> For all you radiusd hackers:
>
> In the routine unix_pass() in radiusd.c, there's an unnecessary call to
> getpwnam() if you're using shadow passwords. getpwnam() is called only
> to check that the password field is "x", which it always should be.
Actually, right after that getpwnam call, I check to see if the user
has a valid shell, what group they are in, and what the "other" attributes
(in the gecos field) are set to. No shell, no login. Wrong group, no PPP
or SLIP. Wrong comment, no ISDN, or restricted to one channel, allow two
channels, allow multiple channels. The possibilities are endless.
Shadow password functions divide the gecos field into 5 subfields,
separated by commas.
test:x:3553:100:Test User,Office,555-1212,777-7777,Shell:/home/test:/bin/sh
                Name      Room#  work #   home #   other
The users cannot change that last sub-field (the "other" field). We use
it as an account designator.
> getpwnam() is relatively expensive on a huge password file.
Then use a replacement for it, or use a separate radius server. My primary
radius server is a Sparc 2 with 32MB ram. Cost me a whopping $1350.00 on
the used market. That's all I use it for. Currently up over 75 days.
Searches 2500+ entries in milliseconds. When it gets slower, I'll cook up
a DB scheme (actually shadow already supports this) to get the speed
back. I have very few entries in the radius users file, almost everything
gets validated via the password entries.
Later,
-----------------------------------------------------------------------------
Joe Portman - Alternate Access Inc. Affordable, Reliable Internet
baron@aa.net Mercer Island: (206) 230-8732 Seattle: (206) 443-3408
Tacoma: (206) 927-6010 Federal Way: (206) 838-8457
Bellevue: (206) 455-8414 Olympia : (360) 458-7279
For free trial account: set modem to 8-n-1, login as "new"
For questions or support, call our voice line (206) 728-9585.
-----------------------------------------------------------------------------
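As an added example (not Joe's code, and not taken from the radiusd sources), here is a C sketch of the checks the reply describes: parse one passwd line, split the gecos field into the five comma-separated subfields shadow uses, and decide from the shell, the group and the "other" subfield what the account may do. The group number (100) and the designator words (PPP, ISDN1, ISDN2, ISDNMULTI) are assumptions for illustration; the post only says that such a designator exists, not how it is spelled.

```c
#include <stdlib.h>
#include <string.h>

/* One passwd(5) record, name:passwd:uid:gid:gecos:dir:shell, kept as
 * strings plus the parsed numeric uid and gid. */
enum { PW_NAME, PW_PASSWD, PW_UID, PW_GID, PW_GECOS, PW_DIR, PW_SHELL, PW_NFIELDS };
struct pwrec {
    char f[PW_NFIELDS][256];
    long uid, gid;
};
/* What an account may do: a permission bitmask plus an ISDN channel limit. */
enum { PERM_LOGIN = 1, PERM_PPP = 2, PERM_SLIP = 4, PERM_ISDN = 8,
       PERM_BAD = 0xFFFF };         /* PERM_BAD: the entry could not be parsed */
#define DIALUP_GID 100L             /* hypothetical: the group allowed PPP/SLIP */
struct policy {
    unsigned perms;
    int isdn_channels;              /* 0 = no ISDN, -1 = no channel limit */
};

/* Copy [s, e) into dst, failing rather than truncating. */
static int copy_field(char *dst, size_t cap, const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    if (n >= cap) return -1;
    memcpy(dst, s, n); dst[n] = '\0';
    return 0;
}

/* Parse one passwd line: 0, or -1 unless exactly seven fields and numeric uid/gid. */
int parse_passwd_line(const char *line, struct pwrec *r)
{
    const char *p = line;
    char *end;
    int i;
    for (i = 0; i < PW_NFIELDS; i++) {
        const char *stop = p + strcspn(p, ":\r\n");
        if ((i == PW_SHELL) ? *stop == ':' : *stop != ':')
            return -1;              /* too many / too few fields */
        if (copy_field(r->f[i], sizeof r->f[i], p, stop) < 0)
            return -1;
        p = stop + 1;
    }
    r->uid = strtol(r->f[PW_UID], &end, 10);
    if (r->f[PW_UID][0] == '\0' || *end != '\0')
        return -1;
    r->gid = strtol(r->f[PW_GID], &end, 10);
    return (r->f[PW_GID][0] != '\0' && *end == '\0') ? 0 : -1;
}

/* Split gecos as shadow's chfn does: up to five comma-separated subfields (name,
 * room, work phone, home phone, other); the fifth keeps any further commas. */
int split_gecos(const char *gecos, char sub[5][128])
{
    const char *p = gecos;
    int n;
    memset(sub, 0, 5 * 128);
    for (n = 0; n < 5 && *p != '\0'; n++) {
        const char *comma = (n < 4) ? strchr(p, ',') : NULL;
        const char *stop = comma ? comma : p + strlen(p);
        if (copy_field(sub[n], 128, p, stop) < 0)
            return -1;
        p = comma ? comma + 1 : stop;
    }
    return n;                       /* number of subfields present */
}

/* Derive the policy from shell, group and the "other" subfield. The
 * designator words (PPP, ISDN1, ISDN2, ISDNMULTI) are hypothetical. */
struct policy decide_policy(const struct pwrec *r)
{
    static const struct { const char *tag; unsigned perms; int ch; } tab[] = {
        { "PPP",       PERM_PPP | PERM_SLIP, 0 },
        { "ISDN1",     PERM_PPP | PERM_ISDN, 1 },
        { "ISDN2",     PERM_PPP | PERM_ISDN, 2 },
        { "ISDNMULTI", PERM_PPP | PERM_ISDN, -1 },
    };
    struct policy pol = { 0u, 0 };
    char sub[5][128];
    size_t i;
    if (r->f[PW_SHELL][0] == '\0')
        return pol;                 /* no shell, no login */
    pol.perms = PERM_LOGIN;
    if (r->gid != DIALUP_GID)
        return pol;                 /* wrong group, no PPP or SLIP */
    if (split_gecos(r->f[PW_GECOS], sub) < 0)
        return pol;                 /* unparseable gecos: fail closed */
    for (i = 0; i < sizeof tab / sizeof tab[0]; i++)
        if (strcmp(sub[4], tab[i].tag) == 0) {
            pol.perms |= tab[i].perms;
            pol.isdn_channels = tab[i].ch;
        }
    return pol;                     /* "Shell" or unknown word: login only */
}

/* Parse and decide in one step; perms == PERM_BAD marks a malformed entry. */
struct policy policy_for_line(const char *line)
{
    struct pwrec r;
    struct policy bad = { PERM_BAD, 0 };
    return parse_passwd_line(line, &r) < 0 ? bad : decide_policy(&r);
}
```

Feeding the post's own "test" line to policy_for_line() yields login only, since its "other" subfield is "Shell"; an entry with an empty shell gets nothing, an entry in another group gets login but no PPP or SLIP, and a malformed line (wrong field count, non-numeric uid) is rejected outright. Both the unknown-designator and malformed-entry paths fail closed, granting no extra service. Note that the scheme works as an access control only while users cannot write that fifth subfield themselves, which the reply states is the case with shadow's chfn.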