passwords in config items, and sets Auth-Type := PAP.
Updated radiusd.conf to add "unix" and "pap" to "authorize",
for more auto-discovery.
Updated "users" so that it no longer sets Auth-Type at all; this makes
auto-discovery work much better.
# PAP module to authenticate users based on their stored password
#
- # Supports multiple encryption schemes
+ # Supports multiple encryption/hash schemes
#
# name description attribute
# ---- ----------- ---------
# clear Clear text User-Password
# crypt Unix crypt Crypt-Password
# md5 MD5 ecnryption MD5-Password
- # sha1 SHA1 encryption. SHA-Password
+ # smd5 SMD5 ecnryption SMD5-Password
+ # sha1 SHA1 encryption SHA-Password
+ # ssha SSHA encryption SSHA-Password
# nt NT-Password encryption NT-Password
# lm LM-Password encryption LM-Password
# auto Automatically figure out what to do
#
# For "auto" to work, the passwords given to the server by
# a back-end database MUST be placed into the attribute listed
- # above.
+ # above. We STRONGLY recommend using "auto".
#
# DEFAULT: auto
pap {
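Review bot: The new smd5 and ssha rows at the SMD5-Password/SSHA-Password lines repeat the existing "ecnryption" typo and describe salted hashes as "encryption", which the header line this hunk changes to "encryption/hash schemes" was trying to move away from. I would write them as `# smd5    Salted MD5 hash    SMD5-Password` and `# ssha    Salted SHA1 hash   SSHA-Password`; the md5 row above them carries the same typo but is unchanged context here. The "STRONGLY recommend using auto" sentence is fine as long as the preceding paragraph stays, since "auto" only works when the back-end puts each stored password into the attribute that names its scheme.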
mschap
#
+ # Pull crypt'd passwords from /etc/passwd or /etc/shadow,
+ # using the system API's to get the password. If you want
+ # to read /etc/passwd or /etc/shadow directly, see the
+ # passwd module, above.
+ #
+ unix
+
+ #
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
expiration
logintime
+
+ #
+ # If no other module has claimed responsibility for
+ # authentication, then try to use PAP. This allows the
+ # other modules listed above to add a "known good" password
+ # to the request, and to do nothing else. The PAP module
+ # will then see that password, and use it to do PAP
+ # authentication.
+ #
+ # This module should be listed last, so that the other modules
+ # get a chance to set Auth-Type for themselves.
+ #
+ pap
}
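Review bot: The comment on the new `pap` entry says the module "will then see that password, and use it to do PAP authentication", but an authorize-time `Auth-Type := PAP` only has an effect if `pap` is also listed in the `authenticate` section, which this hunk does not show; if that section is not updated in the same change, requests that take this path will be rejected for lacking a matching authentication module. I would add to the comment: `# The "pap" module must also be listed in the "authenticate" section.` In the new `unix` comment, `API's` should be `APIs`.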
-bob User-Password = "hello", Gandalf-Around-The-Corner = "foo"
- Gandalf-Around-The-Corner = "foo",
- Reply-Message = "Hello %u"
-
#
# Please read the documentation file ../doc/processing_users_file,
# or 'man 5 users' (after installing the server) for more information.
# file, the DEFAULT entries _have_ to be at the end of this file and
# you can't have multiple entries for one username.
#
-# You don't need to specify a password if you set Auth-Type += System
-# on the list of authentication requirements. The RADIUS server
-# will then check the system password file.
-#
# Indented (with the tab character) lines following the first
# line indicate the configuration values to be passed back to
# the comm server to allow the initiation of a user session.
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
-#steve Auth-Type := Local, User-Password == "testing"
+#steve User-Password := "testing"
# Service-Type = Framed-User,
# Framed-Protocol = PPP,
# Framed-IP-Address = 172.16.3.33,
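Review bot: The rewritten example `#steve User-Password := "testing"` still stores the known-good password in clear text, as the old `User-Password == "testing"` check did, so behaviour is unchanged; but since rlm_pap now also accepts Crypt-Password, SSHA-Password and similar attributes, at least one of these commented samples could show a hashed form, e.g. `#steve Crypt-Password := "<crypt hash>"`, so operators copying the template do not default to clear text. The entries are commented out, so this is a documentation-only suggestion.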
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
-#"John Doe" Auth-Type := Local, User-Password == "hello"
-# Reply-Message = "Hello, %u"
+#"John Doe" User-Password := "hello"
+# Reply-Message = "Hello, %{User-Name}"
#
# Dial user back and telnet to the default host for that port
#
-#Deg Auth-Type := Local, User-Password == "ge55ged"
+#Deg User-Password := "ge55ged"
# Service-Type = Callback-Login-User,
# Login-IP-Host = 0.0.0.0,
# Callback-Number = "9,5551212",
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
-#dialbk Auth-Type := Local, User-Password == "callme"
+#dialbk User-Password := "callme"
# Service-Type = Callback-Login-User,
# Login-IP-Host = timeshare1,
# Login-Service = PortMaster,
#
#
-# First setup all accounts to be checked against the UNIX /etc/passwd.
-# (Unless a password was already given earlier in this file).
-#
-DEFAULT Auth-Type = System
- Fall-Through = 1
-
-#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
/*
- * Find the named user in this modules database. Create the set
- * of attribute-value pairs to check and reply with for this user
- * from the database. The authentication code only needs to check
- * the password, the rest is done here.
+ * Authorize the user for PAP authentication.
+ *
+ * This isn't strictly necessary, but it does make the
+ * server simpler to configure.
+ */
+static int pap_authorize(void *instance, REQUEST *request)
+{
+ VALUE_PAIR *vp, *pw = NULL;
+
+ instance = instance; /* -Wunused */
+
+ /*
+ * Can't do PAP if there's no password.
+ */
+ if (!request->password ||
+ (request->password->attribute != PW_USER_PASSWORD)) {
+ /*
+ * Don't print out debugging messages if we know
+ * they're useless.
+ */
+ if (request->packet->code == PW_ACCESS_CHALLENGE) {
+ return RLM_MODULE_NOOP;
+ }
+
+ DEBUG2("rlm_pap: No clear-text password in the request. Not performing PAP.");
+ return RLM_MODULE_NOOP;
+ }
+
+
+ for (vp = request->config_items; vp != NULL; vp = vp->next) {
+ switch (vp->attribute) {
+ case PW_USER_PASSWORD:
+ case PW_CRYPT_PASSWORD:
+ case PW_MD5_PASSWORD:
+ case PW_SHA_PASSWORD:
+ case PW_NT_PASSWORD:
+ case PW_LM_PASSWORD:
+ case PW_SMD5_PASSWORD:
+ case PW_SSHA_PASSWORD:
+ pw = vp;
+ break;
+
+ case PW_AUTH_TYPE:
+ DEBUG2("rlm_pap: Found existing Auth-Type, not changing it.");
+ return RLM_MODULE_NOOP;
+
+ default:
+ break; /* ignore it */
+
+ }
+ }
+
+ /*
+ * Print helpful warnings if there was no password.
+ */
+ if (!pw) {
+ DEBUG("rlm_pap: WARNING! No \"known good\" password found for the user. Authentication will probably fail");
+ return RLM_MODULE_NOOP;
+ }
+
+ vp = pairmake("Auth-Type", "PAP", T_OP_SET);
+ if (!vp) return RLM_MODULE_FAIL;
+
+ pairadd(&request->config_items, vp);
+
+ return RLM_MODULE_UPDATED;
+}
+
+
+/*
+ * Authenticate the user via one of any well-known password.
*/
static int pap_authenticate(void *instance, REQUEST *request)
{
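Review bot: In pap_authorize, the early exit `if (request->packet->code == PW_ACCESS_CHALLENGE)` looks like it can never match on this path, since the packet checked is the one the server received and a server does not receive Access-Challenge; if the aim is to keep the "No clear-text password" debug message quiet for challenge/response requests, the test presumably needs to look at the request's attributes instead, and a comment naming the case being silenced would help either way. Two smaller points: `pw` is only ever used as a found-flag, so `int found = 0;` says what it means, and `instance = instance;` is better spelled `(void) instance;` for the -Wunused suppression. The loop deliberately keeps scanning after finding a password so that an Auth-Type later in the list still wins; that is correct but worth a comment, e.g. `/* keep scanning: an Auth-Type anywhere in the list overrides us */`.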
pap_instantiate, /* instantiation */
{
pap_authenticate, /* authentication */
- NULL, /* authorization */
+ pap_authorize, /* authorization */
NULL, /* preaccounting */
NULL, /* accounting */
NULL, /* checksimul */