help-gnu-radius

Re: [Help-gnu-radius] Problems with 1.0 and --enable-shadow


From: Andrea Mistrali
Subject: Re: [Help-gnu-radius] Problems with 1.0 and --enable-shadow
Date: Tue, 1 Jul 2003 10:24:25 +0200

On 30/06/2003 Sergey Poznyakoff wrote:

SP> Hi Andrea,

Hi Sergey :)

SP> 
SP> > Reading the code I guess that if I configure GNU RADIUS with
SP> > --enable-shadow
SP> 
SP> By the way, generally the configuration suite is able to determine
SP> if the system has shadow passwords, so you don't have to explicitly give
SP> it --enable-shadow switch. If on your system it was unable to detect
SP> shadow, please run configure without this switch and send me the resulting
SP> config.log, so I may fix this in the future releases.
SP> 
SP> > it will only look for passwords in /etc/shadow and it will not fall back
SP> > to reading /etc/passwd if I use Auth-Type=System.
SP>  
SP> Right.
SP> 
SP> > A workaround is to use --enable-pam and Auth-Type=Pam, but I'm sure
SP> > (still using it) that version 0.96.4, configured with --enable-shadow
SP> > will fall back to /etc/passwd, not finding /etc/shadow.
SP> 
SP> Right.
SP> 
SP> > I think that this should be the most
SP> > intuitive behaviour, but I would like to know if I read the code
SP> > correctly.
SP>  
SP> Yes, Andrea, you have read it correctly.

Well, I forgot one thing. In 0.96.4 the behaviour was the one above. Now I'm
trying to upgrade to 1.0 and in 1.0 it seems not to behave this way. It seems
that if you compile it with --enable-shadow it tries to look for /etc/shadow
and if it does not find it, it gives up, not allowing the user to log in.

SP> 
SP> > I would even like to know if the old behaviour would be restored in next
SP> > versions.
SP> 
SP> Well, I'm equally comfortable with either approach. If it is critical to
SP> you, I'll send you the patch tomorrow. Let me know if you need it. In the
SP> future releases I'll provide a special option to switch between the two
SP> behaviors. However, let me note that keeping passwords in /etc/passwd is
SP> highly unsecure.
SP> 

Well, it is not critical, I solved it using PAM, but I'm thinking of binary
distribution. If I do not use --enable-shadow you say it will guess if
/etc/shadow is present or not, but what if I compile it on a machine that has
/etc/shadow and install it on one that does not have it???

Simply, looking at other programs that authenticate users against the normal UNIX
database (/etc/{shadow,passwd,group}), it seems to me more intuitive to try to
use shadow and fall back to old passwd if shadow fails.

Andre
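
The two behaviours discussed in this thread, decided at run time instead of at configure time, as an added example that is not part of the original message and is not GNU Radius code. The names `shadow_policy`, `passwd_field_usable`, `select_hash` and `system_hash` are hypothetical; the sketch assumes a glibc-style system that provides `<shadow.h>`.

```c
#include <pwd.h>
#include <shadow.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical switch between the two behaviours from the thread. */
enum shadow_policy {
    SHADOW_ONLY,        /* 1.0 behaviour: no shadow entry, no login      */
    SHADOW_THEN_PASSWD  /* 0.96.4 behaviour: fall back to /etc/passwd    */
};

/* Nonzero if a passwd(5) password field holds a real hash. "x" points at
   /etc/shadow, "*" and "!" mark a disabled account, and an empty field
   means "no password required", which is refused here (fail closed). */
int passwd_field_usable(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return 0;
    if (strcmp(field, "x") == 0)
        return 0;
    if (field[0] == '*' || field[0] == '!')
        return 0;
    return 1;
}

/* Pure decision step: which stored hash, if any, may be checked with
   crypt(3). NULL means the authentication attempt must be rejected. */
const char *select_hash(const char *shadow_hash, const char *passwd_field,
                        enum shadow_policy policy)
{
    if (shadow_hash != NULL)
        return shadow_hash;                 /* shadow always wins */
    if (policy == SHADOW_THEN_PASSWD && passwd_field_usable(passwd_field))
        return passwd_field;                /* legacy fallback */
    return NULL;
}

/* Run-time lookup, so one binary behaves correctly on hosts with and
   without /etc/shadow. The result points into static libc storage and
   is overwritten by the next getspnam()/getpwnam() call. */
const char *system_hash(const char *user, enum shadow_policy policy)
{
    struct spwd *sp = getspnam(user);   /* NULL: no entry or not readable */
    struct passwd *pw = getpwnam(user);
    return select_hash(sp ? sp->sp_pwdp : NULL,
                       pw ? pw->pw_passwd : NULL, policy);
}
```

Reading `/etc/shadow` normally requires root or membership in the shadow group, so an unprivileged process sees `getspnam()` fail even on a host that has the file.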



