/usr/share/doc/freeradius/rlm_pam is in freeradius 2.1.12+dfsg-1.2ubuntu8.
This file is owned by root:root, with mode 0o644.
PAM Support for FreeRadius
0. INTRODUCTION
PAM support was done by Jeph Blaize. Miguel a.l. Paraz <map@iphil.net>
ported it to FreeRADIUS' parent, Cistron-Radius. Chris Dent <cdent@kiva.net>
added the Pam-Auth attribute.
1. USAGE
Use Auth-Type = Pam in the users file. You cannot use User-Password = "PAM"
as in other radius servers. Sorry.
You can also use ``Pam-Auth = "somestring"'' to specify an entry in
/etc/pam.d. The Pam-Auth attribute overrides the module's pam_auth
setting in radiusd.conf; if neither is given, the default is "radius".
Compile and install freeradius with pam support (./configure --help
will tell you how)
Within your radiusd.conf file, in the 'modules' section, make sure
that the pam section is enabled:

	pam {
		#
		# The name to use for PAM authentication.
		# PAM looks in /etc/pam.d/${pam_auth_name}
		# for its configuration.
		#
		# Note that any Pam-Auth attribute set in the 'users'
		# file overrides this one.
		#
		pam_auth = radiusd
	}
In the 'authenticate' section, do the same:
	authenticate {
		# Uncomment this if you want to use PAM (Auth-Type = PAM)
		pam
		...
In your /etc/pam.d/ directory create a file called radiusd with the
following contents (or whatever you want for your pam configuration;
this seems to work for me, though the module names and paths below are
those of an older Linux-PAM and may differ on your system):

	#%PAM-1.0
	auth     required /lib/security/pam_unix_auth.so shadow md5 nullok
	auth     required /lib/security/pam_nologin.so
	account  required /lib/security/pam_unix_acct.so
	password required /lib/security/pam_cracklib.so
	password required /lib/security/pam_unix_passwd.so shadow md5 nullok use_authtok
	session  required /lib/security/pam_unix_session.so
If you don't want to run your freeradius server as root (ie, you run it
as an unprivileged user, including in debug mode) you will need to run
freeradius with a group membership that is able to read the
/etc/shadow file - otherwise pam will be unable to read /etc/shadow and
authentication will fail. I suggest a group called 'shadow' or the
like. Give that group read access only: the server never writes
/etc/shadow, so do not grant group write. Note that chgrp takes the
group first and the file second:

	$ chgrp shadow /etc/shadow
	$ chmod 0640 /etc/shadow
And in the radiusd.conf file:

	# On systems with shadow passwords, you might have to set 'group = shadow'
	# for the server to be able to read the shadow password file.
	#
	# Change below to suit your setup.
	user = radius
	group = shadow

Please understand that giving anything except root read access to
/etc/shadow is a decision that deserves some thought: every process
running with that group can read all local password hashes, so a
compromise of radiusd becomes an offline password-cracking opportunity.
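The permission change above is easy to get wrong in either direction (group write instead of group read, or a world-readable file left behind). The script below is an added example, not part of the FreeRADIUS README or of rlm_pam: it applies the group-read-only setting and verifies it. The file and group are parameters so it can be tried on a scratch file first; on a real system they would be /etc/shadow and shadow, run as root. It assumes GNU stat(1) with the -c option.

```shell
#!/bin/sh
# Added example, not part of the rlm_pam README: apply and verify the
# "readable by one dedicated group, writable only by root" setting that
# running radiusd unprivileged with PAM requires. FILE and GROUP are
# parameters so the checks can be exercised on a scratch file first.

# grant_group_read FILE GROUP
# Sets the group of FILE to GROUP and the mode to 0640 (owner rw, group r,
# no access for others). An absolute mode is used instead of "chmod g+r"
# so that a stray group-write or world-read bit is cleared rather than kept.
grant_group_read() {
    file=$1
    group=$2
    # Argument order matters: chgrp takes GROUP first, then FILE.
    chgrp "$group" "$file" || return 1
    chmod 0640 "$file" || return 1
}

# check_shadow_perms FILE GROUP
# Returns 0 only if FILE belongs to GROUP, the group has read and nothing
# else, and others have no access at all. Uses GNU stat(1) -c (assumed).
check_shadow_perms() {
    file=$1
    group=$2
    mode=$(stat -c '%a' "$file") || return 1
    actual_group=$(stat -c '%G' "$file") || return 1
    # Keep the last three octal digits (drop any setuid/setgid/sticky digit).
    perm=${mode#"${mode%???}"}
    group_bits=${perm%?}; group_bits=${group_bits#?}
    other_bits=${perm#??}
    if [ "$actual_group" != "$group" ]; then
        echo "$file: group is $actual_group, expected $group" >&2; return 1
    fi
    if [ "$group_bits" != 4 ]; then
        echo "$file: group permission is $group_bits, expected 4 (read only)" >&2; return 1
    fi
    if [ "$other_bits" != 0 ]; then
        echo "$file: others have permission $other_bits, expected none" >&2; return 1
    fi
    return 0
}

# Usage (as root):  sh shadow_perms.sh /etc/shadow shadow
if [ $# -eq 2 ]; then
    grant_group_read "$1" "$2" && check_shadow_perms "$1" "$2"
fi
```

check_shadow_perms rejects mode 0600 as well as 0660: the radius group must be able to read the file, and must not be able to do anything else. Run the check again after any package upgrade, since distribution scripts may reset /etc/shadow's ownership.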
2. NOTES
None.
3. TODO:
Real PAM support, figure out how we can write a module that will make
it blend in with PAM more seamlessly. With this, we can replace the
DENY_SHELL with something more flexible such as a database.
4. EXAMPLE:
	DEFAULT Auth-Type = Pam, NAS-IP-Address = 206.97.64.5
		Service-Type = Framed-User,
		Framed-Protocol = PPP,
		Framed-IP-Address = 255.255.255.254,
		Filter-Id = "std.ppp",
		Framed-MTU = 1500,
		Framed-Compression = Van-Jacobson-TCP-IP

	DEFAULT Auth-Type = Pam, Pam-Auth = "radius2", NAS-IP-Address = 127.0.0.1
		Service-Type = Framed-User,
		Framed-Protocol = PPP,
		Framed-IP-Address = 255.255.255.254,
		Filter-Id = "std.ppp",
		Framed-MTU = 1500,
		Framed-Compression = Van-Jacobson-TCP-IP
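Each Pam-Auth value in the users file (and the pam_auth default for entries without one) names a file in /etc/pam.d. A misspelled name is not an error for PAM: Linux-PAM falls back to the 'other' policy, so a typo silently changes which rules decide the login. The script below is an added example, not part of the FreeRADIUS README or of rlm_pam: it lists the PAM service names a users file will hand to rlm_pam and checks that each has a policy file. The users file, PAM directory and default service name are parameters (the default being whatever pam_auth is set to in radiusd.conf, "radiusd" in the configuration above).

```shell
#!/bin/sh
# Added example, not part of the rlm_pam README: list the PAM service names a
# FreeRADIUS 'users' file will pass to rlm_pam and check that each one has a
# policy file in the PAM configuration directory. Linux-PAM falls back to
# the 'other' policy when /etc/pam.d/<name> is missing, so a typo in Pam-Auth
# changes the policy instead of failing loudly.

# pam_services_in_users USERS_FILE DEFAULT_SERVICE
# Prints, sorted and de-duplicated, one PAM service name per entry line
# (a line not starting with whitespace or '#') that sets Auth-Type = Pam:
# the quoted Pam-Auth value when present, otherwise DEFAULT_SERVICE.
pam_services_in_users() {
    users_file=$1
    default_svc=$2
    grep -v '^[[:space:]#]' "$users_file" |
    grep -i 'Auth-Type[[:space:]]*:*=[[:space:]]*Pam' |
    while IFS= read -r line; do
        # Take the text inside the double quotes that follow Pam-Auth, if any.
        svc=$(printf '%s\n' "$line" |
              sed -n 's/.*Pam-Auth[[:space:]]*:*=[[:space:]]*"\([^"]*\)".*/\1/p')
        printf '%s\n' "${svc:-$default_svc}"
    done | LC_ALL=C sort -u
}

# check_pam_services USERS_FILE PAMD_DIR DEFAULT_SERVICE
# Returns 0 when every service named by the users file has PAMD_DIR/<service>;
# otherwise reports the missing ones on stderr and returns 1.
check_pam_services() {
    users_file=$1
    pamd_dir=$2
    default_svc=$3
    missing=0
    for svc in $(pam_services_in_users "$users_file" "$default_svc"); do
        if [ ! -f "$pamd_dir/$svc" ]; then
            echo "no PAM policy $pamd_dir/$svc: PAM would apply $pamd_dir/other instead" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Usage:  sh check_pam_services.sh /etc/freeradius/users /etc/pam.d radiusd
if [ $# -eq 3 ]; then
    check_pam_services "$1" "$2" "$3"
fi
```

Running it against the example above with only /etc/pam.d/radiusd present reports the missing radius2 policy; the same check is worth adding to whatever deploys the users file, since the fallback 'other' policy on many systems is a plain deny, but on some it is not.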