
Re: radiusd-freeradius history and future



On Wed, Nov 12, 2003 at 01:23:02PM +1100, Russell Coker wrote:
> On Wed, 12 Nov 2003 12:40, Matt Zimmerman wrote:
> > The only reason I can think of for running a RADIUS server as root would be
> > to authenticate against UNIX passwords or such, which is a pretty bad idea
> > anyway.  They should all run as non-root.
> 
> Allowing a RADIUS server to authenticate local users against /etc/shadow is 
> standard and expected functionality IMHO.  I consider any RADIUS server which 
> can't authenticate against the local accounts database to be severely broken.

Well. IMHO that used to be a standard way of doing this when directories 
were not available. Now it is quite common to validate against an LDAP, 
MySQL or whatever server. YMMV. But you are right in that all these 
implementations assume that checking against the local user database is the 
default action.

> This does not necessarily have to require root access.  The unix_chkpwd helper 
> program for the pam_unix.so module allows checking a password for an account 
> with the current UID.  Giving all local accounts for the RADIUS server the 
(...)

That would need a reimplementation of some (all?) of the servers. Wouldn't
it? Old ones (cistron, livingston) call getpwnam()|getspnam() to retrieve
the user's encrypted passwords. New ones (freeradius) can alternatively
talk with a myriad of authentication services...

Regards

Javi
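To make the privilege question in this thread concrete, here is a small added example (not code from any of the RADIUS servers discussed, nor from the thread) that does the getpwnam()/getspnam() lookup the older servers perform and reports why it only works for a privileged process. It assumes a Linux/glibc system with shadow passwords; the user name "root" is just a lookup target, no password is checked.

```c
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Outcome of fetching a user's password hash the way cistron/livingston-style
 * servers do it: getpwnam() for the account, then getspnam() for the hash. */
enum shadow_status {
    SHADOW_OK = 0,          /* hash retrieved: caller is privileged enough  */
    SHADOW_DENIED = 1,      /* /etc/shadow refused: unprivileged caller     */
    SHADOW_UNAVAILABLE = 2  /* no such account, or no shadow entry for it   */
};

/* On SHADOW_OK the hash field is copied into buf (truncated if too long). */
enum shadow_status lookup_shadow_hash(const char *user, char *buf, size_t buflen)
{
    struct passwd *pw = getpwnam(user);   /* readable by everyone */
    if (pw == NULL)
        return SHADOW_UNAVAILABLE;

    /* Unshadowed system: the hash is right in /etc/passwd, no root needed. */
    if (strcmp(pw->pw_passwd, "x") != 0) {
        snprintf(buf, buflen, "%s", pw->pw_passwd);
        return SHADOW_OK;
    }

    /* Shadowed system: the real hash lives in /etc/shadow, which is not
     * world-readable, so getspnam() fails for an unprivileged process. */
    errno = 0;
    struct spwd *sp = getspnam(user);
    if (sp == NULL) {
        if (errno == EACCES)
            return SHADOW_DENIED;
        if (access("/etc/shadow", F_OK) == 0 && access("/etc/shadow", R_OK) != 0)
            return SHADOW_DENIED;
        return SHADOW_UNAVAILABLE;
    }
    snprintf(buf, buflen, "%s", sp->sp_pwdp);
    return SHADOW_OK;
}

int main(void)
{
    char hash[256];
    enum shadow_status st = lookup_shadow_hash("root", hash, sizeof hash);
    printf("euid=%u shadow lookup status=%d\n", (unsigned)geteuid(), (int)st);
    return 0;
}
```

Run it once as root and once as an ordinary user: the second run is the case that forces a daemon doing this lookup itself either to stay root or to hand the check to a privileged helper such as unix_chkpwd.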


