pam_radius_auth - PAM module for RADIUS authentication
The pam_radius_auth module implements the pam_sm_authenticate() function, which provides functionality to the PAM authentication stack. It may be used alone or stacked after another module, typically pam_unix_auth, to provide an additional authentication factor. The pam_sm_authenticate() function encodes the user's password or authentication token per RFCs 2865, 6613, and 6614, sends a RADIUS access request to the server, and validates the response. The module can be configured either to prompt the user for a password, or to use the value saved in PAM_AUTHTOK by a previous module. If the RADIUS server issues a challenge rather than accept or reject result, the module will continue the PAM conversation, prompting the user for a response to the challenge, and issues a new access request to the server. This may result in the user being prompted for multiple authentication tokens. In this case, the prompt seen by the user typically originates from the RADIUS server.
If the RADIUS server issues a challenged rather than a simple accept or reject result, the module will continue the PAM conversation, prompting the user for a response to the challenge, and issue a new access request to the server.
Authentication service modules must implement both pam_sm_authenticate() and pam_sm_setcred() functions. To allow the authentication portion of UNIX authentication to be replaced, the pam_sm_setcred() function in this module always returns PAM_IGNORE. This module should be stacked with the pam_unix_cred function to ensure a successful return from the pam_setcred function. For more information, see the pam_setcred(3PAM) man page.
The following options can be passed to the module:
The absolute path of the radius configuration file. The default location is /etc/inet/pam_radius.conf. The svc:/system/radius/client:default service instance automatically generates this configuration file at the default location.
If set, this PAM module uses the password string saved in PAM_AUTHTOK, rather than prompting for a new password.
Echoes the characters entered by the user when prompted for a password. This value may be set when it is expected that the user is entering an OTP or challenge response that does not need to be kept secret. This option is ignored if use_authtok is set.
Turn off warning messages.
syslog debugging information at LOG_DEBUG level. For more information, see the syslog(3C) man page.
Configuration is performed by modifying properties of the SMF service, svc:/system/network/radius/client:default. The following variables provide configuration and customization of the pam_radius_auth modules behavior:
pam_radius_conf/path astring
Controls the location of the configuration file generated by this service instance. Combined with the config_file option to the PAM module, this is used to create different instances of the radius or client service participating in different RADIUS configurations.
config/timeout integer
Timeout waiting for a response from each RADIUS server. Defaults to 10 seconds.
config/nas_id astring
Network Access Server identifier sent to RADIUS server. Defaults to hostname.
TLS related parameters - config/client_cert_file astring - config/client_key_file astring - config/ca_path astring
Certificates and key files are in PEM format with appropriate begin or end guards. The file designated by client_cert_file must begin with the client's end-entity certificate, followed by all necessary intermediate certificates. ca_path may be either a file containing the concatenation of all trusted CA certificates or a directory containing distinct certificate files. If a directory is used, it must be populated with symlinks appropriate for use by openssl. This is typically done by running the c_rehash command on that directory.
config/ciphers
Allows the set of TLS ciphers used by using the openssl to be overridden. For more information, see the openssl ciphers man page.
config/tls_version_min
Sets the minimum TLS version. Valid values are 1.1 and 1.2. The default is 1.1.
config/show_radius_replies boolean
Should the module display reply messages be included in the ACCESS-ACCEPT or ACCESS-REJECT from the RADIUS server? Defaults to true.
config/passwd_prompt_string ustring
The prompt is used when the pam_radius_auth module initially prompts the user for a password or other authentication token. This value is ignored if the use_authtok option is set for the module in the PAM policy.
config/chal_prompt_string ustring
Override the challenge prompt supplied by the RADIUS server.
Server parameters
The PAM module supports up to 5 radius servers. Multiple servers are supported to enable availability in cases where one or more servers can be down or unreachable. The selected server may be unpredictable and should not be relied upon.
config/server_list host
Names or IP addresses of RADIUS servers, with optional port number e.g. "server1 server2:1812 192.168.0.2 [2001::45]:2083"
config/secret/radius ustring
Shared secret for RADIUS server, an ASCII string. The RADIUS secret is not used for TLS and should not be set in that case. This property group requires the authorization solaris.radius.secret.read to read.
The following error codes are returned from the pam_sm_authenticate() function:
Authentication failure
Memory buffer error
Ignores module not participating in result
Permission denied
Successfully authenticated the user
System error
No account present for user
The following error code is returned from the pam_sm_setcred() function:
Ignores this module regardless of the control flag
libpam(3LIB), pam(3PAM), pam_authenticate(3PAM), pam_setcred(3PAM), pam_get_item(3PAM), pam.conf(5), pam_authtok_get(7), openssl(7)