/usr/share/doc/freeradius/modules/rlm_pam is in freeradius 3.0.16+dfsg-1ubuntu3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

		PAM Support for FreeRadius


0. INTRODUCTION

   PAM support was done by Jeph Blaize. Miguel a.l. Paraz <map@iphil.net>
   ported it to FreeRADIUS' parent, Cistron-Radius. Chris Dent <cdent@kiva.net>
   added the Pam-Auth attribute.

1. USAGE

   Use Auth-Type = Pam in the users file.  You cannot use User-Password = "PAM"
   as in other radius servers. Sorry.

   You can also use ``Pam-Auth = "somestring"'' to specify an entry in
   /etc/pam.d. The default is "radius".

   Compile and install FreeRADIUS with PAM support (./configure --help
   will tell you how).

   Within your radiusd.conf file, in the 'modules' section, make sure
   that the pam section is enabled:

        pam {
                #
                #  The name to use for PAM authentication.
                #  PAM looks in /etc/pam.d/${pam_auth_name}
                #  for its configuration.
                #
                #  Note that any Pam-Auth attribute set in the 'users'
                #  file overrides this one.
                #
                pam_auth = radiusd
        }

   In the 'authenticate' section, do the same:

   authenticate {
        # Uncomment this if you want to use PAM (Auth-Type = PAM)
        pam
        ...
   }


   In your /etc/pam.d/ directory create a file called radiusd with the
   following contents (or whatever you want for your pam configuration,
   this seems to work for me):

#%PAM-1.0
auth       required     /lib/security/pam_unix_auth.so shadow md5 nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix_acct.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_unix_passwd.so shadow md5 nullok use_authtok
session    required     /lib/security/pam_unix_session.so


   If you don't want to run your freeradius server in debug mode as
   root (i.e., you run it as an unprivileged user), you will need to run
   freeradius with a group membership that is able to read the
   /etc/shadow file; otherwise PAM will be unable to read the
   /etc/shadow file and will fail. I suggest a group called 'shadow' or
   the like.

   $ chgrp shadow /etc/shadow
   $ chmod g+r /etc/shadow

   And in the radiusd.conf file:

   #  On systems with shadow passwords, you might have to set 'group = shadow'
   #  for the server to be able to read the shadow password file.
   #
   # Change below to suit your setup.
   user = radius
   group = shadow


   Please understand that giving read permission on the /etc/shadow
   file to anything except root is something that you want to think a
   bit upon!!
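
   As an added example (not part of the original FreeRADIUS
   documentation), the shell functions below check a shadow file for
   mode bits beyond owner access plus group read, and a PAM service
   file for nullok on auth lines, which makes pam_unix accept accounts
   whose password is blank. The function names are hypothetical and
   the demo runs only on constructed stand-in files.

```shell
#!/bin/sh
# Added example, not FreeRADIUS code. Function names are hypothetical.

# Report mode bits on a shadow file beyond owner access plus group read.
# Returns 0 when clean, 1 on findings, 2 if the file is missing.
check_shadow_mode() {
    f=$1; bad=0
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # POSIX find: "-perm -BITS" matches only when every bit in BITS is set.
    for spec in 020:group-writable 004:world-readable 002:world-writable; do
        if [ -n "$(find "$f" -prune -perm "-${spec%%:*}")" ]; then
            echo "${spec#*:}: $f"; bad=1
        fi
    done
    return "$bad"
}

# Report auth lines in a PAM service file that pass nullok to the module.
# Same return codes. Assumes the simple "type control module args" layout.
check_pam_nullok() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    hits=$(awk '($1 == "auth" || $1 == "-auth") {
        for (i = 4; i <= NF; i++)
            if ($i == "nullok") print "nullok on auth line " NR ": " $3
    }' "$f")
    [ -z "$hits" ] && return 0
    echo "$hits"; return 1
}

# Demo on constructed stand-in files; the real /etc/shadow is never touched.
demo() {
    d=$(mktemp -d) || return 1
    printf 'radius:*:19000:0:99999:7:::\n' > "$d/shadow"   # constructed entry
    chmod 660 "$d/shadow"                                  # group-writable stand-in
    cat > "$d/radiusd" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_unix_auth.so shadow md5 nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix_acct.so
EOF
    check_shadow_mode "$d/shadow" || true
    check_pam_nullok "$d/radiusd" || true
    rm -rf "$d"
}
demo
```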

2. NOTES

   None.

3. TODO:

   Real PAM support, figure out how we can write a module that will make
   it blend in with PAM more seamlessly.  With this, we can replace the
   DENY_SHELL with something more flexible such as a database.

4. EXAMPLE:

DEFAULT Auth-Type = Pam,  NAS-IP-Address = 206.97.64.5
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Auth-Type = Pam,  Pam-Auth = "radius2", NAS-IP-Address = 127.0.0.1
	Service-Type = Framed-User,
	Framed-Protocol = PPP,
	Framed-IP-Address = 255.255.255.254,
	Filter-Id = "std.ppp",
	Framed-MTU = 1500,
	Framed-Compression = Van-Jacobson-TCP-IP