Secondary radius server

Kevin Kadow (kadokev@ripco.com)
Fri, 11 Oct 1996 02:31:47 -0500 (CDT)

> From: Jon Lewis <jlewis@inorganic5.fdt.net>
> Date: Fri, 11 Oct 1996 00:33:22 -0400 (EDT)
> Subject: Re: FAQ Secondary Radius Server
>
> On Thu, 10 Oct 1996, Ing. Felipe Tribaldos wrote:
>
> > What I want to do is copy the passwd and shadow files over to the
> > secondary server (a sparc 4 sol 2.4) and place them in say
> > /etc/raddb/bk.passwd and bk.shadow
> >
> > What do I need to modify in the Livingston Radius code to read from
> > a specific file other than /etc/shadow and /etc/password.
>
> This depends on your system, the libraries it uses, and on how much code
> you want to write. If you have a function that can basically say "hey,
> use this other passwd/shadow file for future getpw/getsp calls" then it's
> pretty easy to do. If you don't, then you have some options...you can try
> setting up a chrooted environment for the secondary radiusd, or write your
> own passwd/shadow lookup functions.

Few modern OSs have the 'setpwfile()' function, and none that I know of
will do it for shadow.

What you can do is grab a copy of any shadow login source and chop out
the getpwnam() and getspnam() functions, change where they look for the
file, and link them into your radiusd.

BTW, you also want to look at the code in those two functions where it
checks if the file is already open, and if not, reopens it. If you intend
to occasionally replace the 'passwd' and 'shadow' files, you want to
change the code so the files are CLOSED after each access, or else you
will need to KILL and restart radiusd every time you load a new copy of
those two files.

> > Another question, since the shadow file contains both username and password
> > is it possible to use only that shadow file, or do I need also passwd.
>
> My hacked radiusd2 only needs /etc/raddb/shadow for doing authentication
> (and of course the other standard radiusd files).

I'd suggest using them both, just in case you delete a user from passwd
and forget to remove them from the shadow file.

While you're hacking up radiusd for your backup server, if you're using
the code for changing passwords (I hear this is removed in the forthcoming
release of Livingston's radius), you want to disable this on the backup
server, lest users get confused.
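
[Added example, not part of the original message and not Livingston or shadow-suite code.] A sketch in C of the replacement lookup discussed above: it reads copies such as /etc/raddb/bk.passwd and /etc/raddb/bk.shadow, closes each file after every access, and requires the user to be present in both. The names field2 and bk_get_hash are hypothetical, and the caller is assumed to do the crypt() comparison itself.

```c
#include <stdio.h>
#include <string.h>

/* Find `user` in a colon-separated file and copy its second field to out.
 * The file is opened and closed on every call, so a freshly copied file
 * is seen on the next request without restarting the daemon.
 * Returns 0 on success, -1 if the user is absent or on any error. */
static int field2(const char *path, const char *user, char *out, size_t outlen)
{
    char line[1024];
    size_t ulen = strlen(user), flen;
    int rc = -1, c;
    FILE *fp;

    /* The name arrives from the network: refuse separators outright. */
    if (ulen == 0 || strpbrk(user, ":\r\n") != NULL)
        return -1;
    if ((fp = fopen(path, "r")) == NULL)
        return -1;
    while (rc != 0 && fgets(line, sizeof line, fp) != NULL) {
        if (strchr(line, '\n') == NULL && !feof(fp)) {
            /* Overlong line: discard the rest rather than misparse it. */
            while ((c = fgetc(fp)) != EOF && c != '\n')
                ;
            continue;
        }
        if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
            continue;
        flen = strcspn(line + ulen + 1, ":\n");
        if (flen >= outlen)
            break;                      /* field does not fit: fail closed */
        memcpy(out, line + ulen + 1, flen);
        out[flen] = '\0';
        rc = 0;
    }
    fclose(fp);
    return rc;
}

/* Fetch the stored hash only if the user exists in BOTH files, so an
 * account deleted from passwd is rejected even if shadow still lists it. */
int bk_get_hash(const char *pw, const char *sh, const char *user,
                char *hash, size_t hashlen)
{
    char unused[256];
    if (field2(pw, user, unused, sizeof unused) != 0)
        return -1;
    return field2(sh, user, hash, hashlen);
}
```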