rlm_pap

Langue: en

Autres versions - même langue

Version: 8 February 2005 (debian - 07/07/09)

Section: 5 (Format de fichier)

Sommaire

NAME

rlm_pap - FreeRADIUS Module

DESCRIPTION

The rlm_pap module authenticates RADIUS Access-Request packets that contain a User-Password attribute. The module should also be listed last in the authorize section, so that it can set the Auth-Type attribute as appropriate.

When a RADIUS packet contains a clear-text password in the form of a User-Password attribute, the rlm_pap module may be used for authentication. The module requires a "known good" password, which it uses to validate the password given in the RADIUS packet. That "known good" password must be supplied by another module (e.g. rlm_files, rlm_ldap, etc.), and is usually taken from a database.

CONFIGURATION

The only relevant configuration item is:

auto_header
If set to "yes", the module will look inside of the User-Password attribute for the headers {crypt}, {clear}, etc., and will automatically create the appropriate attribute, with the correct value.

This module understands many kinds of password hashing methods, as given by the following table.

 
 
 Header       Attribute          Description
 
 ------       ---------          -----------
 
 {clear}      User-Password      clear-text passwords
 
 {cleartext}  User-Password      clear-text passwords
 
 {crypt}      Crypt-Password     Unix-style "crypt"ed passwords
 
 {md5}        MD5-Password       MD5 hashed passwords
 
 {smd5}       SMD5-Password      MD5 hashed passwords, with a salt
 
 {sha}        SHA-Password       SHA1 hashed passwords
 
 {ssha}       SSHA-Password      SHA1 hashed passwords, with a salt
 
 {nt}         NT-Password        Windows NT hashed passwords
 
 {x-nthash}   NT-Password        Windows NT hashed passwords
 
 {lm}         LM-Password        Windows Lan Manager (LM) passwords.

The module tries to be flexible when handling the various password formats. It will automatically handle Base-64 encoded data, hex strings, and binary data, and convert them to a format that the server can use.

For backwards compatibility, there are old configuration parameters which may be work, although we do not recommend using them.

SECTIONS

authorize authenticate

FILES

/etc/raddb/radiusd.conf

SEE ALSO

radiusd(8), radiusd.conf(5)

AUTHOR

Alan DeKok <aland@freeradius.org>