Re: Question Re: Merit Radius

William Bulley (web@merit.edu)
Tue, 17 Oct 1995 18:17:25 -0400 (EDT)

According to Jeff Mcadams:
>
> Maybe this should go on the radius list, but I don't have that list set
> up on a nice handy alias in elm (call me lazy).

It probably should...

> It seems (after looking into it for a few days) that the Merit version
> of Radius, when using the Unix-PW authentication type, is checking for a
> valid shell for the user (checking against /etc/shells). Problem
> is....I don't want it to do this! Our SLIP/PPP accounts (at this point)
> have userids that match the pattern s-???? (with the ?'s being numbers)
> with the login shell being /usr/lib/ppp/Login. We don't want to put
> /usr/lib/ppp/Login in /etc/shells (for obvious reasons), but we do need
> Radius to go ahead and authenticate these users. Right now, it's giving
> a message (from our PM-25) of Authentication failed.

We are certainly responsible for the /etc/shells probe (we think it is a
good check against some forms of security attack). The s-??? (and p-???)
are they part of the SCP stuff (which isn't in Merit releases)?

I have mentioned the idea of putting this in, but it would have to strip
the s- and p- off the User-Name for this to work against the /etc/passwd
file. If it is just a matter of the shell being /usr/lib/ppp/Login, then
simply add that line to your /etc/shells file (or create one with that
line in it along with others and/or none as needed).

> inserting a "return EV_ACK" right before the code in authenticate.c that
> checks against /etc/shells for a valid login shell (around line 765).
> No change in behavior.

That is probably _a_ solution (read hack :-) to the problem, but there may
be cleaner ways to solve it... but if it works for you, then fine! :-)

> What am I missing? If this should work, I might possibly have something
> else causing the authentication failure, but I'm not sure what else it
> would be. Any ideas? Bueller....Bueller.....Bueller.....

There are lots of things that can go wrong, but once you start modifying
code you have to take the responsibility of knowing what the code does and
realize that I may not be able to help you...

Regards,

web...

-- 
William Bulley, N8NXN              Senior Systems Research Programmer
Merit Network Inc.                 Domain: web@merit.edu
4251 Plymouth Road                 MaBell: (313) 764-9993
Ann Arbor, Michigan  48105-2785    Fax:    (313) 747-3185
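
The /etc/shells probe discussed in this message, sketched as an added example that is not Merit RADIUS code and not taken from authenticate.c: an account passes only if the login shell in its passwd entry is listed in the shells file. The function names, the line buffer size and the sample entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if `shell` is an entry in an /etc/shells-format stream, else 0. */
int shell_is_listed(FILE *fp, const char *shell)
{
    char line[256];
    int c;
    if (fp == NULL || shell == NULL || shell[0] != '/')
        return 0;
    rewind(fp);
    while (fgets(line, sizeof line, fp) != NULL) {
        char *p = line + strspn(line, " \t");
        if (strchr(line, '\n') == NULL && !feof(fp)) {
            while ((c = getc(fp)) != EOF && c != '\n')
                ;                       /* over-long line: skip it whole */
            continue;
        }
        p[strcspn(p, " \t\r\n#")] = '\0';   /* drop comment, trailing space */
        if (strcmp(p, shell) == 0)
            return 1;
    }
    return 0;
}

/* `entry` is one passwd(5) line without its newline. Accept it only if the
 * 7th field (login shell) is listed; an empty field means /bin/sh. */
int account_shell_ok(const char *entry, FILE *shells)
{
    for (int i = 0; i < 6; i++) {
        if ((entry = strchr(entry, ':')) == NULL)
            return 0;                   /* malformed entry: fail closed */
        entry++;
    }
    return shell_is_listed(shells, *entry ? entry : "/bin/sh");
}

int main(void)
{
    /* Constructed sample data, not taken from the systems in the thread. */
    FILE *fp = tmpfile();
    if (fp == NULL)
        return 1;
    fputs("# sample\n/bin/sh\n/bin/csh\n", fp);
    printf("%d\n", account_shell_ok("u1:*:500:50::/home/u1:/bin/csh", fp));
    printf("%d\n", account_shell_ok("s-1234:*:501:50::/tmp:/usr/lib/ppp/Login", fp));
    return 0;
}
```

The comparison is an exact match on the whole path, so a shell that is merely a prefix or suffix of a listed entry is rejected, and a malformed entry is refused rather than accepted.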