bug-gnu-radius

Re: [Bug-gnu-radius] server side PAM authentication


From: Ilguiz Latypov
Subject: Re: [Bug-gnu-radius] server side PAM authentication
Date: Sat, 20 Jul 2002 11:51:01 -0400 (EDT)

On Fri, 19 Jul 2002, Sergey Poznyakoff wrote:

> I would like to ask you to prominently specify the version of radius
> your message refers to (1.0 is not in production use yet and many
> subscribers may get confused).

That was a July 18, 2002 snapshot from CVS.

> By the way on what platform are you testing it?

    $ uname -a
    Linux server 2.4.19-pre10 #4 Thu Jun 6 17:00:26 EDT 2002 i686 unknown

> That is a syntax error for both 0.96 and pre-1.0 series of radius. The
> correct syntax will be
> 
> DEFAULT       Auth-Type = Pam
>         NULL

Thanks.  I will see if my copy of the perl Authen::Radius client can handle
an empty list of attributes.  This client failed when tested against a
different Radius server implementation.

> (note the presence of the RHS). Most NASes will require radius to
> return at least Service-Type pair, so you'd be better off specifying:
> 
> DEFAULT Auth-Type = Pam
>       Service-Type = <whatever>

Luckily, I just found the explanation of the notion of NAS in "info
radius" by typing "snas<Enter>".  Thanks for the excellent piece of
documentation.

> > 2. After that I got dlopen error on /lib/security/pam_unix_passwd.so.  Is 
> >    this a wrong configuration or corrupted shared module?  Here is the 
> 
> Hmmm, again the question is: what operating system are you using?

This module is part of RedHat Linux RPM package:

    $ rpm -qf /lib/security/pam_unix_passwd.so 
    pam-0.74-22

Anyways, everything worked fine when I switched to pam_pwdb.so.

> I guess you should investigate the sources of su to find the answer.

Could the absence of session messages from pam_pwdb.so be due to pam.c not
calling pam_open_session()/pam_close_session() after successful
pam_authenticate()?

Ilguiz




