user Passwd change

2003-11-10 Thread Hernández
Hi List.. I'm a new user of FreeRADIUS; two days ago I
installed a RADIUS server for my RAS clients. Now, my
doubt is... I want all new users to be able to change
their passwd at the first logon. How can I do that?

any comments?

kind regards
Mike




- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Importing /etc/passwd file to PostgreSQL DB

2003-10-21 Thread Ulrich Walcher
On Mon, 2003-10-20 at 18:46, Blevins Carol A wrote:
> I have freeradius 0.9.1 up and running using pgsql.  I would like to
> import /etc/passwd into the radius db.  I have manually entered a user
> into the radius db and have been able to authenticate the user fine, but
> am unclear as to how I can import the passwd file in the db.  Any help
> would be appreciated.  I have looked high and low on the mailing list and
> google.
>
> thanx
> Carol B.

How many users are present in /etc/passwd?
Either add them manually or write a script (which shouldn't be that hard
in perl).
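
The script suggested above, sketched in Python rather than Perl as an added example (not from the original thread or from FreeRADIUS). It assumes the stock `radcheck` layout (`UserName`, `Attribute`, `op`, `Value`), the `Crypt-Password` check attribute and a minimum UID of 500 for real users; the passwd/shadow lines are constructed, and sqlite3 stands in for PostgreSQL so the block runs offline.

```python
import sqlite3

# Constructed sample data; the hash strings are placeholders, not real crypt(3) output.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice Example:/home/alice:/bin/bash
bob:x:501:501:Bob Example:/home/bob:/bin/bash
carla:x:502:502:Carla Example:/home/carla:/bin/bash
o'neil:x:503:503:Quote Test:/home/oneil:/bin/bash
broken-line-without-fields
"""
SAMPLE_SHADOW = """\
root:$1$AAAAAAAA$constructedhash000000:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
alice:$1$BBBBBBBB$constructedhash000001:12000:0:99999:7:::
bob:!!:12000:0:99999:7:::
carla:!$1$CCCCCCCC$constructedhash000002:12000:0:99999:7:::
o'neil:$1$DDDDDDDD$constructedhash000003:12000:0:99999:7:::
"""


def parse_accounts(passwd_text, shadow_text, min_uid=500):
    """Return ([(username, crypt_hash)], {name_or_line: reason_skipped})."""
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]

    rows, skipped = [], {}
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            skipped[line] = "malformed passwd line"
            continue
        name, pw_field, uid = fields[0], fields[1], fields[2]
        # Assumption: accounts below min_uid are system accounts, not dial-in users.
        if not uid.isdigit() or int(uid) < min_uid:
            skipped[name] = "system account"
            continue
        # "x" means the hash lives in the shadow file.
        crypt_hash = shadow.get(name, "") if pw_field == "x" else pw_field
        # Empty, "*" or a leading "!" means no usable password or a locked account.
        if not crypt_hash or crypt_hash[0] in "!*":
            skipped[name] = "locked or no password"
            continue
        rows.append((name, crypt_hash))
    return rows, skipped


def import_to_radcheck(conn, rows):
    """Insert one Crypt-Password check item per user, using bound parameters."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS radcheck ("
        "id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT)"
    )
    # Bound parameters keep odd usernames (quotes, backslashes) from breaking the SQL.
    # A PostgreSQL driver would use its own placeholder style instead of "?".
    conn.executemany(
        "INSERT INTO radcheck (UserName, Attribute, op, Value) "
        "VALUES (?, 'Crypt-Password', ':=', ?)",
        rows,
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM radcheck").fetchone()[0]


def demo():
    rows, skipped = parse_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)
    conn = sqlite3.connect(":memory:")
    count = import_to_radcheck(conn, rows)
    stored = conn.execute(
        "SELECT UserName, Attribute, op, Value FROM radcheck ORDER BY id"
    ).fetchall()
    return count, stored, skipped


if __name__ == "__main__":
    count, stored, skipped = demo()
    print("imported:", count)
    for row in stored:
        print(row)
    for name, reason in skipped.items():
        print("skipped", name, "-", reason)
```

Rows imported this way carry crypt(3) hashes, so they can only be checked against PAP requests, and the database now needs the same protection as the shadow file.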





Importing /etc/passwd file to PostgreSQL DB

2003-10-20 Thread Blevins Carol A
I have freeradius 0.9.1 up and running using pgsql.  I would like to
import /etc/passwd into the radius db.  I have manually entered a user
into the radius db and have been able to authenticate the user fine, but
am unclear as to how I can import the passwd file in the db.  Any help
would be appreciated.  I have looked high and low on the mailing list and
google.

thanx
Carol B.



Apache + mod_auth_pam + pam_auth_radius does not work unless RADIUS user exists in local passwd file.

2003-09-18 Thread Torsten . Lange

Dear all,

I am trying to set up a reverse proxy with Apache 2.0.47 using mod_auth_pam.
PAM is configured to use pam_auth_radius in /etc/pam.d/httpd.
Users shall be authenticated against a remote RADIUS server using
pam_auth_radius.so.

The /etc/pam.d/httpd file contains:

auth required pam_auth_radius.so

This has worked wonderfully with Squid on other machines.

With Apache, the authentication is working fine if the RADIUS user exists
as a local user as well.
As soon as I want to authenticate a user that exists only on the remote
RADIUS server, the authentication fails.

In httpd.conf, I activated the PAM authentication by loading the module
mod_auth_pam.so and enabling it via

<Directory />
AllowOverride AuthConfig
AuthPAM_Enabled on
AuthName "RADIUS authentication"
AuthType basic
Require valid-user
</Directory>

Apache's error log says: invalid account:  User not known to the
underlying authentication module

What did I forget?

Any help would be highly appreciated since I'm completely stuck at this
point.

Thank you.






Re: Apache + mod_auth_pam + pam_auth_radius does not work unless RADIUS user exists in local passwd file.

2003-09-18 Thread Alan DeKok
[EMAIL PROTECTED] wrote:
> The /etc/pam.d/httpd file contains:
>
> auth required pam_auth_radius.so
>
> This has worked wonderfully with Squid on other machines.
>
> With Apache, the authentication is working fine if the RADIUS user exists
> as a local user as well.
...
> Require valid-user

  Don't do that.  valid-user means valid local user.

  Alan DeKok.



expire both in users and passwd

2003-03-03 Thread Bryan Koschmann - GKT
Hello,

I'm trying to figure out if there is a way to expire an account like so:

I have my users file, with a default entry that most users use (auth-type
system) so they authenticate via the passwd/shadow file. I have other
users with subnets or multiple logons that authenticate directly in the
users file. I would like it where I can have a corresponding entry in the
passwd/shadow file, and if that expires then the users entry is expired as
well.

Does this sound logical? Is it something simple that my mind just isn't
putting together the right way?

Thanks,

Bryan




Re: Different Called-Station-ID to different passwd files

2003-01-16 Thread Craig
On Friday 17 January 2003 05:08, Alan DeKok wrote:
> Craig [EMAIL PROTECTED] wrote:
> > I am trying to set up a single freeradius server (ver 0.8.1) in such
> > a way that when a person dials eg.
> >
> > phone-number-1 (for ISP1) they get authenticated against password-file-1,
> >
> > phone-number-2 (for ISP2) they get authenticated against password-file-2
> > etc.
> >
> > I don't want users to have to add a realm name to their login, unless
> > they are roaming, in which case it would need to work with that as
> > well.
>
>   Then your best bet is to *always* use realms.  Set up the realms
> file for roaming like you would do normally, then in the 'hints' file,
> do:
>
> DEFAULT   Called-Station-Id = 5551212
>   Realm = ISP-1
>
> DEFAULT   Called-Station-Id = 555
>   Realm = ISP-2
>
>
>   When they dial in to those numbers *without* a realm, then the realm
> information will be added by the 'hints' file.
>
>   Alan DeKok.



Thanks, that solves the phone number problem but I still don't know how to get 

Realm = ISP-1 to authenticate against password-file-1
Realm = ISP-2 to authenticate against password-file-2

In the radiusd.conf file I was thinking perhaps of using the passwd module, 
with a definition for each ISP like (haven't worked the format out yet)

passwd ISP1 {
    filename = /etc/password-file-1
    format = "*User-Name::LM-Password:UNIX-Password:SMB-Account-CTRL-TEXT::"
    authtype = PAP
    hashsize = 100

(I am uncertain of the hashsize behaviour. Does the hash ever refresh itself, 
or do you need to restart the server?)

    ignorenislike = no
    allowmultiplekeys = no
}


in the passwd module region and then defining each in the 

authorize { 
    preprocess
    chap
    mschap
    suffix
    files

    ISP1    (is this the right spot?)
    ISP2
}  

block. Will this work correctly? 


Also how do I set this up in the user file? Something like

DEFAULT Realm == ISP1,  Auth-Type := ISP1

Finally, is there a GUI for something like radclient? The O'Reilly Radius book 
suggested some windows program (NTRadPing), but I'm not running windows.





Different Called-Station-ID to different passwd files

2003-01-15 Thread Craig
Hi,

  I am trying to set up a single freeradius server (ver 0.8.1) in such a way 
that when a person dials eg.

phone-number-1 (for ISP1) they get authenticated against password-file-1, 
phone-number-2 (for ISP2) they get authenticated against password-file-2 
etc. 

I don't want users to have to add a realm name to their login, unless they are 
roaming, in which case it would need to work with that as well.
 
How could I set up such a server?

Craig.




MD5 passwd encryption (was Re: Error about:rlm_eap_md5)

2003-01-10 Thread Margrete Raaum
On Tue, 7 Jan 2003, Shawn Adams wrote:

> I guess my big disappointment is the user password is in clear text in
> the /etc/raddb/users.conf file. Which is just another administrative
> task to maintain.

We are migrating to LDAP. I am trying to get EAP/MD5 to work with LDAP.
Of course there are no clear text passwords in the LDAP base as that would
result in clear text passwords across the network, they are MD5-encrypted.
The passwords don't really have to be in clear text, do they?

Margrete






Re: MD5 passwd encryption (was Re: Error about:rlm_eap_md5)

2003-01-10 Thread Alan DeKok
Margrete Raaum [EMAIL PROTECTED] wrote:
> We are migrating to LDAP. I am trying to get EAP/MD5 to work with LDAP.
> Of course there are no clear text passwords in the LDAP base as that would
> result in clear text passwords across the network, they are MD5-encrypted.
> The passwords don't really have to be in clear text, do they?

  For EAP, yes, they do.

  The solution to passwords going across the network from your LDAP
server in clear-text is to encrypt the connection to the LDAP server.

  Alan DeKok.
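
Why the answer above is "yes", as an added sketch that is not part of the original post or of FreeRADIUS: the EAP-MD5 (CHAP-style) check needs the secret itself as input, while a PAP check can work from a stored hash. The `{MD5}` LDAP storage scheme stands in for the "MD5-encrypted" passwords mentioned in the question; the password, identifier and challenge are constructed.

```python
import base64
import hashlib
import hmac


def ldap_md5_hash(password: bytes) -> str:
    """LDAP-style {MD5} userPassword value: base64 of the raw MD5 digest."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()


def eap_md5_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """MD5-Challenge response, the same computation as CHAP (RFC 1994):
    MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def eap_md5_check(identifier: int, challenge: bytes, response: bytes,
                  stored_secret: bytes) -> bool:
    """Server side: recompute the response from whatever the user store holds."""
    expected = eap_md5_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_check(received_password: bytes, stored_hash: str) -> bool:
    """Server side for PAP: the password itself arrives, so it can be hashed
    and compared with the stored {MD5} value."""
    return hmac.compare_digest(ldap_md5_hash(received_password), stored_hash)


def demo() -> dict:
    password = b"correct horse"      # constructed user password
    identifier = 7                   # constructed EAP identifier
    challenge = bytes(range(16))     # constructed; a real server sends random bytes

    # What the supplicant sends back: it knows the cleartext password.
    response = eap_md5_response(identifier, password, challenge)

    stored_hash = ldap_md5_hash(password)          # what a hashed store holds
    raw_digest = hashlib.md5(password).digest()    # same hash, undecorated

    return {
        # Store holds the cleartext: the server can recompute the response.
        "eap_md5_cleartext_store": eap_md5_check(identifier, challenge, response, password),
        # Store holds only a hash: nothing the server has reproduces the response.
        "eap_md5_hash_store": eap_md5_check(identifier, challenge, response, stored_hash.encode()),
        "eap_md5_raw_digest_store": eap_md5_check(identifier, challenge, response, raw_digest),
        # PAP with the same hashed store works, because the password is delivered.
        "pap_hash_store": pap_check(password, stored_hash),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```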




/etc/passwd and users file

2002-12-13 Thread Bogdan Rosu

Ok, I'm new to this. I'm sitting here for the 2nd day with my teeth in
deep radius... compiled and installed on a Red Hat 6.1.
I've set up the database, also dial up admin..
In the past I've used radius + pgsql and some home made scripts
but that's history since postgres gave me a lot of headache.

What I have is an /etc/passwd full of users and an old radius user
file that looks like this:

acighi          Auth-Type = System
                Service-Type = Framed-User,
                Framed-Protocol = PPP

adriana.nebela  Auth-Type = System
                Service-Type = Framed-User,
                Framed-Protocol = PPP

adrianturcas    Auth-Type = System
                Service-Type = Framed-User,
                Framed-Protocol = PPP



I want to port all these users onto freeradius (latest),
and be able to account/manage them with dialup_admin + mysql.

What's the best way to approach this?
I've been failing at doing this...

thnx
Bogdan






Re: /etc/passwd and users file

2002-12-13 Thread Alan DeKok
Bogdan Rosu [EMAIL PROTECTED] wrote:
> Ok, I'm new to this. I'm sitting here for the 2nd day with my teeth in
> deep radius... compiled and installed on a Red Hat 6.1.
> I've set up the database, also dial up admin..
> In the past I've used radius + pgsql and some home made scripts
> but that's history since postgres gave me a lot of headache.

  If you're not familiar with RADIUS, then don't set up a complicated
configuration at the start.  Read the FAQ, follow the examples, and
work from there.

> What I have is an /etc/passwd full of users and an old radius user
> file that looks like this:
>
> acighi  Auth-Type = System
>         Service-Type = Framed-User,
>         Framed-Protocol = PPP

  That looks somewhat reasonable.

> What's the best way to approach this?
> I've been failing at doing this...

  And the output of debugging mode is... ?

  Alan DeKok.




Re: /etc/passwd and users file

2002-12-13 Thread Bogdan Rosu

Ok, I managed to get it on its feet. Now what I am asking is:
is there a way/script to add users with the dial_upadmin frontend
(username / pass) but then to have them in the users file as well
in the system's passwd/shadow so then I can use the System Auth?

Dunno if I spelled that correctly, or if it makes sense,
anyhow the script that comes with freeradius to add users
from the users file to mysql doesn't work for me :(.

Reason: 
inserting robcon into usergroup table as member of dynamic
DBD::mysql::db do failed: You have an error in your SQL syntax near
'`usergroup` SET `UserName`='robcon',`GroupName`='dynamic'' at line 1 at
./users2mysql.pl line 98, USERS chunk 837.
inserting  Simultaneous-Use, 1 for robcon in radcheck

...
Thnx
Bogdan





Re: /etc/passwd and users file

2002-12-13 Thread Alan DeKok
Bogdan Rosu [EMAIL PROTECTED] wrote:
> Ok, I managed to get it on its feet. Now what I am asking is:
> is there a way/script to add users with the dial_upadmin frontend
> (username / pass) but then to have them in the users file as well
> in the system's passwd/shadow so then I can use the System Auth?

  Huh?  If the users are listed in /etc/passwd, then you don't have to
add them to the 'users' file.

  Read the default 'users' file shipped with the server.  It
authenticates *anyone* in /etc/passwd.

  Alan DeKok.




Re: (2) Can LDAP be used to authenticate /etc/passwd ?

2002-12-05 Thread Artur Hecker
one more time: eap/md5 will not (can not) work with the information 
available in the /etc/passwd and shadow.



Sarick wrote:
> Hi,
> Thanks all of the advice. Now I know what LDAP does. :-)
> Basically, my ambition is to make a 802.1x EAP-MD5 authentication.
> And the users info required for authentication (i.e., username and passwd)
> can correspond to the accounts on my Linux server.
> Therefore, I won't need to key in all of the users info again but just
> obtained from Linux. (my original thought is to obtain from /etc/passwd and
> /etc/shadow)
> But I have no idea whether I can do it or how I can do it.
> Can I just convert the /etc/passwd and /etc/shadow into LDAP database? How?
> Or it is no way to do this?
>
> Sarick


--
Artur Hecker Groupe Accès et Mobilité
hecker[at]enst[dot]fr		  Département Informatique et Réseaux
+33 1 45 81 7507		46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr   ENST Paris




Re: (2) Can LDAP be used to authenticate /etc/passwd ?

2002-12-05 Thread Sarick
Hi Hecker,
I do know that EAP-MD5 is only capable of authenticating with plain text
info.
And now I know that to authenticate with the accounts on Linux server will
need additional database setup for users.
It is impossible to obtain user info from original Linux server.
Thanks

Sarick




Re: (2) Can LDAP be used to authenticate /etc/passwd ?

2002-12-05 Thread Simon White
05-Dec-02 at 20:23, Sarick ([EMAIL PROTECTED]) wrote :
> Hi Hecker,
> I do know that EAP-MD5 is only capable of authenticating with plain text
> info.
> And now I know that to authenticate with the accounts on Linux server will
> need additional database setup for users.
> It is impossible to obtain user info from original Linux server.

By copying /etc/passwd and /etc/shadow onto another machine with the
same password hash mechanism, you can have the users on another system.
Otherwise, you can get the usernames from the /etc/passwd file and you
have to recreate passwords. 

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread Sarick
Hi all,
Can the LDAP be used to authenticate a user whose username and password is
stored in /etc/passwd??
And can this authentication use EAP-MD5 ?

Regards
Sarick






Re: Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread Simon White
04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> Hi all,
> Can the LDAP be used to authenticate a user whose username and password is
> stored in /etc/passwd??

How is the LDAP server going to read the username in /etc/passwd?

Passwords are not stored in /etc/passwd, just usernames.
Passwords are usually in /etc/shadow, YMMV

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread jmc_cs


Hi Simon,
- Original Message -
From: Simon White [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 04, 2002 7:23 PM
Subject: Re: Can LDAP be used to authenticate /etc/passwd ?


> 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> > Hi all,
> > Can the LDAP be used to authenticate a user whose username and password is
> > stored in /etc/passwd??
>
> How is the LDAP server going to read the username in /etc/passwd?
>
> Passwords are not stored in /etc/passwd, just usernames.
> Passwords are usually in /etc/shadow, YMMV
yes. My question is, can I use LDAP to authenticate the users who having the
accounts on Linux , with EAP-MD5 authentication?
That is, to read the usernames from /etc/passwd  and passwords from
/etc/shadow.
How?

Sarick




Re: Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread Simon White
04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote :
> Hi Simon,
> - Original Message -
> From: Simon White [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Wednesday, December 04, 2002 7:23 PM
> Subject: Re: Can LDAP be used to authenticate /etc/passwd ?
>
> > 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
> > > Hi all,
> > > Can the LDAP be used to authenticate a user whose username and password is
> > > stored in /etc/passwd??
> >
> > How is the LDAP server going to read the username in /etc/passwd?
> >
> > Passwords are not stored in /etc/passwd, just usernames.
> > Passwords are usually in /etc/shadow, YMMV
> yes. My question is, can I use LDAP to authenticate the users who having the
> accounts on Linux , with EAP-MD5 authentication?
> That is, to read the usernames from /etc/passwd  and passwords from
> /etc/shadow.
> How?

You can't. You can store the hashes that are in shadow in LDAP probably.
I think, however, that your approach is probably wrong.

-- 
|-Simon White, Internet Services Manager, Certified Check Point CCSA.
|-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
|-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
|-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863




Re: Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread Evren Yurtesen
You can perhaps use some kind of script to transfer /etc/passwd and
/etc/shadow into LDAP and then use PAM to authenticate all your linux
users from LDAP database. Also when you add new users you can add to ldap
and create directories in linux (with a script perhaps).
This way you can get rid of the whole /etc/passwd and /etc/shadow files at
the same time so you don't have to deal with 2 things.
But then you should find a sendmail which is patched to support LDAP, PAM
etc. and your pop3, imap servers should support PAM or LDAP too; also all
your programs like apache etc. should somehow find users from LDAP.
I tried to do this once but then I thought what the hell, too much
work for having an LDAP database. FreeBSD already keeps users in DB so
this won't improve performance at all. That was also when I decided LDAP
sucks little bit =) Although it is easier to reach to a database like LDAP
or MySQL from anywhere you like.

Evren




Re:(2) Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread Evren Yurtesen
or actually if you can keep the /etc/passwd /etc/shadow synchronised with
LDAP that would also do the trick. Perhaps with a script you can convert
/etc/passwd /etc/shadow into LDAP or only the changed accounts etc. or
even synchronise the add/remove user functions both in LDAP and in system
files.

Evren




Re: radwho does not show nas short name + additional question about external passwd check

2002-12-04 Thread Alan DeKok
Kliment Toshkov [EMAIL PROTECTED] wrote:
> > Exec-Program-Wait should work...
> Well, it works fine and passes AV pairs exactly as before.

  Then I don't understand why the external check fails...

  Alan DeKok.




Re: Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread Alan DeKok
jmc_cs [EMAIL PROTECTED] wrote:
> yes. My question is, can I use LDAP to authenticate the users who having the
> accounts on Linux , with EAP-MD5 authentication?

  Your question makes no sense.  LDAP is a database.  It doesn't do
authentication.

> That is, to read the usernames from /etc/passwd  and passwords from
> /etc/shadow.

  Uh... the server comes configured to do that.  Did you try it?

  Alan DeKok.




Re: (2) Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread Artur Hecker
hi

evren: all that is useless - EAP-MD5 will need clear-text passwords.
/etc/passwd or shadow or whatsoever only stores a hash of it. it is not
going to work anyway.

a propos, sarick: the original question is a big strange mixture of
available incompatible techniques. you store your radius-related users
EITHER in the LDAP OR in the /etc/passwd OR somewhere else, and not just
somewhere. an LDAP database is NOT a text file which /etc/passwd
obviously is. and mind-bogglingly enough all this has nothing to do with
radius! and even more confusing: the EAP-MD5 is pretty much CHAP in its
centralized EAP form and CHAP needs clear-text passwords and exactly
those are actually hashed (=not clear-text) in the file you are talking
about.

what the hell do you want to do? 


ciao
artur


ps your question basically was: can i buy a cadillac that knows how to
drive a chevy? and can all this fly to the moon?




Evren Yurtesen wrote:
 
 or actually if you can keep the /etc/passwd /etc/shadow synchronised with
 LDAP that would also do the trick. Perhaps with a script you can convert
 /etc/passwd /etc/shadow into LDAP or only the changed accounts etc. or
 even synchronise the add/remove user functions both in LDAP and in system
 files.
 
 Evren
 
 On Wed, 4 Dec 2002, Simon White wrote:
 
  04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote :
  
  
   Hi Simon,
   - Original Message -
   From: Simon White [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Wednesday, December 04, 2002 7:23 PM
   Subject: Re: Can LDAP be used to authenticate /etc/passwd ?
  
  
04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
 Hi all,
 Can the LDAP be used to authenticate a user whose username and password
   is
 stored in /etc/passwd??
   
How is the LDAP server going to read the username in /etc/passwd?
   
Passwords are not stored in /etc/passwd, just usernames.
Passwords are usually in /etc/shadow, YMMV
   yes. My question is, can I use LDAP to authenticate the users who having the
   accounts on Linux , with EAP-MD5 authentication?
   That is, to read the usernames from /etc/passwd  and passwords from
   /etc/shadow.
   How?
 
  You can't. You can store the hashes that are in shadow in LDAP probably.
  I think, however, that your approach is probably wrong.
 
  --
  |-Simon White, Internet Services Manager, Certified Check Point CCSA.
  |-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
  |-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
  |-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863
 

-- 
Artur Hecker
artur[at]hecker.info




Re: (2) Can LDAP be used to authenticate /etc/passwd ?

2002-12-04 Thread Sarick
Hi,
Thanks for all of the advice. Now I know what LDAP does. :-)
Basically, my ambition is to make an 802.1x EAP-MD5 authentication.
And the users' info required for authentication (i.e., username and passwd)
can correspond to the accounts on my Linux server.
Therefore, I won't need to key in all of the users' info again but can just
obtain it from Linux. (My original thought was to obtain it from /etc/passwd
and /etc/shadow.)
But I have no idea whether I can do it or how I can do it.
Can I just convert the /etc/passwd and /etc/shadow into an LDAP database? How?
Or is there no way to do this?

Sarick

- Original Message -
From: Artur Hecker [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, December 05, 2002 8:56 AM
Subject: Re: (2) Can LDAP be used to authenticate /etc/passwd ?


 hi

 evren: all that is useless - EAP-MD5 will need clear-text passwords.
 /etc/passwd or shadow or whatsoever only stores a hash of it. it is not
 going to work anyway.

 a propos, sarick: the original question is a big strange mixture of
 available incompatible techniques. you store your radius-related users
 EITHER in the LDAP OR in the /etc/passwd OR somewhere else, and not just
 somewhere. an LDAP database is NOT a text file which /etc/passwd
 obviously is. and mind-bogglingly enough all this has nothing to do with
 radius! and even more confusing: the EAP-MD5 is pretty much CHAP in its
 centralized EAP form and CHAP needs clear-text passwords and exactly
 those are actually hashed (=not clear-text) in the file you are talking
 about.

 what the hell do you want to do?


 ciao
 artur


 ps your question basically was: can i buy a cadillac that knows how to
 drive a chevy? and can all this fly to the moon?




 Evren Yurtesen wrote:
 
  or actually if you can keep the /etc/passwd /etc/shadow synchronised with
  LDAP that would also do the trick. Perhaps with a script you can convert
  /etc/passwd /etc/shadow into LDAP or only the changed accounts etc. or
  even synchronise the add/remove user functions both in LDAP and in system
  files.
 
  Evren
 
  On Wed, 4 Dec 2002, Simon White wrote:
 
   04-Dec-02 at 20:23, jmc_cs ([EMAIL PROTECTED]) wrote :
   
   
Hi Simon,
- Original Message -
From: Simon White [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 04, 2002 7:23 PM
Subject: Re: Can LDAP be used to authenticate /etc/passwd ?
   
   
 04-Dec-02 at 19:12, Sarick ([EMAIL PROTECTED]) wrote :
  Hi all,
  Can the LDAP be used to authenticate a user whose username and
password
is
  stored in /etc/passwd??

 How is the LDAP server going to read the username in /etc/passwd?

 Passwords are not stored in /etc/passwd, just usernames.
 Passwords are usually in /etc/shadow, YMMV
yes. My question is, can I use LDAP to authenticate the users who
having the
accounts on Linux , with EAP-MD5 authentication?
That is, to read the usernames from /etc/passwd  and passwords from
/etc/shadow.
How?
  
   You can't. You can store the hashes that are in shadow in LDAP
probably.
   I think, however, that your approach is probably wrong.
  
   --
   |-Simon White, Internet Services Manager, Certified Check Point CCSA.
   |-MTDS  Internet, Security, Anti-Virus, Linux and Hosting Solutions.
   |-MTDS  14, rue du 16 novembre, Agdal, Rabat, Morocco.
   |-MTDS  tel +212.3.767.4861 - fax +212.3.767.4863
  

 --
 Artur Hecker
 artur[at]hecker.info




Re: radwho does not show nas short name + additional question about external passwd check

2002-12-03 Thread Kliment Toshkov
Information about each NAS is stored in an SQL database. All the scripts
supporting that large ISP have a total size of 10KB. Not a lot of work, at
least for me.

Anyway, I have another question: After upgrading 0.5 to 0.8 I have kept all
configuration files. First there was an error reported about acct_users,
some error with syntax ?! I have fixed it by editing the file and saving it.
Most important thing for me is that users whose accounts are in external
password/shadow files are not allowed access anymore with reason: Access
denied (external check failed).

(please keep in mind that this configuration works with 0.5 for 7 months)
Users file is as follows:
marty   Auth-Type := System
        Fall-Through = 1

[lots of old accounts not included in SQL db]

DEFAULT
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-MTU = 1500,
        Framed-Routing = 0,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Idle-Timeout = 3600,
        Exec-Program-Wait = /usr/local/icard/auth-start %u %n %{Called-Station-Id},
        Fall-Through = 1

Maybe there is something changed in 0.8 I am not aware of?
shadow, password and group files location is described in unix {} module of
radiusd.conf
server is RedHat 7.x (or something similar :), MySQL 3.23.49a (which is not
important regarding this question).

Please advise.

PS. Alan, I chose billing in realtime because it's more accurate in
handling sessions which cover more than one time zone and reduces the
possibility of data loss (hardware failure, etc.)
---
Technical Director of VIKET NetWorks
web/mail: www.viket.net; [EMAIL PROTECTED]
gsm/gsm2: +359 88 803280; +359 87 800743

- Original Message -
From: Alan DeKok [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, December 03, 2002 7:16 PM
Subject: Re: radwho does not show nas short name


 Kliment Toshkov [EMAIL PROTECTED] wrote:
  60 NASes located in diferent cities across country. Different time zones
and
  discounts for every NAS.
  For me billing in realtime (every minute) based on location (NAS) is
best
  solution.

   It's a lot of work, and completely unnecessary.  You can put the
 accounting information from each NAS into a NAS-specific 'detail'
 file, and then process that every hour or so.  It's *exactly* the same
 as what you're doing now, but a LOT less work.

   There's NO need to do accounting every minute.

   Alan DeKok.







Re: radwho does not show nas short name + additional question about external passwd check

2002-12-03 Thread Alan DeKok
Kliment Toshkov [EMAIL PROTECTED] wrote:
 Anyway, I have another question: After upgrading 0.5 to 0.8 I have kept all
 configuration files. First there was an error reported about acct_users,
 some error with syntax ?! I have fixed it by editing the file and saving it.

  Knowing the error would help to fix the problem.

 Most important thing for me is that users whose accounts are in external
 password/shadow files are not allowed access anymore with reason: Access
 denied (external check failed).

  Hmm...

 Maybe there is something changed in 0.8 I am not aware of?

  Exec-Program-Wait should work...

  Alan DeKok.




Re: radwho does not show nas short name + additional question about external passwd check

2002-12-03 Thread Kliment Toshkov
  Anyway, I have another question: After upgrading 0.5 to 0.8 I have kept
all
  configuration files. First there was an error reported about acct_users,
  some error with syntax ?! I have fixed it by editing the file and saving
it.

   Knowing the error would help to fix the problem.

First error was... something about missing something :


  Most important thing for me is that users whose accounts are in external
  password/shadow files are not allowed access anymore with reason: Access
  denied (external check failed).

   Hmm...

Most important for me is what you answered with Hmm. Please help -
configuration is not altered in any way but it does not work anymore (except
SQL authorization).

  Maybe there is something changed in 0.8 I am not aware of?

   Exec-Program-Wait should work...
Well, it works fine and passes AV pairs exactly as before.
---
Technical Director of VIKET NetWorks
web/mail: www.viket.net; [EMAIL PROTECTED]
gsm/gsm2: +359 88 803280; +359 87 800743





How to use unix /etc/passwd to authenticate users through AP ?

2002-11-26 Thread Yi-Wen Liu



Hi:
 I want to use unix account (/etc/passwd) to authenticate
users. But I don't know how to generate
packets with [Auth-Type := System] from user.
These are my configuration files:

--
radiusd.conf
unix {
        #.
        # Cache /etc/passwd, /etc/shadow, and /etc/group
        # allowed values: {no, yes}
        cache = yes
        #
        # Reload the cache every 600 seconds (10mins). 0 to disable.
        cache_reload = 600
        #.
        # This is required for some systems, like FreeBSD,
        # and Mac OSX.
        #
        passwd = /etc/passwd
        shadow = /etc/shadow
        group = /etc/group
        #...
        radwtmp = ${logdir}/radwtmp
}
-
users
DEFAULT Auth-Type := System
        Fall-Through = Yes

 Users are mobile nodes and a NAS is an AP in our testbed.
Please help me. Thanks a lot!


Tim Liu
Regards


Re[4]: Problem: authenticate with /etc/passwd users

2002-11-26 Thread 3APA3A
Dear Sarick,

Any  challenge-response  based  authentication  can't  work with crypted
password.  One  and  only exception is NT password which can be used for
MS-CHAP v1/2 authentication.

--Monday, November 25, 2002, 2:07:32 PM, you wrote to [EMAIL PROTECTED]:

S Hi, firstly thanks your quick response.  :-)
S - Original Message -
S From: 3APA3A [EMAIL PROTECTED]
S To: Sarick [EMAIL PROTECTED]
S Cc: [EMAIL PROTECTED]
S Sent: Monday, November 25, 2002 6:50 PM
S Subject: Re[2]: Problem: authenticate with /etc/passwd users


 Dear Sarick,

 In  your case problem is you try to use crypted passwords with EAP/md5.
 For EAP/md5 you need cleartext password.

S So, what should I do if I want to use the crypted passwords?
S Should I make the rlm_passwd module?
S How should I config it?
S My ambition is to make a 802.1x authentication. Authentication messages from
S authenticating
S supplicant (client)  be in EAP format (I use /EAP-MD5).
S And user-names and user-passwords can be derived from the /etc/passwd file.
S Therefore, I don't have to maintain
S the ./raddb/users file too constantly.
S Below is my radiusd.conf for EAP section:--
S #  For all EAP related authentications
S eap {
S # Invoke the default supported EAP type when
S # EAP-Identity response is received
S default_eap_type = md5

S # Default expiry time to clean the EAP list,
S # It is maintained to co-relate the
S # EAP-response for each EAP-request sent.
S timer_expire = 60

S # Supported EAP-types
S md5 {
S }
S #Skip
S ## EAP-TLS is highly experimental EAP-Type at the moment.
S #   Please give feedback on the mailing list.
S #tls {
S #   private_key_password = password
S #   private_key_file = /path/filename

S mschap {
S # Location of the SAMBA passwd file
S #   passwd = /etc/smbpasswd

S # authtype value, if present, will be used
S # to overwrite (or add) Auth-Type during
S # authorization. Normally should be MS-CHAP
S authtype = MS-CHAP







-- 
~/ZARAZA
The trouble will begin at eight.  (Twain)





Re: How to use unix /etc/passwd to authenticate users through AP ?

2002-11-26 Thread Alan DeKok
Yi-Wen Liu [EMAIL PROTECTED] wrote:
 I want to use unix account (/etc/passwd) to authenticate users. But
 I don't know how to generate
 packets with [Auth-Type := System] from user.

  You don't.

  The default configuration shipped with the server makes it
authenticate against the passwd file.

  Alan DeKok.




Re: Problem: authenticate with /etc/passwd users

2002-11-25 Thread Sarick
Hi:
I am using Linux RedHat 7.3.
Did I make the configuration wrong?

Regards
Sarick
- Original Message -
From: 3APA3A [EMAIL PROTECTED]
To: Sarick [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, November 25, 2002 6:15 PM
Subject: Re: Problem: authenticate with /etc/passwd users


 Dear Sarick,

 If you use BSD style OS this configuration is incorrect.

 See doc/rlm_passwd on how to use password files in general case.

 --Monday, November 25, 2002, 1:01:18 PM, you wrote to
[EMAIL PROTECTED]:

 S Hi,
 S Since I want to allow the users in the /etc/passwd file to authenticate
with
 S this radius server.
 S Below is my radiusd.conf:--
 S unix {
 S #.
 S #  Cache /etc/passwd, /etc/shadow, and /etc/group
 S # allowed values: {no, yes}
 S cache = yes
 S #
 S # Reload the cache every 600 seconds (10mins). 0 to
disable.
 S cache_reload = 600
 S #.
 S # This is required for some systems, like FreeBSD,
 S #  and Mac OSX.
 S #
 S passwd = /etc/passwd
 S shadow = /etc/shadow
 S group = /etc/group
 S authenticate {
 S #  password can be clear-text, or encrypted...
 S authtype PAP {
 S pap
 S }
 S #  Most people want CHAP authentication...
 S authtype CHAP {
 S chap
 S }
 S #  MSCHAP authentication.
 S authtype MS-CHAP {
 S mschap
 S }
 S #   pam
 S #  against /etc/passwd!  See the FAQ for details.
 S #
 S unix
 S 
 S Then, I try to authenticate the radius server, but failed with the following
 S messages:
 S 
 S modcall: entering group authenticate
 S rlm_eap: Request found, released from the list
 S rlm_eap: EAP_TYPE - md5
 S rlm_eap: processing type md5
 S rlm_eap_md5: No password configured for this user
 S   modcall[authenticate]: module eap returns invalid
 S modcall: group authenticate returns invalid
 S auth: Failed to validate the user.
 S ---
 S I did add the user in the /etc/passwd by useradd and passwd
command.
 S Please help me. How can I solve this problem?
 S (I can successfully authenticate with the users in ./raddb/users.)
 S How can I authenticate the users in /etc/passwd?





 --
 ~/ZARAZA
 Smack the ENIACs in the face!  (Lem)









Re[2]: Problem: authenticate with /etc/passwd users

2002-11-25 Thread 3APA3A
Dear Sarick,

In  your case problem is you try to use crypted passwords with EAP/md5.
For EAP/md5 you need cleartext password.

--Monday, November 25, 2002, 1:30:10 PM, you wrote to [EMAIL PROTECTED]:

S Hi:
S I am using Linux RedHat 7.3.
S Did I make the configuration wrong?

S Regards
S Sarick
S - Original Message -
S From: 3APA3A [EMAIL PROTECTED]
S To: Sarick [EMAIL PROTECTED]
S Cc: [EMAIL PROTECTED]
S Sent: Monday, November 25, 2002 6:15 PM
S Subject: Re: Problem: authenticate with /etc/passwd users


 Dear Sarick,

 If you use BSD style OS this configuration is incorrect.

 See doc/rlm_passwd on how to use password files in general case.

 --Monday, November 25, 2002, 1:01:18 PM, you wrote to
S [EMAIL PROTECTED]:

 S Hi,
 S Since I want to allow the users in the /etc/passwd file to authenticate
S with
 S this radius server.
 S Below is my radiusd.conf:--
 S unix {
 S #.
 S #  Cache /etc/passwd, /etc/shadow, and /etc/group
 S # allowed values: {no, yes}
 S cache = yes
 S #
 S # Reload the cache every 600 seconds (10mins). 0 to
S disable.
 S cache_reload = 600
 S #.
 S # This is required for some systems, like FreeBSD,
 S #  and Mac OSX.
 S #
 S passwd = /etc/passwd
 S shadow = /etc/shadow
 S group = /etc/group
 S authenticate {
 S #  password can be clear-text, or encrypted...
 S authtype PAP {
 S pap
 S }
 S #  Most people want CHAP authentication...
 S authtype CHAP {
 S chap
 S }
 S #  MSCHAP authentication.
 S authtype MS-CHAP {
 S mschap
 S }
 S #   pam
 S #  against /etc/passwd!  See the FAQ for details.
 S #
 S unix
 S 
 S Then, I try to authenticate the radius server, but failed with the following
 S messages:
 S 
 S modcall: entering group authenticate
 S rlm_eap: Request found, released from the list
 S rlm_eap: EAP_TYPE - md5
 S rlm_eap: processing type md5
 S rlm_eap_md5: No password configured for this user
 S   modcall[authenticate]: module eap returns invalid
 S modcall: group authenticate returns invalid
 S auth: Failed to validate the user.
 S ---
 S I did add the user in the /etc/passwd by useradd and passwd
S command.
 S Please help me. How can I solve this problem?
 S (I can successfully authenticate with the users in ./raddb/users.)
 S How can I authenticate the users in /etc/passwd?





 --
 ~/ZARAZA
 Smack the ENIACs in the face!  (Lem)







-- 
~/ZARAZA
I will not need the sting (S. Lem)


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
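
The point made in the replies in this thread (EAP-MD5 is CHAP in EAP form, and a challenge-response check needs the clear-text password, which is why the debug output above ends in "rlm_eap_md5: No password configured for this user"), as an added Python example that is not part of the original posts or of FreeRADIUS. The user store, the function names and the PBKDF2 stand-in for a crypt(3) entry in /etc/shadow are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def one_way_hash(password: bytes, salt: bytes) -> bytes:
    """Stand-in for a crypt(3) value in /etc/shadow (constructed, not a real crypt format)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)


def md5_challenge_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) and EAP MD5-Challenge: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


# Constructed user store: one account known only by its hash (as if taken from
# /etc/shadow), one with a clear-text password (as in a raddb/users entry).
SALT = b"constructed-salt"
USERS = {
    "shadowuser": {"salt": SALT, "hash": one_way_hash(b"s3cret-pw", SALT)},
    "rauser": {"cleartext": b"other-pw"},
}


def pap_verify(user: str, offered_password: bytes) -> bool:
    """PAP: the server receives the password itself, so it can hash it and compare."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if "cleartext" in rec:
        return hmac.compare_digest(rec["cleartext"], offered_password)
    return hmac.compare_digest(rec["hash"], one_way_hash(offered_password, rec["salt"]))


def eap_md5_verify(user: str, ident: int, challenge: bytes, response: bytes) -> str:
    """Challenge-response: the server must recompute the MD5 from the secret itself."""
    rec = USERS.get(user)
    if rec is None:
        return "reject"
    if "cleartext" not in rec:
        # Only a one-way hash is stored; there is nothing to feed into
        # MD5(id || secret || challenge), so the request cannot be validated.
        return "invalid: no clear-text password"
    expected = md5_challenge_response(ident, rec["cleartext"], challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject"


def hash_as_secret_matches(user: str, ident: int, challenge: bytes, response: bytes) -> bool:
    """Feeding the stored hash in as the 'secret' does not reproduce the client's response."""
    rec = USERS[user]
    guess = md5_challenge_response(ident, rec["hash"], challenge)
    return hmac.compare_digest(guess, response)


def demo() -> dict:
    ident, challenge = 7, os.urandom(16)
    # Supplicant side: each client computes its response from the typed password.
    resp_shadow = md5_challenge_response(ident, b"s3cret-pw", challenge)
    resp_ra = md5_challenge_response(ident, b"other-pw", challenge)
    return {
        "pap_shadowuser": pap_verify("shadowuser", b"s3cret-pw"),
        "eap_md5_shadowuser": eap_md5_verify("shadowuser", ident, challenge, resp_shadow),
        "hash_used_as_secret": hash_as_secret_matches("shadowuser", ident, challenge, resp_shadow),
        "eap_md5_rauser": eap_md5_verify("rauser", ident, challenge, resp_ra),
        "eap_md5_rauser_wrong_pw": eap_md5_verify("rauser", ident, challenge, resp_shadow),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same account that passes PAP fails EAP-MD5 even though the supplicant typed the right password, because the hash-only record gives the server nothing to recompute the response from.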



Re: Re[2]: Problem: authenticate with /etc/passwd users

2002-11-25 Thread Sarick
Hi, firstly thanks for your quick response.  :-)
- Original Message -
From: 3APA3A [EMAIL PROTECTED]
To: Sarick [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, November 25, 2002 6:50 PM
Subject: Re[2]: Problem: authenticate with /etc/passwd users


 Dear Sarick,

 In  your case problem is you try to use crypted passwords with EAP/md5.
 For EAP/md5 you need cleartext password.

So, what should I do if I want to use the crypted passwords?
Should I make the rlm_passwd module?
How should I configure it?
My ambition is to make an 802.1x authentication. Authentication messages from
the authenticating supplicant (client) will be in EAP format (I use EAP-MD5).
And user-names and user-passwords can be derived from the /etc/passwd file.
Therefore, I don't have to maintain
the ./raddb/users file too constantly.
Below is my radiusd.conf for EAP section:--
#  For all EAP related authentications
eap {
# Invoke the default supported EAP type when
# EAP-Identity response is received
default_eap_type = md5

# Default expiry time to clean the EAP list,
# It is maintained to co-relate the
# EAP-response for each EAP-request sent.
timer_expire = 60

# Supported EAP-types
md5 {
}
#Skip
## EAP-TLS is highly experimental EAP-Type at the moment.
#   Please give feedback on the mailing list.
#tls {
#   private_key_password = password
#   private_key_file = /path/filename

mschap {
# Location of the SAMBA passwd file
#   passwd = /etc/smbpasswd

# authtype value, if present, will be used
# to overwrite (or add) Auth-Type during
# authorization. Normally should be MS-CHAP
authtype = MS-CHAP









Re: User/passwd in the log

2002-10-17 Thread Mattt

On Thu, 2002-10-17 at 23:50, Jean-Paul Chapalain wrote:
 Hi all,
 
 I've a problem with the log because there is User/passwd in the log.


Wow ('wow' backwards, even) - you must win some sorta prize for that
one...

Did you even know there's a config file?  Hint: /path/to/radiusd.conf

There's *no* chance of me telling you which config variables :-/

-- 
Cheers,
 Mattt.  icq   : 117539757 
 aboveNetworks   www   : www.above.nq4u.net
 [EMAIL PROTECTED]jabber: [EMAIL PROTECTED]
 
   What's got four legs and an arm?  A happy Pit Bull...





User/passwd in the log

2002-10-17 Thread Jean-Paul Chapalain
Hi all,

I've a problem with the log because there is User/passwd in the log.

When I start radiusd like this:
/opt/freeradius/sbin/radiusd

In radius.log:
Thu Oct 17 15:04:18 2002 : Auth: Login OK: [foo/foopwd] (from client r-test port 66 cli 10.154.99.1)
Thu Oct 17 15:04:26 2002 : Auth: Login OK: [$enab15$/superuser] (from client r-test port 66 cli 10.154.99.1)

It's important for me to suppress this information from the log.

Thanks for the help.
--
* Jean-Paul Chapalain - Reseaux et Systemes Distribues *
* Groupement Informatique Credit Mutuel*
* Tel : +33 298002873  Fax : +33 298284005 *
* mailto : [EMAIL PROTECTED] *





Re: User/passwd in the log

2002-10-17 Thread Jean-Paul Chapalain
I don't see anything in radiusd.conf about logging user/passwd.

In the usage of radiusd there are two options about this, '-y' and '-z', but I
don't use them.

Usage: radiusd [-a acct_dir] [-d db_dir] [-l log_dir] [-i address] [-p port] [-AcfnsSvXxyz]
Options:

  -a acct_dir     use accounting directory 'acct_dir'.
  -A              Log auth detail.
  -d db_dir       Use database directory 'db_dir'.
  -f              Run as a foreground process, not a daemon.
  -h              Print this help message.
  -i address      Listen only in the given IP address.
  -l log_dir      Log messages to 'log_dir'.  Special values are:
                  stdout == log all messages to standard output.
                  syslog == log all messages to the system logger.
  -p port         Bind to 'port', and not to the radius/udp, or 1646/udp.
  -s              Do not spawn child processes to handle requests.
  -S              Log stripped names.
  -v              Print server version information.
  -X              Turn on full debugging. (Means: -sfxxyz -l stdout)
  -x              Turn on partial debugging. (-xx gives more debugging).
  -y              Log authentication failures, with password.
  -z              Log authentication successes, with password.

Regards.

Mattt wrote:
On Thu, 2002-10-17 at 23:50, Jean-Paul Chapalain wrote:


Hi all,

I've a problem with the log because there is User/passwd in the log.




Wow ('wow' backwards, even) - you must win some sorta prize for that
one...

Did you even know there's a config file?  Hint: /path/to/radiusd.conf

There's *no* chance of me telling you which config variables :-/




--
* Jean-Paul Chapalain - Reseaux et Systemes Distribues *
* Groupement Informatique Credit Mutuel*
* Tel : +33 298002873  Fax : +33 298284005 *
* mailto : [EMAIL PROTECTED] *






Re: User/passwd in the log

2002-10-17 Thread Jonathan Hassell
In radiusd.conf, set log_auth_goodpass to no.  
Also, check http://www.theradiusbook.com for the sample chapter, which 
lists most of the configuration directives inside radiusd.conf 
(including this query).  You might do well to become familiar with it.

Jonathan Hassell


Jean-Paul Chapalain wrote:

I don't see anything in radiusd.conf about logging user/passwd.

In the usage of radiusd there are two options about this, '-y' and '-z', but
I don't use them.

Usage: radiusd [-a acct_dir] [-d db_dir] [-l log_dir] [-i address] [-p port] [-AcfnsSvXxyz]
Options:

  -a acct_dir     use accounting directory 'acct_dir'.
  -A              Log auth detail.
  -d db_dir       Use database directory 'db_dir'.
  -f              Run as a foreground process, not a daemon.
  -h              Print this help message.
  -i address      Listen only in the given IP address.
  -l log_dir      Log messages to 'log_dir'.  Special values are:
                  stdout == log all messages to standard output.
                  syslog == log all messages to the system logger.
  -p port         Bind to 'port', and not to the radius/udp, or 1646/udp.
  -s              Do not spawn child processes to handle requests.
  -S              Log stripped names.
  -v              Print server version information.
  -X              Turn on full debugging. (Means: -sfxxyz -l stdout)
  -x              Turn on partial debugging. (-xx gives more debugging).
  -y              Log authentication failures, with password.
  -z              Log authentication successes, with password.

Regards.

Mattt wrote:

On Thu, 2002-10-17 at 23:50, Jean-Paul Chapalain wrote:


Hi all,

I've a problem with the log because there is User/passwd in the log.





Wow ('wow' backwards, even) - you must win some sorta prize for that
one...

Did you even know there's a config file?  Hint: /path/to/radiusd.conf

There's *no* chance of me telling you which config variables :-/







- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
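
Setting log_auth_goodpass to no stops new entries from carrying the password, but lines already written to radius.log still do. The following scrubber for such lines is an added Python example, not part of the original posts or of FreeRADIUS; the sample lines are constructed in the format quoted in this thread, and the "Login incorrect" wording of the failure line is an assumption.

```python
import re

# "<date> : Auth: <result>: [user/password] (from client ...)", the line format
# quoted in this thread. The credential field is matched greedily up to the last
# "] (from client" so that a "]" inside a password does not end the field early.
AUTH_RE = re.compile(
    r"^(?P<head>.*?: Auth: [^\[]*\[)(?P<cred>.*)(?P<tail>\] \(from client .*)$"
)
MASK = "<redacted>"


def redact_line(line: str):
    """Return (line with the password masked, username), or (line, None) if untouched."""
    text = line.rstrip("\n")
    m = AUTH_RE.match(text)
    if not m:
        return text, None  # not an Auth line
    # Everything after the first "/" is treated as the password. A username that
    # itself contains "/" loses its tail as well, which errs on the safe side.
    user, sep, password = m.group("cred").partition("/")
    if not sep or not password or password == MASK:
        return text, None  # no password was logged, or it is already masked
    return f"{m.group('head')}{user}/{MASK}{m.group('tail')}", user


def scrub(lines):
    """Mask passwords in an iterable of log lines.

    Returns (cleaned_lines, exposed) where exposed lists (line_number, username)
    for every entry that carried a password, so those accounts can be followed up.
    """
    cleaned, exposed = [], []
    for number, line in enumerate(lines, 1):
        new_line, user = redact_line(line)
        cleaned.append(new_line)
        if user is not None:
            exposed.append((number, user))
    return cleaned, exposed


# Constructed sample input (not taken from a real server).
SAMPLE = [
    "Thu Oct 17 15:04:18 2002 : Auth: Login OK: [alice/Spring2002] "
    "(from client r-test port 66 cli 10.154.99.1)",
    "Thu Oct 17 15:04:20 2002 : Auth: Login incorrect: [bob/gue]ss/1] "
    "(from client r-test port 67)",
    "Thu Oct 17 15:04:26 2002 : Auth: Login OK: [carol] (from client r-test port 68)",
    "Thu Oct 17 15:04:30 2002 : Info: Ready to process requests.",
]

if __name__ == "__main__":
    cleaned_lines, exposed_users = scrub(SAMPLE)
    print("\n".join(cleaned_lines))
    print("accounts with a logged password:", exposed_users)
```

The returned list of usernames identifies the accounts whose passwords were written to disk and should be changed.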


Re: User/passwd in the log

2002-10-17 Thread Alan DeKok
Jean-Paul Chapalain [EMAIL PROTECTED] wrote:
 I don't see anything in radiusd.conf about logging user/passwd.

  Then read it again.  Try reading the 'radiusd.conf' file BEFORE you
install it, as you may have an old version already installed.

 In the usage of radiusd there are two options about this, '-y' and '-z', but I
 don't use them.

  Then you've got them enabled in the configuration file.

  Alan DeKok.




Re: Cache /etc/passwd, /etc/shadow, and /etc/group

2002-10-10 Thread 3APA3A

Dear User for Free Radius mail list,

passwd  file  doesn't  contain  any passwords or hashes, so it's useless
without shadow.

If  you  store  your  passwords in plain text file format different from
linux  passwd/shadow  files  consider  to  use  rlm_passwd  module.  See
doc/rlm_passwd.

--Thursday, October 10, 2002, 5:11:15 AM, you wrote to 
[EMAIL PROTECTED]:


UfFRml System = Linux with kernel 2.4.18

UfFRml In the radiusd.conf file:
UfFRml The Cache setup does not work if you do not use shadow passwords. If the
UfFRml shadow line is left at the default value: (ie commented out)

UfFRml   To force the module to use the system password functions,
UfFRml #  instead of reading the files, comment out the 'passwd'
UfFRml #  and 'shadow' configuration entries.  This is required
UfFRml #  for some systems, like FreeBSD.
UfFRml #
UfFRml passwd = /etc/passwd
UfFRml #   shadow = /etc/shadow

UfFRml Then you will get an error:

UfFRml   Wed Oct  9 17:51:06 2002 : Info: HASH:  Reinitializing hash structures
UfFRml   and lists for caching...
UfFRml   Wed Oct  9 17:51:06 2002 : Error: rlm_unix:  You MUST specify a shadow
UfFRml   password file!
UfFRml   Wed Oct  9 17:51:06 2002 : Error: HASH:  unable to create user hash table.
UfFRml   disable caching and run debugs
UfFRml   Wed Oct  9 17:51:06 2002 : Error: radiusd.conf[462]: unix: Module
UfFRml   instantiation failed.

UfFRml If you say no to the cache option:

UfFRml#  For FreeBSD, you do NOT want to enable the cache,
UfFRml #  as it's password lookups are done via a database.
UfFRml #
UfFRml # allowed values: {no, yes}
UfFRml cache = no

UfFRml It loads up just fine.


UfFRml Is there something I'm missing or is the the default behavior of this
UfFRml setup?

UfFRml Thanks,

UfFRml Ken Rea




-- 
~/ZARAZA
Thus this route is cheaper, and easier to reach
for anyone who is able to reach it. (Twain)





Re: Cache /etc/passwd, /etc/shadow, and /etc/group

2002-10-10 Thread User for Free Radius mail list



On Thu, 10 Oct 2002, 3APA3A wrote:

 
 passwd  file  doesn't  contain  any passwords or hashes, so it's useless
 without shadow.

If you do not use shadow passwords it does keep encrypted passwords in the
passwd file. Check your man pages ("man 5 passwd") and you will see the
second field, "Optional encrypted password". This is the way it was long
before shadow passwords came about. The reason we do not use shadow
passwords on this server is beyond the scope of this email.

It would be nice to be able to cache this data for quick lookup.

Thanks,

Ken Rea





Re: Cache /etc/passwd, /etc/shadow, and /etc/group

2002-10-10 Thread Kevin Bonner

On Thursday 10 October 2002 13:27, User for Free Radius mail list wrote:
 On Thu, 10 Oct 2002, 3APA3A wrote:
  passwd  file  doesn't  contain  any passwords or hashes, so it's useless
  without shadow.

 If you do not use shadow passwords it does keep encrypted passwords in the
 passwd file. Check your man pages man 5 passwd and you will see the
 second field Optional encrypted password. This is the way it was long
 before shadow passwords came about. The reason we do not use shadow
 passwords on this server is beyond the scope of this email.

 It would be nice to be able to cache this data for quick lookup.

 Thanks,

 Ken Rea

In the unix section of radiusd.conf, try the following:

cache = yes
password = /path/to/passwd
shadow = /path/to/passwd

If your passwd file contains encrypted passwords (i.e. no shadow file), then 
using the above should allow you to cache the data.  We are currently using 
this method to allow different realms to have their own passwd files, and 
just assigning different Auth-Type's depending on the realm.  We'll be moving 
to SQL auth shortly, but for the time being, this is working quite well for 
us.

Kevin




Re: Cache /etc/passwd, /etc/shadow, and /etc/group

2002-10-10 Thread User for Free Radius mail list


Kevin,

Thanks this works well.

Thanks again,

Ken Rea



On Thu, 10 Oct 2002, Kevin Bonner wrote:

 In the unix section of radiusd.conf, try the following:
 
 cache = yes
 password = /path/to/passwd
 shadow = /path/to/passwd
 
 If your passwd file contains encrypted passwords (i.e. no shadow file), then 
 using the above should allow you to cache the data.  We are currently using 
 this method to allow different realms to have their own passwd files, and 
 just assigning different Auth-Type's depending on the realm.  We'll be moving 
 to SQL auth shortly, but for the time being, this is working quite well for 
 us.
 
 Kevin
 





Cache /etc/passwd, /etc/shadow, and /etc/group

2002-10-09 Thread User for Free Radius mail list


System = Linux with kernel 2.4.18

In the radiusd.conf file:
The Cache setup does not work if you do not use shadow passwords. If the
shadow line is left at the default value: (ie commented out)

#  To force the module to use the system password functions,
#  instead of reading the files, comment out the 'passwd'
#  and 'shadow' configuration entries.  This is required
#  for some systems, like FreeBSD.
#
passwd = /etc/passwd
#   shadow = /etc/shadow

Then you will get an error:

  Wed Oct  9 17:51:06 2002 : Info: HASH:  Reinitializing hash structures
  and lists for caching...
  Wed Oct  9 17:51:06 2002 : Error: rlm_unix:  You MUST specify a shadow
  password file!
  Wed Oct  9 17:51:06 2002 : Error: HASH:  unable to create user hash table.
  disable caching and run debugs
  Wed Oct  9 17:51:06 2002 : Error: radiusd.conf[462]: unix: Module
  instantiation failed.

If you say no to the cache option:

#  For FreeBSD, you do NOT want to enable the cache,
#  as it's password lookups are done via a database.
#
# allowed values: {no, yes}
cache = no

It loads up just fine.


Is there something I'm missing or is this the default behavior of this
setup?

Thanks,

Ken Rea





Passwd expiration

2002-07-29 Thread Ralf Korczykowski

Hi-

We are experiencing problems configuring the 
Password-Expiration attribute using freeradius 0.6
communicating with an Ascend MAX2012, TAOS 7.2.4.


Is the Password-Expiration item supposed to be set
as a check or reply item / Which device is validating
the expiration, the radiusd or the nas?

What operand should be used?



Thanks a bunch in advance.


ralf
-- 
---


Dipl.-Ing. Ralf Korczykowski
Senior Consultant Systeme  Netze

ORDIX AG
Westernmauer 12-13
D-33098 Paderborn

Tel. 05251-1063-14
FAX. 05251-1063-99
Email: [EMAIL PROTECTED]
http://www.ordix.de





Re: Passwd expiration

2002-07-29 Thread Andrew Kelaidis

Hi-

We are experiencing problems configuring the Password-Expiration 
attribute using freeradius 0.6
communicating with an Ascend MAX2012, TAOS 7.2.4.

Is the Password-Expiration item supposed to be set
as a check or reply item / Which device is validating
the expiration, the radiusd or the nas?

The attribute is Expiration and is a check item.


What operand should be used?

Thanks a bunch in advance.




specify shadow passwd file

2002-07-18 Thread Augustine Tsai

Hi,

I have downloaded freeradius-0.6.  
I tried to run radiusd -X -A

and get the following message.
unix: cache=yes
unix: passwd = /etc/passed
unix: shadow = (null)
.
.
HASH: Reinitializing hash structures and lists for caching...
rlm_unix: you MUST specify a shadow password file!
HASH: unable to create uses hash table. disable caching and run debugs
radiusd.conf[426]: unix: Module instantiation failed.


Do you have to configure the Radius server before you run the daemon?
How to specify the shadow password file.

Thanks in advance.

Augustine


Augustine Tsai, Ph.D   
Multimedia Communication Research
Room 2D-443 
Lucent Technologies
600-700 Mountain Ave. 
Murray Hill, NJ 07974-0636
tel: 908-582-6519  
fax: 908-582-3306  
[EMAIL PROTECTED] 




Re: specify shadow passwd file

2002-07-18 Thread Alan DeKok

Augustine Tsai [EMAIL PROTECTED] wrote:
 HASH: unable to create uses hash table. disable caching and run debugs
 radiusd.conf[426]: unix: Module instantiation failed.
 
 
 Do you have to configure the Radius server before you run the daemon?

  Uh... no, it reads your mind...  Yeah, that's it...

 How to specify the shadow password file.

  Read the configuration file?

  Alan DeKok.




Re: specify shadow passwd file

2002-07-18 Thread Vincent_Giovannone

Do you have to configure the Radius server before you run the daemon?

Nah; you can run the daemon any old time.  Don't bother configuring it or 
reading the config or documentation files.  They're there just to pad the 
download.  You don't even have to bother compiling or untaring it to disk; 
just pipe the tar output to gcc and it'll run right in place!

Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center

Pinball is a way of life.  My way!





Re: specify shadow passwd file

2002-07-18 Thread Shawn O'Shea


Please read the comments in radiusd.conf:
 #  'shadow' is commented out by default, because not all
 #  systems have shadow passwords.

Uncomment:
 #  shadow = /etc/shadow

-Shawn

On Thu, 18 Jul 2002, Augustine Tsai wrote:

 Hi,

 I have downloaded freeradius-0.6.
 I tried to run radiusd -X -A

 and get the following message.
 unix: cache=yes
 unix: passwd = /etc/passed
 unix: shadow = (null)
 .
 .
 HASH: Reinitializing hash structures and lists for caching...
 rlm_unix: you MUST specify a shadow password file!
 HASH: unable to create uses hash table. disable caching and run debugs
 radiusd.conf[426]: unix: Module instantiation failed.
 

 Do you have to configure the Radius server before you run the daemon?
 How to specify the shadow password file.

 Thanks in advance.

 Augustine


 Augustine Tsai, Ph.D
 Multimedia Communication Research
 Room 2D-443
 Lucent Technologies
 600-700 Mountain Ave.
 Murray Hill, NJ 07974-0636
 tel: 908-582-6519
 fax: 908-582-3306
 [EMAIL PROTECTED]




Shawn K. O'Shea
Sr. Unix Administrator
DSL.net, Inc.


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
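
The failure reported in both threads above (cache = yes with no shadow entry) and the workaround of pointing shadow at the passwd file can be checked before radiusd is started. The Python check below is an added example, not code from these posts or from FreeRADIUS; the function names, finding codes and sample data are constructed, and it assumes the behaviour reported here for these early releases.

```python
import re

# Constructed sample: the unix block as posted in the thread, 'shadow' commented out.
SAMPLE_CONF = """\
modules {
    unix {
        cache = yes
        cache_reload = 600
        passwd = /etc/passwd
        #   shadow = /etc/shadow
        group = /etc/group
    }
}
"""

# Constructed passwd lines (the hash is a made-up 13-character placeholder).
SAMPLE_PASSWD = [
    "jdoe:abCDefGHijKLm:1001:1001:J Doe:/home/jdoe:/bin/sh",
    "nana:x:1002:1002:Nana:/home/nana:/bin/sh",
    "guest::1003:1003:Guest:/home/guest:/bin/sh",
]


def parse_unix_block(conf_text):
    """Return the settings of the first 'unix { ... }' block as a dict."""
    settings, inside, depth = {}, False, 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # commented-out entries do not count
        if not line:
            continue
        if not inside:
            if re.fullmatch(r"unix\s*\{", line):
                inside, depth = True, 1
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = value
    return settings


def check_unix_settings(settings, passwd_lines=()):
    """Return (code, detail) findings for the cases raised in the threads."""
    findings = []
    passwd, shadow = settings.get("passwd"), settings.get("shadow")
    if settings.get("cache", "no").lower() == "yes" and not shadow:
        # The case that produced "You MUST specify a shadow password file!"
        findings.append(("cache-without-shadow", "set 'shadow' or use cache = no"))
    if shadow and shadow == passwd:
        # Field 2 of this file is expected to hold hashes, so restrict who can read it
        findings.append(("hashes-in-passwd", passwd))
        for entry in passwd_lines:
            fields = entry.split(":")
            if len(fields) < 2:
                continue
            if fields[1] == "":
                findings.append(("empty-password", fields[0]))
            elif fields[1] in ("x", "*", "!", "!!"):
                findings.append(("no-hash-in-field-2", fields[0]))
    return findings


if __name__ == "__main__":
    for finding in check_unix_settings(parse_unix_block(SAMPLE_CONF)):
        print(finding)
```
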



Re: /etc/passwd / System auth not working

2002-03-14 Thread Thomas Keitel

Hello All,

I took Andrew's advice on the 'cache = yes' parameter, but no joy. I 
have included the radiusd -X debug output for your perusal.

Cheers,

Tom

Begin Debug Output
--

ahost# /usr/local/sbin/radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/log/radius/radiusd.pid
 main: user = root
 main: group = wheel
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = no
 proxy: dead_time = 120
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded System 
 unix: cache = yes
 unix: passwd = /etc/passwd
 unix: shadow = /etc/master.passwd
 unix: group = /etc/group
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
HASH:  Reinitializing hash structures and lists for caching...
HASH:  Stored 23 entries from /etc/passwd
HASH:  Stored 30 entries from /etc/group
Module: Instantiated unix (unix) 
Module: Loaded preprocess 
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: compat = no
Module: Instantiated files (files) 
Module: Loaded detail 
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail
 detail: detailperm = 384
 detail: dirperm = 493
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host *removed*, id=72, length=64
User-Name = jdoe
Password = *removed*
Service-Type = 0
NAS-IP-Address = *removed*
NAS-Port = 1
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 145
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
  HASH:  user jdoe found in hashtable bucket 93595
  modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Login incorrect: [jdoe] (from nas UNKNOWN-NAS port 1)
Sending Access-Reject of id 72 to *removed*
Finished request 0
Going to the next request





Andrew Tait wrote:

Change it to cache = yes.

There is a bug in the non-caching code.

Andrew Tait
System Administrator
Country NetLink Pty, Ltd
E-Mail: [EMAIL PROTECTED]
WWW: http://www.cnl.com.au
30 Bank St Cobram, VIC 3644, Australia
Ph: +61 (03) 58 711 000
Fax: +61 (03) 58 711 874

It's the smell! If there is such a thing. Agent Smith - The Matrix

- Original Message -
From: Thomas Keitel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, March 13, 2002 12:23 PM
Subject: Re: /etc/passwd / System auth not working


Hello Again,

Everything in the config is stock except for:

#
#  Cache /etc/passwd, /etc/shadow, and /etc/group
#
#  The default is to NOT cache them.  However, caching them can
#  speed up system authentications by a substantial amount.
#
# allowed values: {no, yes}
cache

Re: /etc/passwd / System auth not working

2002-03-14 Thread Thomas Keitel

I am now running the snapshot from the 14th with exactly the same 
results: Still broken. Keep the ideas rolling in because I'll probably 
try them all!

Cheers,

Tom

Alan DeKok wrote:

Thomas Keitel [EMAIL PROTECTED] wrote:

I took Andrew's advice on the 'cache = yes' parameter, but no joy. I 
have included the radiusd -X debug output for your perusal.


  Grab the latest CVS snapshot.  It should work better...

  Alan DeKok.




Re: /etc/passwd / System auth not working

2002-03-14 Thread Alan DeKok

Thomas Keitel [EMAIL PROTECTED] wrote:
 Mayhaps this should be added to the docs  and/or the comments of the 
 .conf file?

  Done.

  Alan DeKok.




/etc/passwd / System auth not working

2002-03-13 Thread Thomas Keitel

Hello All,

New to the list. I have the faq and googled this to tears, but I am
having a hard time getting freeradius .4 to correctly auth users against
the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.

Thanks,

Tom

radius.log:

Message:Auth: rlm_unix : [jdoe]: invalid password
Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)


radiusd debug:

modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 145
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
rlm_unix: [jdoe]: invalid password
  modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.








Re: /etc/passwd / System auth not working

2002-03-13 Thread Roy Hooper

Are you running the server as root?
Are you running without passwd and shadow set in the unix configuration
block?

Why don't you post your config file, and then I'll peruse the code to see
what might be getting in the way if it is not a config error.

--
Roy Hooper
Project Manager  Senior UNIX Consultant
Decisive Technologies Inc.


- Original Message -
From: Thomas Keitel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 12, 2002 6:14 PM
Subject: /etc/passwd / System auth not working


Hello All,

New to the list. I have the faq and googled this to tears, but I am
having a hard time getting freeradius .4 to correctly auth users against
the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.

Thanks,

Tom

radius.log:

Message:Auth: rlm_unix : [jdoe]: invalid password
Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)


radiusd debug:

modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 145
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
rlm_unix: [jdoe]: invalid password
  modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.








Re: /etc/passwd / System auth not working

2002-03-13 Thread Thomas Keitel

Hello Again,

Everything in the config is stock except for:

#
#  Cache /etc/passwd, /etc/shadow, and /etc/group
#
#  The default is to NOT cache them.  However, caching them can
#  speed up system authentications by a substantial amount.
#
# allowed values: {no, yes}
cache = no
# Reload the cache every 600 seconds (10mins). 0 to disable.
cache_reload = 600

#
#  Define the locations of the normal passwd, shadow, and
#  group files.
#
#  'shadow' is commented out by default, because not all
#  systems have shadow passwords.
#
passwd = /etc/passwd
shadow = /etc/master.passwd
group = /etc/group


#
#  Where the 'wtmp' file is located.
#  This will be moved to it's own module soon..
#
radwtmp = ${logdir}/radwtmp
}

Switched to running radius as root, but is there a way to use system 
auth w/o this? Perhaps running as username radius?

Thanks,

Tom




Roy Hooper wrote:

Are you running the server as root?
Are you running without passwd and shadow set in the unix configuration
block?

Why don't you post your config file, and then I'll peruse the code to see
what might be getting in the way if it is not a config error.

--
Roy Hooper
Project Manager  Senior UNIX Consultant
Decisive Technologies Inc.


- Original Message -
From: Thomas Keitel [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, March 12, 2002 6:14 PM
Subject: /etc/passwd / System auth not working


Hello All,

New to the list. I have the faq and googled this to tears, but I am
having a hard time getting freeradius .4 to correctly auth users against
the FreeBSD 4.5 passwd file. The password is correct and I am at a loss.

Thanks,

Tom

radius.log:

Message:Auth: rlm_unix : [jdoe]: invalid password
Message:Auth: Login incorrect: [jdoe/jdspw] (from nas UNKOWN-NAS port 1)


radiusd debug:

modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module suffix returns ok
users: Matched DEFAULT at 145
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password:  Found Auth-Type System
auth: type System
modcall: entering group authenticate
rlm_unix: [jdoe]: invalid password
  modcall[authenticate]: module unix returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.








I can't authenticate using /etc/passwd file

2002-02-20 Thread Godfred Ofori-Som

Hello,

I am new to radius but I have been able to set it up to work. The funny
thing is I can authenticate with the passwd file if I don't have a Default
entry point to sql. As soon as I do that I can authenticate users in mysql
database but cannot authenticate users in passwd file. Below is an extract
of my user file and the result with radtest. What am I doing wrong?

DEFAULT Auth-Type += System
 Fall-Through = Yes

DEFAULT AUTH-Type := sql, Simultaneous-Use := 1
 Service-Type = Framed-User,
 Framed-Protocol = PPP,
 Framed-IP-Address = 255.255.255.254,
 Framed-MTU = 1500,
 Fall-Through = Yes

user in passwd file
=
bash-2.03# radtest nana nana mantse-1 1645 qwer
Sending Access-Request of id 146 to 196.3.64.39:1645
 User-Name = nana
 Password = \263\252\002UV\310\201\010w8Y\323\350\244i
 NAS-IP-Address = mantse-1
 NAS-Port-Id = 1645
rad_recv: Access-Reject packet from host 196.3.64.39:1645, id=146, length=20


user in mysql database
==
bash-2.03# radtest fredf wilma mantse-1 1645 qwer
Sending Access-Request of id 151 to 196.3.64.39:1645
 User-Name = fredf
 Password = \377\027\273\033_\324\rU\204\032\001\210\025\353\013u
 NAS-IP-Address = mantse-1
 NAS-Port-Id = 1645
rad_recv: Access-Accept packet from host 196.3.64.39:1645, id=151, length=50
 Framed-Compression = Van-Jacobson-TCP-IP
 Service-Type = Framed-User
 Framed-Protocol = PPP
 Framed-IP-Address = 255.255.255.254
 Framed-MTU = 1500





Re: I can't authenticate using /etc/passwd file

2002-02-20 Thread Alan DeKok

Godfred Ofori-Som [EMAIL PROTECTED] wrote:
 Below is an extract 
 of my user file and the result with radtest. What am I doing wrong?
 
 DEFAULT Auth-Type += System
...
 
 DEFAULT AUTH-Type := sql, ...

  Read 'man users' on the difference between '+=' and ':='

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
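
The difference between '+=' and ':=' that the reply above points to, worked through on the two DEFAULT entries from the post. This is an added example, not code from the thread or from FreeRADIUS: a simplified model of the users(5) operators as they apply to server-configuration check items such as Auth-Type, with function names and case-insensitive attribute matching as assumptions of the sketch.

```python
import re

# Check-item lines of the two DEFAULT entries from the post, in file order.
# Both entries carry Fall-Through = Yes, so both are applied to every request.
DEFAULT_CHECK_LINES = [
    "DEFAULT Auth-Type += System",
    "DEFAULT AUTH-Type := sql, Simultaneous-Use := 1",
]

ITEM_RE = re.compile(r"([\w-]+)\s*(\+=|:=|=)\s*([^,]+)")


def parse_check_items(line):
    """Split 'DEFAULT A op V, B op V' into (attribute, operator, value) tuples."""
    _, _, items = line.partition(" ")
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in ITEM_RE.finditer(items)]


def apply_item(control, attr, op, value):
    """Apply one configuration check item to the control list, in place."""
    key = attr.lower()  # assumption: attribute names compare case-insensitively
    present = any(name == key for name, _ in control)
    if op == "+=":
        # Add the item to the tail of the list, keeping what is already there.
        control.append((key, value))
    elif op == ":=":
        # Replace any attribute of the same name.
        control[:] = [pair for pair in control if pair[0] != key]
        control.append((key, value))
    elif op == "=" and not present:
        # Set the value only if no attribute of that name exists yet.
        control.append((key, value))


def control_after(lines):
    """Return the control list after applying every entry in file order."""
    control = []
    for line in lines:
        for attr, op, value in parse_check_items(line):
            apply_item(control, attr, op, value)
    return control


def auth_types(lines):
    """Return the Auth-Type values left in the control list."""
    return [value for name, value in control_after(lines) if name == "auth-type"]


if __name__ == "__main__":
    # As posted: the later ':=' discards the System value added by '+='.
    print(auth_types(DEFAULT_CHECK_LINES))
    # Same entries with '=' in the second one: System is already set and stays.
    print(auth_types(["DEFAULT Auth-Type += System", "DEFAULT Auth-Type = sql"]))
```

With the entries as posted, the only Auth-Type left is sql, which is consistent with the radtest results in the post: the SQL user is accepted and the passwd-file user is rejected.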



passwd

2002-01-21 Thread Lee W

Hi all,

Thanks for the timely responses. I'm 100% up and running now. However I would
like to have a separate password file, be it PAM or System. Do both methods
only use the system passwd with no other options?



Lee





-- 
Lee Wolf
EMR Data Services
[EMAIL PROTECTED]
623-764-0870 cell
623-581-0842 voice
623-582-9499 fax





Re: passwd

2002-01-21 Thread aland

Lee W [EMAIL PROTECTED] wrote:
 Thanks for the timely responses. I'm 100% up and running
 now. However I would like to have a separate password file, be it
 PAM or System. Do both methods only use the system passwd with no
 other options?

  I don't know about PAM, but rlm_unix has a 'passwd' configuration
directive, which tells it where to get the password file from.

  See 'radiusd.conf'

  Alan DeKok.




Re: auth by /etc/passwd

2001-12-20 Thread Miquel van Smoorenburg

In article 003f01c1890a$3e83ae20$1191623f@eli,
NetlinkIP Sysadmin [EMAIL PROTECTED] wrote:
How can I have freeradius (or cistron 1.6.5) do a check on /etc/passwd
for the shell
type?

Could you please post this to *one* list only, or at least Cc: it between
lists? I've already answered your question on the cistron-radius list,
but of course you can't see that on this list!

Mike.
-- 
Don't worry about what anybody else is going to do ... The best way to
 predict the future is to invent it. -- Alan Kay.





auth by /etc/passwd

2001-12-19 Thread NetlinkIP Sysadmin

How can I have freeradius (or cistron 1.6.5) do a check on /etc/passwd for the shell
type?

For Example: I need users of shell type /usr/bin/ppp to be able to auth via radius
but NOT:   /sbin/noservice

Any ideas?

BTW - Livingston 2.1 does this.



--Eli Chancey
--NetlinkIP Sysadmin - www.netlinkip.com





Re: Using a different passwd/shadow file?

2001-10-02 Thread aland

Robert Divko [EMAIL PROTECTED] wrote:
 How can I use a different passwd/shadow file combo
 than the system file for User Authentication in freeradius-02?

  You can't.  I don't think even the latest CVS snapshot allows for
that.

  If you really are interested, file a bug report.

  Alan DeKok.




Re: Using a different passwd/shadow file?

2001-10-02 Thread Michael J. Hartwick

On Tue, 2 Oct 2001 at 10:26 (-0400), [EMAIL PROTECTED] wrote:

 Robert Divko [EMAIL PROTECTED] wrote:
  How can I use a different passwd/shadow file combo
  than the system file for User Authentication in freeradius-02?

   You can't.  I don't think even the latest CVS snapshot allows for
 that.

The current CVS allows you to specify a different passwd, shadow and
group file.  The group was made to work yesterday, but the rest had
been working prior to that.  I have been using that feature for a
little while now.  The group changes are still fairly new so may not
be the most stable, but have been working in a production environment
for close to 18 hours.

Michael

--
Michael J. Hartwick, VE3SLQ  [EMAIL PROTECTED]
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
--






Re: Using a different passwd/shadow file?

2001-10-02 Thread Juan Carlos Castro y Castro

Michael J. Hartwick wrote:

On Tue, 2 Oct 2001 at 10:26 (-0400), [EMAIL PROTECTED] wrote:

Robert Divko [EMAIL PROTECTED] wrote:

How can I use a different passwd/shadow file combo
than the system file for User Authentication in freeradius-02?

  You can't.  I don't think even the latest CVS snapshot allows for
that.

The current CVS allows you to specify a different passwd, shadow and
group file.  The group was made to work yesterday, but the rest had
been working prior to that.  I have been using that feature for a
little while now.  The group changes are still fairly new so may not
be the most stable, but have been working in a production environment
for close to 18 hours.

Could I specify more than 64K users in a passwd file with that? With
UIDs > 65536?

-- 
Juan Carlos Castro y Castro | Standing up to an evil system is
[EMAIL PROTECTED]  | exhilarating. -Richard Stallman
Rio de Janeiro - Brazil | http://www.vialink.com.br/~jcastro
DC4DC #25   | chmod a+x /bin/laden







Re: Using a different passwd/shadow file?

2001-10-02 Thread Michael J. Hartwick

On Tue, 2 Oct 2001 at 15:46 (-0300), Juan Carlos Castro y Castro wrote:

JCCyC Could I specify more than 64K users in a passwd file with that? With
JCCyC UIDs > 65536?

Not sure on that one.  I haven't needed a passwd file quite that large
before.  I would think that it would work since I don't believe the
code looks at UIDs, but I have not checked the code to verify this.
If your operating system's fgetpwent() call supports larger UIDs then
I think it should work with the caching turned off, but again I
haven't tried it.

Michael

--
Michael J. Hartwick, VE3SLQ  [EMAIL PROTECTED]
Hartwick Communications Consulting  (519) 396-7719
Kincardine, ON, CA http://www.hartwick.com
--





Using a different passwd/shadow file?

2001-10-01 Thread Robert Divko

How can I use a different passwd/shadow file combo
than the system file for User Authentication in freeradius-02?

Ciao, Robert Divko


Dr. Robert Divko, Kiem-Pauli-Weg 15, 83052 Bruckmühl
tel: 08062/79700, 0172/8337394, fax: 08062/79701
[EMAIL PROTECTED], [EMAIL PROTECTED]


