc/passwd / System auth not working
Are you running the server as root?
Are you running without passwd and shadow set in the unix configuration block?

Why don't you post your config file, and then I'll peruse the code to see what might be getting in the way if it is not a config error.

--
Roy Hooper
Project Manager & Senior UNIX Consultant
Decisive Technologies Inc.

- Original Message -
From: "Thomas Keitel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 12, 2002 6:14 PM
Subject: /etc/passwd / System auth not working

Hello All,

New to the list. I have the faq and googled this to tears but, I am having a hard time getting freeradius .4 to correctly auth users against the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.

Thanks,

Tom

radius.log:

Message:Auth: rlm_unix : [jdoe]: invalid password
Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)

radiusd debug:

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 145
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [jdoe]: invalid password
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
/etc/passwd / System auth not working
Hello All,

New to the list. I have the faq and googled this to tears but, I am having a hard time getting freeradius .4 to correctly auth users against the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.

Thanks,

Tom

radius.log:

Message:Auth: rlm_unix : [jdoe]: invalid password
Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)

radiusd debug:

modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 145
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [jdoe]: invalid password
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Re: I can't authenticate using /etc/passwd file
Godfred Ofori-Som <[EMAIL PROTECTED]> wrote:
> Below is an extract
> of my user file and the result with radtest. what am i doing wrong
>
> DEFAULT Auth-Type += System
...
>
> DEFAULT AUTH-Type := sql,
...

Read 'man users' on the difference between '+=' and ':='

Alan DeKok.
I can't authenticate using /etc/passwd file
Hello,

I am new to radius but i have been able to set it up to work, the funny thing is i can authenticate with the passwd file if i don't have a Default entry point to sql. As soon as i do that i can authenticate users in mysql database but cannot authenticate users in passwd file. Below is an extract of my user file and the result with radtest. what am i doing wrong

DEFAULT Auth-Type += System
        Fall-Through = Yes

DEFAULT AUTH-Type := sql, Simultaneous-Use := 1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 1500,
        Fall-Through = Yes

user in passwd file
===================
bash-2.03# radtest nana nana mantse-1 1645 qwer
Sending Access-Request of id 146 to 196.3.64.39:1645
        User-Name = "nana"
        Password = "\263\252\002UV\310\201<\010w8Y\323\350\244i"
        NAS-IP-Address = mantse-1
        NAS-Port-Id = "1645"
rad_recv: Access-Reject packet from host 196.3.64.39:1645, id=146, length=20

user in mysql database
======================
bash-2.03# radtest fredf wilma mantse-1 1645 qwer
Sending Access-Request of id 151 to 196.3.64.39:1645
        User-Name = "fredf"
        Password = "\377\027\273\033_\324\rU\204\032\001\210\025\353\013u"
        NAS-IP-Address = mantse-1
        NAS-Port-Id = "1645"
rad_recv: Access-Accept packet from host 196.3.64.39:1645, id=151, length=50
        Framed-Compression = Van-Jacobson-TCP-IP
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 1500
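A simplified model of the two operators named in the reply above, added here as an illustration (it is not code from the thread or from FreeRADIUS). It assumes the check-item behaviour described in users(5) and that attribute names compare case-insensitively; with the two DEFAULT entries from the post, ':=' in the second entry replaces the Auth-Type that the first entry added.

```python
# Simplified model of users-file check-item operators (assumption: behaviour
# as described in users(5); this is not FreeRADIUS source code).

def build_config_items(entries):
    """Apply matching entries top to bottom and return the config-item list.

    entries: list of (check_items, fall_through); check_items is a list of
    (attribute, operator, value) tuples taken from an entry's first line.
    """
    config = []  # ordered (attribute, value) pairs
    for check_items, fall_through in entries:
        for attr, op, value in check_items:
            name = attr.lower()  # assumption: names compare case-insensitively
            exists = any(a == name for a, _ in config)
            if op == ":=":    # replace every item of the same name
                config = [(a, v) for a, v in config if a != name]
                config.append((name, value))
            elif op == "+=":  # append to the tail, keep what is there
                config.append((name, value))
            elif op == "=":   # set only when no item of that name exists
                if not exists:
                    config.append((name, value))
            else:
                raise ValueError(f"unsupported operator {op!r}")
        if not fall_through:  # Fall-Through = Yes keeps processing entries
            break
    return config


def auth_types(entries):
    """Return every Auth-Type value left in the config items, in order."""
    return [v for a, v in build_config_items(entries) if a == "auth-type"]


def users_file(second_op):
    """The two DEFAULT entries from the post; second_op varies the operator."""
    return [
        ([("Auth-Type", "+=", "System")], True),
        ([("AUTH-Type", second_op, "sql"), ("Simultaneous-Use", ":=", "1")], True),
    ]


if __name__ == "__main__":
    for op in (":=", "+=", "="):
        print(f"second entry uses {op!r}: Auth-Type = {auth_types(users_file(op))}")
```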
Re: passwd
Lee W <[EMAIL PROTECTED]> wrote:
> Thanks for the timely responses. I'm 100% up and running
> now. However I would like to have a separate password file, be it
> PAM or System. Do both methods only use the system passwd with no
> other options?

I don't know about PAM, but rlm_unix has a 'passwd' configuration directive, which tells it where to get the password file from. See 'radiusd.conf'

Alan DeKok.
passwd
Hi all,

Thanks for the timely responses. I'm 100% up and running now. However I would like to have a separate password file, be it PAM or System. Do both methods only use the system passwd with no other options?

Lee

--
Lee Wolf
EMR Data Services
[EMAIL PROTECTED]
623-764-0870 cell
623-581-0842 voice
623-582-9499 fax

EMR Internet
A Serious Internet Experience
** 56K Dial-up ** DSL ** Web-hosting **
** Co-location ** T1s ** ISDN **
** High-Speed Fiber Backbone ** Linux powered **
** Custom Web Design ** Site Development **
** Search Engine Placement & Web Consultation **
Visit us at http://www.emr.net!
Ask about our reseller programs!
Re: auth by /etc/passwd
In article <003f01c1890a$3e83ae20$1191623f@eli>, NetlinkIP Sysadmin <[EMAIL PROTECTED]> wrote:
>How can I have freeradius (or cistron 1.6.5) do a check on /etc/passwd
>for the shell
>type?

Could you please post this to *one* list only, or at least Cc: it between lists? I've already answered your question on the cistron-radius list, but of course you can't see that on this list!

Mike.
--
"Don't worry about what anybody else is going to do ... The best way to predict the future is to invent it." -- Alan Kay.
auth by /etc/passwd
How can I have freeradius (or cistron 1.6.5) do a check on /etc/passwd for the shell type?

For Example: I need users of shell type /usr/bin/ppp to be able to auth via radius but NOT: /sbin/noservice

Any ideas?

BTW - Livingston 2.1 does this.

--Eli Chancey
--NetlinkIP Sysadmin - www.netlinkip.com
Re: Using a different passwd/shadow file?
On Tue, 2 Oct 2001 at 15:46 (-0300), Juan Carlos Castro y Castro wrote:

JCCyC> Could I specify more than 64K users in a passwd file with that? With
JCCyC> UIDs > 65536?

Not sure on that one. I haven't needed a passwd file quite that large before. I would think that it would work since I don't believe the code looks at UIDs, but I have not checked the code to verify this. If your operating system's fgetpwent() call supports larger UIDs then I think it should work with the caching turned off, but again I haven't tried it.

Michael

--
Michael J. Hartwick, VE3SLQ
[EMAIL PROTECTED]
Hartwick Communications Consulting
(519) 396-7719
Kincardine, ON, CA
http://www.hartwick.com
Re: Using a different passwd/shadow file?
Michael J. Hartwick wrote:

>On Tue, 2 Oct 2001 at 10:26 (-0400), [EMAIL PROTECTED] wrote:
>
>>Robert Divko <[EMAIL PROTECTED]> wrote:
>>
>>>How can I use a different passwd/shadow file combo
>>>than the system file for User Authentication in freeradius-02?
>>>
>> You can't. I don't think even the latest CVS snapshot allows for
>>that.
>>
>The current CVS allows you to specify a different passwd, shadow and
>group file. The group was made to work yesterday, but the rest had
>been working prior to that. I have been using that feature for a
>little while now. The group changes are still fairly new so may not
>be the most stable, but have been working in a production environment
>for close to 18 hours.
>

Could I specify more than 64K users in a passwd file with that? With UIDs > 65536?

--
Juan Carlos Castro y Castro | "Standing up to an evil system is
[EMAIL PROTECTED]           | exhilarating." -Richard Stallman
Rio de Janeiro - Brazil     | http://www.vialink.com.br/~jcastro
DC4DC #25                   | chmod a+x /bin/laden
Re: Using a different passwd/shadow file?
On Tue, 2 Oct 2001 at 10:26 (-0400), [EMAIL PROTECTED] wrote:

> Robert Divko <[EMAIL PROTECTED]> wrote:
> > How can I use a different passwd/shadow file combo
> > than the system file for User Authentication in freeradius-02?
>
> You can't. I don't think even the latest CVS snapshot allows for
> that.

The current CVS allows you to specify a different passwd, shadow and group file. The group was made to work yesterday, but the rest had been working prior to that. I have been using that feature for a little while now. The group changes are still fairly new so may not be the most stable, but have been working in a production environment for close to 18 hours.

Michael

--
Michael J. Hartwick, VE3SLQ
[EMAIL PROTECTED]
Hartwick Communications Consulting
(519) 396-7719
Kincardine, ON, CA
http://www.hartwick.com
Re: Using a different passwd/shadow file?
Robert Divko <[EMAIL PROTECTED]> wrote:
> How can I use a different passwd/shadow file combo
> than the system file for User Authentication in freeradius-02?

You can't. I don't think even the latest CVS snapshot allows for that. If you really are interested, file a bug report.

Alan DeKok.
Using a different passwd/shadow file?
How can I use a different passwd/shadow file combo than the system file for User Authentication in freeradius-02?

Ciao,
Robert Divko

Dr. Robert Divko, Kiem-Pauli-Weg 15, 83052 Bruckmühl
tel: 08062/79700, 0172/8337394, fax: 08062/79701
[EMAIL PROTECTED], [EMAIL PROTECTED]