From: Alan T. DeKok
Date: Mon, 18 Mar 2013 22:36:57 +0000 (-0400)
Subject: Remove authenticate section.
X-Git-Tag: release_3_0_0_beta1~698
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=44c1bc1cb6f8728b059911e8ac89ef42f205411a;p=thirdparty%2Ffreeradius-server.git
Remove authenticate section.
You should be using the PAP module, which does all of this.
---
diff --git a/raddb/README.rst b/raddb/README.rst
index 5bb956ddeec..35f564d680d 100644
--- a/raddb/README.rst
+++ b/raddb/README.rst
@@ -187,6 +187,22 @@ It is otherwise unchanged. You chould be able to copy your old ``eap.conf`` file directly to ``mods-enabled/eap``.
+Unix
+----
+
+The unix module does not have an "authenticate" section. So you
+cannot set "Auth-Type := System". The "unix" module has also been
+deleted from the examples in sites-available/. Listing it there has
+been deprecated for many years.
+
+The PAP module can do crypt authentication. It should be used instead
+of Unix authentication.
+
+The Unix module still can pull the passwords from /etc/passwd, or
+/etc/shadow. This is done by listing it in the "authorize" section,
+as is done in the sites-available/ examples.
+
+
 RadSec
 ------
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index fde87b52438..5c00490d3bd 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -435,19 +435,6 @@ authenticate { # Pluggable Authentication Modules. # pam - # - # See 'man getpwent' for information on how the 'unix' - # module checks the users password. Note that packets - # containing CHAP-Password attributes CANNOT be authenticated - # against /etc/passwd! See the FAQ for details. - # - # For normal "crypt" authentication, the "pap" module should - be used instead of the "unix" module. The "unix" module should - be used for authentication ONLY for compatibility with legacy - FreeRADIUS configurations. - # - unix - # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against
diff --git a/raddb/sites-available/inner-tunnel b/raddb/sites-available/inner-tunnel
index ce53e4f7949..65fba748c86 100644
--- a/raddb/sites-available/inner-tunnel
+++ b/raddb/sites-available/inner-tunnel
@@ -214,14 +214,6 @@ authenticate { # Pluggable Authentication Modules. # pam - # - # See 'man getpwent' for information on how the 'unix' - # module checks the users password. Note that packets - # containing CHAP-Password attributes CANNOT be authenticated - # against /etc/passwd! See the FAQ for details. - # - unix - # Uncomment it if you want to use ldap for authentication # # Note that this means "check plain-text password against
diff --git a/src/modules/rlm_unix/rlm_unix.c b/src/modules/rlm_unix/rlm_unix.c
index 16a0260f572..ce6f1e3f4db 100644
--- a/src/modules/rlm_unix/rlm_unix.c
+++ b/src/modules/rlm_unix/rlm_unix.c
@@ -162,8 +162,7 @@ static int unix_instantiate(CONF_SECTION *conf, void **instance)
 * Pull the users password from where-ever, and add it to
 * the given vp list.
 */
-static int unix_getpw(UNUSED void *instance, REQUEST *request,
- VALUE_PAIR **vp_list)
+static rlm_rcode_t unix_authorize(UNUSED void *instance, REQUEST *request)
 {
 const char *name;
 const char *encrypted_pass;
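Review bot: The header comment kept as context above the new `unix_authorize` signature still says the password is added to "the given vp list", but the `VALUE_PAIR **vp_list` parameter disappears in this very hunk, so the comment no longer describes the function's contract. I'd reword it to name the real destination, e.g. `/* Pull the user's password from wherever it lives and add it to request->config_items as Crypt-Password. */`. Since this is now the module's authorize entry point rather than an internal helper, a line on which rlm_rcode_t values it returns (and when) would also help whoever reads the module table; the body and its return statements are outside this hunk.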
@@ -304,75 +303,12 @@ static int unix_getpw(UNUSED void *instance, REQUEST *request,
 vp = pairmake("Crypt-Password", encrypted_pass, T_OP_SET);
 if (!vp) return RLM_MODULE_FAIL;
- pairmove(vp_list, &vp);
- pairfree(&vp); /* might not be NULL; */
+ pairadd(&request->config_items, vp);
 return RLM_MODULE_UPDATED;
 }
-/*
- * Pull the users password from where-ever, and add it to
- * the given vp list.
- */
-static rlm_rcode_t unix_authorize(void *instance, REQUEST *request)
-{
- return unix_getpw(instance, request, &request->config_items);
-}
-
-/*
- * Pull the users password from where-ever, and add it to
- * the given vp list.
- */
-static rlm_rcode_t unix_authenticate(void *instance, REQUEST *request)
-{
-#ifdef OSFSIA
- char *info[2];
- char *progname = "radius";
- SIAENTITY *ent = NULL;
- info[0] = progname;
- info[1] = NULL;
- if (sia_ses_init (&ent, 1, info, NULL, name, NULL, 0, NULL) !=
- SIASUCCESS)
- return RLM_MODULE_NOTFOUND;
- if ((ret = sia_ses_authent (NULL, passwd, ent)) != SIASUCCESS) {
- if (ret & SIASTOP)
- sia_ses_release (&ent);
- return RLM_MODULE_NOTFOUND;
- }
- if (sia_ses_estab (NULL, ent) != SIASUCCESS) {
- sia_ses_release (&ent);
- return RLM_MODULE_NOTFOUND;
- }
-#else /* OSFSIA */
- int rcode;
- VALUE_PAIR *vp = NULL;
- if (!request->password ||
- (request->password->da->attr != PW_USER_PASSWORD)) {
- radlog_request(L_AUTH, 0, request, "Attribute \"User-Password\" is required for authentication.");
- return RLM_MODULE_INVALID;
- }
- rcode = unix_getpw(instance, request, &vp);
- if (rcode != RLM_MODULE_UPDATED) return rcode;
- /*
- * 0 means "ok"
- */
- if (fr_crypt_check((char *) request->password->vp_strvalue,
- (char *) vp->vp_strvalue) != 0) {
- radlog_request(L_AUTH, 0, request, "invalid password \"%s\"",
- request->password->vp_strvalue);
- return RLM_MODULE_REJECT;
- }
-#endif /* OSFFIA */
- return RLM_MODULE_OK;
-}
-
-
 /*
 * UUencode 4 bits base64. We use this to turn a 4 byte field
 * (an IP address) into 6 bytes of ASCII.
This is used for the
@@ -584,7 +520,7 @@ module_t rlm_unix = {
 unix_instantiate, /* instantiation */
 unix_detach, /* detach */
 {
- unix_authenticate, /* authentication */
+ NULL, /* authentication */
 unix_authorize, /* authorization */
 NULL, /* preaccounting */
 unix_accounting, /* accounting */
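Review bot: `pairadd(&request->config_items, vp)` on the new side appends unconditionally, whereas the `pairmove`/`pairfree` pair it replaces did not always take the pair — the removed `/* might not be NULL; */` comment on `pairfree` says as much — and `vp` is built with `T_OP_SET` on the context line two above, so the old path looked like a replace of any existing Crypt-Password. If `config_items` already holds a Crypt-Password when this module runs (say from an earlier authorize module; inferred, not visible here), the new code leaves two copies and which one a later authenticator such as pap checks then depends on list order. If replace semantics are intended, keep `pairmove(&request->config_items, &vp); pairfree(&vp);`; if duplicates are acceptable, a one-line comment saying so would stop the next reader from re-raising this. `unix_authorize` begins outside this hunk, in the earlier hunk of this file.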