summaryrefslogtreecommitdiffstats
path: root/man/man5/rlm_pap.5
diff options
context:
space:
mode:
Diffstat (limited to 'man/man5/rlm_pap.5')
-rw-r--r--man/man5/rlm_pap.5137
1 files changed, 137 insertions, 0 deletions
diff --git a/man/man5/rlm_pap.5 b/man/man5/rlm_pap.5
new file mode 100644
index 0000000..e2ad426
--- /dev/null
+++ b/man/man5/rlm_pap.5
@@ -0,0 +1,137 @@
+.\" # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\" # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_pap 5 "10 January 2015" "" "FreeRADIUS Module"
+.SH NAME
+rlm_pap \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_pap\fP module authenticates RADIUS Access-Request packets
+that contain a User-Password attribute. The module should also be
+listed last in the \fIauthorize\fP section, so that it can set the
+Auth-Type attribute as appropriate.
+.PP
+When a RADIUS packet contains a clear-text password in the form of a
+User-Password attribute, the \fIrlm_pap\fP module may be used for
+authentication. The module requires a "known good" password, which it
+uses to validate the password given in the RADIUS packet. That "known
+good" password must be supplied by another module
+(e.g. \fIrlm_files\fP, \fIrlm_ldap\fP, etc.), and is usually taken
+from a database.
+.SH CONFIGURATION
+.PP
+The only configuration item is:
+.IP normalise
+The default is "yes". This means that the module will try to
+automatically detect passwords that are hex- or base64-encoded and
+decode them back to their binary representation. However, some clear
+text passwords may be erroneously converted. Setting this to "no"
+prevents that conversion.
+.SH USAGE
+.PP
+The module looks for the Password-With-Header control attribute to find
+the "known good" password. The attribute value comprises the header
+followed immediately by the password data. The header is given by the
+following table.
+.PP
+.DS
+.br
+Header Attribute Description
+.br
+------ --------- -----------
+.br
+{clear} Cleartext-Password Clear-text passwords
+.br
+{cleartext} Cleartext-Password Clear-text passwords
+.br
+{crypt} Crypt-Password Unix-style "crypt"ed passwords
+.br
+{md5} MD5-Password MD5 hashed passwords
+.br
+{base64_md5} MD5-Password MD5 hashed passwords
+.br
+{smd5} SMD5-Password MD5 hashed passwords, with a salt
+.br
+{sha} SHA-Password SHA1 hashed passwords
+.br
+ SHA1-Password SHA1 hashed passwords
+.br
+{ssha} SSHA-Password SHA1 hashed passwords, with a salt
+.br
+{sha2} SHA2-Password SHA2 hashed passwords
+.br
+{sha224} SHA2-Password SHA2 hashed passwords
+.br
+{sha256} SHA2-Password SHA2 hashed passwords
+.br
+{sha384} SHA2-Password SHA2 hashed passwords
+.br
+{sha512} SHA2-Password SHA2 hashed passwords
+.br
+{ssha224} SSHA2-224-Password SHA2 hashed passwords, with a salt
+.br
+{ssha256} SSHA2-256-Password SHA2 hashed passwords, with a salt
+.br
+{ssha384} SSHA2-384-Password SHA2 hashed passwords, with a salt
+.br
+{ssha512} SSHA2-512-Password SHA2 hashed passwords, with a salt
+.br
+{nt} NT-Password Windows NT hashed passwords
+.br
+{nthash} NT-Password Windows NT hashed passwords
+.br
+{md4} NT-Password Windows NT hashed passwords
+.br
+{x-nthash} NT-Password Windows NT hashed passwords
+.br
+{ns-mta-md5} NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords
+.br
+{x- orcllmv} LM-Password Windows LANMAN hashed passwords
+.br
+{X- orclntv} NT-Password Windows NT hashed passwords
+.DE
+
+The module tries to be flexible when handling the various password
+formats. It will automatically handle Base-64 encoded data, hex
+strings, and binary data, and convert them to a format that the server
+can use.
+.PP
+If there is no Password-With-Header attribute, the module looks for one
+of the Cleartext-Password, NT-Password, Crypt-Password, etc. attributes
+as listed in the above table. These attributes should contain the
+relevant format password directly, without the header prefix.
+.PP
+Only one control attribute should be set, otherwise behaviour is
+undefined as to which one is used for authentication.
+.SH NOTES
+.PP
+It is important to understand the difference between the User-Password
+and Cleartext-Password attributes. The Cleartext-Password attribute
+is the "known good" password for the user. Simply supplying the
+Cleartext-Password to the server will result in most authentication
+methods working. The User-Password attribute is the password as typed
+in by the user on their private machine. The two are not the same,
+and should be treated very differently. That is, you should generally
+not use the User-Password attribute anywhere in the RADIUS
+configuration.
+.SH SECTIONS
+.BR authorize
+.BR authenticate
+.PP
+.SH FILES
+.I /etc/raddb/mods-available/pap
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHOR
+Alan DeKok <aland@freeradius.org>
+