Re: [Bug-gnu-radius] server side PAM authentication
From: Sergey Poznyakoff
Subject: Re: [Bug-gnu-radius] server side PAM authentication
Date: Fri, 19 Jul 2002 19:39:01 +0300

Ilguiz,

Thanks a lot for your efforts in testing the pre-1.0 version. I would
like to ask you to prominently specify the version of radius your
message refers to (1.0 is not in production use yet and many
subscribers may get confused). Thank you. By the way, on what platform
are you testing it?

> 1. What is the correct syntax for enabling server side PAM authentication?
> After recompiling gnu-radiusd with --enable-pam and putting
>
> DEFAULT Auth-Type = Pam

That is a syntax error for both 0.96 and pre-1.0 series of radius. The
correct syntax will be

    DEFAULT Auth-Type = Pam
            NULL

(note the presence of the RHS). Most NASes will require radius to
return at least Service-Type pair, so you'd be better off specifying:

    DEFAULT Auth-Type = Pam
            Service-Type = <whatever>

> 2. After that I got dlopen error on /lib/security/pam_unix_passwd.so. Is
> this a wrong configuration or corrupted shared module? Here is the

Hmmm, again the question is: what operating system are you using?
It seems like a corrupted shared module... It may be also that some
of the symbols imported to pam_unix_passwd.so conflict with those
that are exported from radius executable. Md5 stuff comes to mind.
However to decide anything I would need more information.

> 3. There are no positive messages from PAM_pwdb in the above log file. I
> only see messages from PAM_pwdb when supplying a wrong password:

[...]

> How come I see positive messages when doing su
>
> Jul 19 09:42:41 server PAM_pwdb[14700]: (su) session opened for user
> root by ilatypov(uid=0)
>
> but not when doing radsession ... --auth?

I guess you should investigate the sources of su to find the answer.

Regards,
Sergey