blob: 34161703c798e9db58a6f95156dc0407e81ae66c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
**********************************************************************
Redhat Linux 4.2 (PAM 0.54)
**********************************************************************
make.
Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so
In /etc/pam.conf, add the line:
login auth sufficient /lib/security/pam_radius_auth.so
AFTER
login auth required /lib/security/pam_securetty.so
and BEFORE
login auth required /lib/security/pam_unix_auth.so
i.e.
login auth required /lib/security/pam_securetty.so
login auth sufficient /lib/security/pam_radius_auth.so
login auth required /lib/security/pam_unix_auth.so
**********************************************************************
Redhat Linux > 5.0
**********************************************************************
make.
Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so
In the per-application configuration (/etc/pam.d/application) add:
auth sufficient /lib/security/pam_radius_auth.so
AFTER
auth required /lib/security/pam_securetty.so
and BEFORE
auth required /lib/security/pam_unix_auth.so
i.e.
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_radius_auth.so
auth required /lib/security/pam_unix_auth.so
**********************************************************************
Solaris 2.6
**********************************************************************
make.
Copy 'pam_radius_auth.so' to /usr/lib/security/pam_radius_auth.so.1
in /etc/pam.conf, add the line:
login auth sufficient /usr/lib/security/pam_radius_auth.so.1
BEFORE
login auth required /usr/lib/security/pam_unix_auth.so.1
You will probably also have to add the lines:
telnet auth sufficient /usr/lib/security/pam_radius_auth.so.1
telnet auth required /usr/lib/security/pam_unix.so.1
in order to perform network logins.
----------------------------------------------------------------------
Password change requests are pretty much the same. Add a line like:
passwd password sufficient /lib/security/pam_radius_auth.so
And you're set.
Note that password change requests will NOT work for RADIUS users
using challenge-response authentication.
----------------------------------------------------------------------
If you're familiar with PAM, configuring RADIUS authentication for
other applications should be straightforward.
Note that you should be *very* careful when configuring users who
use RADIUS challenge-response. They should *not* have a Unix password
defined, or the challenge-response token card may become meaningless.
Users who have have a RADIUS challenge-response configuration must
enter an initial password, unless 'skip_passwd' (see below) is
defined. The password they enter may not be blank or empty.
----------------------------------------------------------------------
You will need a server configuration file. An example is given in
the file pam_radius_auth.conf. You will need to copy this file to
/etc/raddb/server. The file MUST be secure! i.e.
chown root /etc/raddb
chmod go-rwx /etc/raddb
chmod go-rwx /etc/raddb/server
See 'USAGE' for details of the configuration file.
----------------------------------------------------------------------
|
