author     Arran Cudbard-Bell <a.cudbardb@freeradius.org>  2012-10-24 08:18:01 +0100
committer  Arran Cudbard-Bell <a.cudbardb@freeradius.org>  2012-10-24 08:18:01 +0100
commit     c2c2b9c4b0571f4e6050de78ae8fd813d1be7431 (patch)
tree       12d9d04d58daec7558ab0ae63c7c52ac7d14642f /USAGE
download   libpam-radius-auth-c2c2b9c4b0571f4e6050de78ae8fd813d1be7431.tar.gz
           libpam-radius-auth-c2c2b9c4b0571f4e6050de78ae8fd813d1be7431.zip
Commit of version 1.3.17
Diffstat (limited to 'USAGE')
-rw-r--r--  USAGE  87
1 files changed, 87 insertions, 0 deletions
diff --git a/USAGE b/USAGE
new file mode 100644
index 0000000..d850ddd
--- /dev/null
+++ b/USAGE
@@ -0,0 +1,87 @@
+ The module takes a number of configuration options. Password changing
+is not implemented, as the RADIUS protocol does not support it.
+
+ The pam configuration can be:
+...
+auth sufficient /lib/security/pam_radius_auth.so [options]
+...
+account sufficient /lib/security/pam_radius_auth.so
+
+---------------------------------------------------------------------------
+
+ The 'options' section is optional, and can contain one or more of
+the following strings. Note that not all of these options are
+relevant in for all uses of the module.
+
+debug - print out extensive debugging information via pam_log.
+ These messages generally end up being handled by
+ sylog(), and go to /var/log/messages. Depending on
+ your host operating system, the log messages may be
+ elsewhere.
+ You should generally use the debug option when first
+ trying to install the module, as it will help
+ enormously in tracking down problems.
+
+use_first_pass - Instead of prompting the user for a password, retrieve
+ the password from the previous authentication module.
+ If the password does not exist, return failure.
+ If the password exists, try it, returning success/failure
+ as appropriate.
+
+try_first_pass - Instead of prompting the user for a password, retrieve
+ the password from the previous authentication module.
+ If the password exists, try it, and return success if it
+ passes.
+ If there was no previous password, or the previous password
+ fails authentication, prompt the user with
+ "Enter RADIUS password: ", and ask for another password.
+ Try this password, and return success/failure as appropriate.
+
+ This is the default for authentication.
+
+skip_passwd - Do not prompt for a password, even if there was none
+ retrieved from the previous layer.
+ Send the previous one (if it exists), or else send a NULL
+ password.
+ If this fails, exit.
+ If an Access-Challenge is returned, display the challenge
+ message, and ask the user for the response.
+ Return success/failure as appropriate.
+
+ The password sent to the next authentication module will
+ NOT be the response to the challenge. If a password from
+ a previous authentication module exists, it is passed on.
+ Otherwise, no password is sent to the next module.
+
+conf=foo - set the configuration filename to 'foo'.
+ Default is /etc/raddb/server
+
+client_id=bar - send a NAS-Identifier RADIUS attribute with string
+ 'bar'. If the client_id is not specified, the PAM_SERVICE
+ type is used instead. ('login', 'su', 'passwd', etc.)
+ This feature may be disabled by using 'client_id='.
+ i.e. A blank client ID.
+
+retry = # - allow a number of retries before continuing to the next
+ authentication module
+
+use_authtok - force the use of a previously entered password.
+ This is needed for pluggable password strength checking
+ i.e. try cracklib to be sure it's secure, then go update
+ the RADIUS server.
+
+ruser - If PAM_USER is root, Use the value of PAM_RUSER instead
+ of PAM_USER to determine the username to authenticate via
+ RADIUS. This is to allow 'su' to act like 'sudo'.
+
+localifdown - This option tells pam_radius to return PAM_IGNORE instead
+ of PAM_AUTHINFO_UNAVAIL if RADIUS auth failed due to
+ network unavailability. PAM_IGNORE tells the pam stack
+ to continue down the stack regardless of the control flag.
+
+accounting_bug - When used, the accounting response vector is NOT
+ validated. This option will probably only be necessary
+ on REALLY OLD (i.e. Livingston 1.16) servers.
+
+---------------------------------------------------------------------------
+
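Review bot: The use_authtok entry ("force the use of a previously entered password ... try cracklib to be sure it's secure, then go update the RADIUS server") contradicts the opening paragraph, which says password changing is not implemented because the RADIUS protocol does not support it; either drop the "go update the RADIUS server" example or reword the entry so it only describes reusing the previously entered password for authentication. Two options also need an explicit security caveat in this file rather than a passing remark: accounting_bug turns off validation of the accounting response vector, so with it set the module cannot distinguish a forged accounting response from a genuine one and it should be described as a last resort for the old servers named, not a general troubleshooting switch; and skip_passwd sends a NULL password when no previous module supplied one, which should be called out as deliberate so nobody stacks it in front of a module that expects a real credential. Minor wording fixes in the same hunk: "sylog()" should be "syslog()", "relevant in for all uses" should be "relevant for all uses", and "retry = #" should be written "retry=#" to match the "conf=foo" and "client_id=bar" forms, since the other options are documented without spaces around the equals sign.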