PAM Support for FreeRadius

PAM support was done by Jeph Blaize. Miguel a.l. Paraz <map@iphil.net>
ported it to FreeRADIUS' parent, Cistron-Radius. Chris Dent <cdent@kiva.net>
added the Pam-Auth attribute.

Use Auth-Type = Pam in the users file. You cannot use User-Password = "PAM"
as in other radius servers. Sorry.

You can also use ``Pam-Auth = "somestring"'' to specify an entry in
/etc/pam.d. The default is "radius".

Compile and install freeradius with pam support (./configure --help

Within your radiusd.conf file, in the 'modules' section, make sure
that the pam section is enabled:
	# The name to use for PAM authentication.
	# PAM looks in /etc/pam.d/${pam_auth_name}
	# for its configuration.
	#
	# Note that any Pam-Auth attribute set in the 'users'
	# file overrides this one.
In the 'authenticate' section, do the same:

	# Uncomment this if you want to use PAM (Auth-Type = PAM)

In your /etc/pam.d/ directory create a file called radiusd with the
following contents (or whatever you want for your pam configuration,
this seems to work for me):

auth       required     /lib/security/pam_unix_auth.so shadow md5 nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix_passwd.so shadow md5 nullok use_authtok
session    required     /lib/security/pam_unix_session.so
If you don't want to run your freeradius server in debug mode as
root (i.e., run as an unprivileged user) you will need to run
freeradius with a group membership that is able to read the
/etc/shadow file - otherwise pam will be unable to read the
/etc/shadow file and will fail. I suggest a group called 'shadow' or
$ chgrp shadow /etc/shadow
$ chmod g+r /etc/shadow
And in the radiusd.conf file:

	# On systems with shadow passwords, you might have to set 'group = shadow'
	# for the server to be able to read the shadow password file.
	#
	# Change below to suit your setup.

Please understand that giving anything except root read permissions
to the /etc/shadow file is something that you want to think a bit
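A quick check for the /etc/shadow permissions this section asks for, added here as an example and not part of the FreeRADIUS documentation: it verifies that the file belongs to the group radiusd runs as and is group-readable but neither group-writable nor accessible to other users. It assumes GNU stat (Linux), with BSD stat as a fallback.

```shell
#!/bin/sh
# Added example, not from the FreeRADIUS docs: confirm that a shadow file
# has exactly the access a group-reading radiusd needs and nothing more.
# Returns 0 when the file is acceptable, 1 on a permission problem,
# 2 when the file cannot be inspected. Assumes GNU stat, with BSD stat
# as a fallback.
check_shadow_perms() {
    file=$1
    group=$2
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%OLp' "$file" 2>/dev/null) || return 2
    fgroup=$(stat -c '%G' "$file" 2>/dev/null || stat -f '%Sg' "$file" 2>/dev/null) || return 2
    # Shell arithmetic reads a leading 0 as octal, so "640" is parsed as 0640.
    perm=$((0$mode))
    status=0
    # The file must belong to the group named by 'group = ...' in radiusd.conf.
    if [ "$fgroup" != "$group" ]; then
        echo "$file: group is '$fgroup', expected '$group'"; status=1
    fi
    # Group read (040) is what lets PAM verify passwords for a non-root radiusd.
    if [ $((perm & 32)) -eq 0 ]; then
        echo "$file: not group-readable (chmod g+r)"; status=1
    fi
    # Group write (020) hands password control to every member of the group.
    if [ $((perm & 16)) -ne 0 ]; then
        echo "$file: group-writable (chmod g-w)"; status=1
    fi
    # Any access for others (007) exposes the hashes to every local account.
    if [ $((perm & 7)) -ne 0 ]; then
        echo "$file: accessible by other users (chmod o-rwx)"; status=1
    fi
    return $status
}

# Run directly against the real file: check_shadow_perms /etc/shadow shadow
```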
Real PAM support, figure out how we can write a module that will make
it blend in with PAM more seamlessly. With this, we can replace the
DENY_SHELL with something more flexible such as a database.
DEFAULT Auth-Type = Pam, NAS-IP-Address = 206.97.64.5
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Filter-Id = "std.ppp",
	Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Auth-Type = Pam, Pam-Auth = "radius2", NAS-IP-Address = 127.0.0.1
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Filter-Id = "std.ppp",
	Framed-Compression = Van-Jacobson-TCP-IP