path: root/USAGE
blob: 0fce66b1832ad7746a8ec15c1cde652ecc5e03c4 (plain)
This PAM module takes a number of configuration options.  Password changing
is not implemented, as the RADIUS protocol does not support it.

  The pam configuration can be:
...
auth       sufficient   pam_radius_auth.so [options]
...
account    sufficient   pam_radius_auth.so

---------------------------------------------------------------------------

  The 'options' section is optional, and can contain one or more of
the following strings.  Note that not all of these options are
relevant for all uses of the module.

At a minimum, one server must be listed in the RADIUS client configuration
file.
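
An added example (not code from the pam_radius_auth project) that checks a
client configuration file before the module is put into service.  It assumes
the file layout this module reads, one server per line as
"server[:port] shared_secret [timeout]" with '#' starting a comment, and takes
the default path from the conf= option described below; the minimum secret
length is an assumed local policy, not a module requirement.  Because the file
holds the RADIUS shared secret, the check also refuses group/other-readable
modes and non-root ownership.

```python
"""Sanity-check a pam_radius_auth client configuration file.

Added example, not part of the pam_radius_auth project. Assumed file format:
one server per line, "server[:port] shared_secret [timeout]", '#' comments.
"""
import os
import stat

DEFAULT_CONF = "/etc/raddb/server"  # default from the conf= option (Debian: /etc/pam_radius_auth.conf)
MIN_SECRET_LEN = 16                 # assumed local policy, not a module requirement


def parse_servers(text):
    """Parse the client file; return [(server, secret, timeout_or_None), ...].

    Raises ValueError for a line that is neither blank, a comment, nor
    'server secret [timeout]' with a positive integer timeout.
    """
    servers = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'server secret [timeout]'")
        timeout = None
        if len(fields) == 3:
            if not fields[2].isdigit() or int(fields[2]) == 0:
                raise ValueError(f"line {lineno}: timeout must be a positive integer")
            timeout = int(fields[2])
        servers.append((fields[0], fields[1], timeout))
    return servers


def check_conf_text(text, mode, uid):
    """Return a list of findings for the file contents, its mode bits and owner uid.

    An empty list means the file passed every check.
    """
    findings = []
    # The file holds the shared secret, so nobody but root should be able to read it.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} exposes the shared secret to group/other; use 0600")
    if uid != 0:
        findings.append("file is not owned by root")
    try:
        servers = parse_servers(text)
    except ValueError as exc:
        return findings + [f"parse error: {exc}"]
    if not servers:
        findings.append("no server listed; the module has nowhere to send Access-Request")
    for server, secret, _timeout in servers:
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"{server}: shared secret shorter than {MIN_SECRET_LEN} characters")
    return findings


def check_conf(path=DEFAULT_CONF):
    """Run check_conf_text against a real file on disk."""
    st = os.stat(path)
    with open(path) as fh:
        return check_conf_text(fh.read(), stat.S_IMODE(st.st_mode), st.st_uid)


# Constructed sample contents, not taken from any real deployment.
SAMPLE_OK = "# primary\nradius1.example.net:1812 thisIsALongEnoughSecret 3\n"
SAMPLE_BAD = "radius1.example.net short 0\n"

if __name__ == "__main__":
    for finding in check_conf():
        print(finding)
```

Run it as root on the host after installing the module; an empty result means
the file is readable only by root and names at least one server.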

debug          - print out extensive debugging information via pam_log.
                 These messages generally end up being handled by
                 sylog(), and go to /var/log/messages.  Depending on
                 your host operating system, the log messages may be
                 elsewhere.
                 You should generally use the debug option when first
                 trying to install the module, as it will help
                 enormously in tracking down problems.

use_first_pass - Instead of prompting the user for a password, retrieve
                 the password from the previous authentication module.
                 If the password does not exist, return failure.
                 If the password exists, try it, returning success/failure
                 as appropriate.

try_first_pass - Instead of prompting the user for a password, retrieve
                 the password from the previous authentication module.
                 If the password exists, try it, and return success if it
                 passes.
                 If there was no previous password, or the previous password
                 fails authentication, prompt the user with
                 "Enter RADIUS password: ", and ask for another password.
                 Try this password, and return success/failure as appropriate.

                 This is the default for authentication.

skip_passwd    - Do not prompt for a password, even if there was none
                 retrieved from the previous layer.
                 Send the previous one (if it exists), or else send a NULL
                 password.
                 If this fails, exit.
                 If an Access-Challenge is returned, display the challenge
                 message, and ask the user for the response.
                 Return success/failure as appropriate.

                 The password sent to the next authentication module will
                 NOT be the response to the challenge.  If a password from
                 a previous authentication module exists, it is passed on.
                 Otherwise, no password is sent to the next module.

conf=foo       - set the configuration filename to 'foo'.
                 Default is /etc/raddb/server (/etc/pam_radius_auth.conf
                 on Debian systems).

client_id=bar  - send a NAS-Identifier RADIUS attribute with string
                 'bar'.  If the client_id is not specified, the PAM_SERVICE
                 type is used instead. ('login', 'su', 'passwd', etc.)
                 This feature may be disabled by using 'client_id=',
                 i.e. a blank client ID.

retry = #      - How many times to re-send a packet if there is no
                 response.  Once the retry count has been reached,
                 the module fails, and PAM continues to the next module.

use_authtok    - force the use of a previously entered password.
                 This is needed for pluggable password strength checking,
                 i.e. try cracklib to be sure it's secure, then go update
                 the RADIUS server.

ruser          - If PAM_USER is root, use the value of PAM_RUSER instead
                 of PAM_USER to determine the username to authenticate via
                 RADIUS.  This is to allow 'su' to act like 'sudo'.

localifdown    - This option tells pam_radius to return PAM_IGNORE instead
                 of PAM_AUTHINFO_UNAVAIL if RADIUS auth failed due to
                 network unavailability.  PAM_IGNORE tells the pam stack
                 to continue down the stack regardless of the control flag.

accounting_bug - When used, the accounting response vector is NOT
                 validated.  This option will probably only be necessary
                 on REALLY OLD (i.e. Livingston 1.16) servers.

prompt=string  - Specifies the prompt, without the ': ', that PAM should
                 display when prompting for the password. This is useful
                 when using hardware tokens as part of multi-factor
                 authentication and presenting the same prompt twice would
                 confuse users.  Use prompt=TokenCode (or some other
                 relevant string different from Password) in this
                 situation.

force_prompt   - Request a new password and do not use the previously
                 entered password.  This is useful for multi-factor
                 authentication when used with a token.

max_challenge=# - configure the maximum number of challenges that a server
                  may request.  This is a workaround for broken servers
                  and is disabled by default.
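
An added example (not code from the pam_radius_auth project) that lints the
[options] field of pam.d lines against the option names listed above.  It
assumes options are whitespace separated, that the numeric ones are written
as retry=3 and max_challenge=2 with no spaces around '=', and that the
control field is a single word (bracketed control syntax is not parsed).  It
rejects unknown options and malformed values, and flags the options whose
effect (debug logging, skipped accounting validation, a NULL password,
continuing past an unreachable server) a reviewer should confirm is intended.

```python
"""Lint pam_radius_auth option strings in PAM configuration lines.

Added example, not part of the pam_radius_auth project. Option names and the
review notes come from the USAGE text; the retry=N syntax is assumed.
"""
import re

# Documented options; True means the option takes a value after '='.
OPTIONS = {
    "debug": False, "use_first_pass": False, "try_first_pass": False,
    "skip_passwd": False, "conf": True, "client_id": True, "retry": True,
    "use_authtok": False, "ruser": False, "localifdown": False,
    "accounting_bug": False, "prompt": True, "force_prompt": False,
    "max_challenge": True,
}
NUMERIC = {"retry", "max_challenge"}

# Options whose effect should be confirmed before use on a production host.
REVIEW = {
    "debug": "extensive debugging goes to syslog; meant for first installation",
    "accounting_bug": "accounting response vector is not validated",
    "skip_passwd": "a NULL password may be sent when no previous password exists",
    "localifdown": "PAM_IGNORE on network failure; the stack continues regardless of control flag",
}

LINE_RE = re.compile(r"^\s*(auth|account|session|password)\s+(\S+)\s+pam_radius_auth\.so(.*)$")


def lint_line(line):
    """Return a list of findings for one pam.d line; [] if nothing is wrong.

    Lines that do not load pam_radius_auth.so are ignored.
    """
    m = LINE_RE.match(line)
    if not m:
        return []
    _facility, _control, rest = m.groups()
    findings = []
    for tok in rest.split():
        name, eq, value = tok.partition("=")
        if name not in OPTIONS:
            findings.append(f"unknown option '{tok}'")
            continue
        if OPTIONS[name] and not eq:
            findings.append(f"option '{name}' needs a value (e.g. {name}=...)")
        elif not OPTIONS[name] and eq:
            findings.append(f"option '{name}' takes no value")
        # client_id= with an empty value is documented as valid, so only check digits when a value is given.
        if name in NUMERIC and eq and not value.isdigit():
            findings.append(f"option '{name}' must be a number, got '{value}'")
        if name in REVIEW:
            findings.append(f"review '{name}': {REVIEW[name]}")
    return findings


def lint_config(text):
    """Lint every line of a pam.d file; return {line_number: findings} for lines with findings."""
    out = {}
    for n, line in enumerate(text.splitlines(), 1):
        found = lint_line(line)
        if found:
            out[n] = found
    return out


# Constructed pam.d fragment for demonstration, not a real service file.
SAMPLE_PAM = """\
# constructed /etc/pam.d fragment
auth       sufficient   pam_radius_auth.so try_first_pass retry=2 client_id=sshd prompt=TokenCode
auth       sufficient   pam_radius_auth.so debug accounting_bug retry=many
account    sufficient   pam_radius_auth.so
auth       required     pam_unix.so
"""

if __name__ == "__main__":
    for lineno, findings in lint_config(SAMPLE_PAM).items():
        for f in findings:
            print(f"line {lineno}: {f}")
```

Feed it the contents of a service file such as /etc/pam.d/sshd; line 3 of the
constructed sample is the one that needs attention (two review flags and a
non-numeric retry value), while the first auth line passes cleanly.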

---------------------------------------------------------------------------