diff options
Diffstat (limited to 'man/man5/rlm_pap.5')
-rw-r--r-- | man/man5/rlm_pap.5 | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/man/man5/rlm_pap.5 b/man/man5/rlm_pap.5 new file mode 100644 index 0000000..e2ad426 --- /dev/null +++ b/man/man5/rlm_pap.5 @@ -0,0 +1,137 @@ +.\" # DS - begin display +.de DS +.RS +.nf +.sp +.. +.\" # DE - end display +.de DE +.fi +.RE +.sp +.. +.TH rlm_pap 5 "10 January 2015" "" "FreeRADIUS Module" +.SH NAME +rlm_pap \- FreeRADIUS Module +.SH DESCRIPTION +The \fIrlm_pap\fP module authenticates RADIUS Access-Request packets +that contain a User-Password attribute. The module should also be +listed last in the \fIauthorize\fP section, so that it can set the +Auth-Type attribute as appropriate. +.PP +When a RADIUS packet contains a clear-text password in the form of a +User-Password attribute, the \fIrlm_pap\fP module may be used for +authentication. The module requires a "known good" password, which it +uses to validate the password given in the RADIUS packet. That "known +good" password must be supplied by another module +(e.g. \fIrlm_files\fP, \fIrlm_ldap\fP, etc.), and is usually taken +from a database. +.SH CONFIGURATION +.PP +The only configuration item is: +.IP normalise +The default is "yes". This means that the module will try to +automatically detect passwords that are hex- or base64-encoded and +decode them back to their binary representation. However, some clear +text passwords may be erroneously converted. Setting this to "no" +prevents that conversion. +.SH USAGE +.PP +The module looks for the Password-With-Header control attribute to find +the "known good" password. The attribute value comprises the header +followed immediately by the password data. The header is given by the +following table. +.PP +.DS +.br +Header Attribute Description +.br +------ --------- ----------- +.br +{clear} Cleartext-Password Clear-text passwords +.br +{cleartext} Cleartext-Password Clear-text passwords +.br +{crypt} Crypt-Password Unix-style "crypt"ed passwords +.br +{md5} MD5-Password MD5 hashed passwords +.br +{base64_md5} MD5-Password MD5 hashed passwords +.br +{smd5} SMD5-Password MD5 hashed passwords, with a salt +.br +{sha} SHA-Password SHA1 hashed passwords +.br + SHA1-Password SHA1 hashed passwords +.br +{ssha} SSHA-Password SHA1 hashed passwords, with a salt +.br +{sha2} SHA2-Password SHA2 hashed passwords +.br +{sha224} SHA2-Password SHA2 hashed passwords +.br +{sha256} SHA2-Password SHA2 hashed passwords +.br +{sha384} SHA2-Password SHA2 hashed passwords +.br +{sha512} SHA2-Password SHA2 hashed passwords +.br +{ssha224} SSHA2-224-Password SHA2 hashed passwords, with a salt +.br +{ssha256} SSHA2-256-Password SHA2 hashed passwords, with a salt +.br +{ssha384} SSHA2-384-Password SHA2 hashed passwords, with a salt +.br +{ssha512} SSHA2-512-Password SHA2 hashed passwords, with a salt +.br +{nt} NT-Password Windows NT hashed passwords +.br +{nthash} NT-Password Windows NT hashed passwords +.br +{md4} NT-Password Windows NT hashed passwords +.br +{x-nthash} NT-Password Windows NT hashed passwords +.br +{ns-mta-md5} NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords +.br +{x- orcllmv} LM-Password Windows LANMAN hashed passwords +.br +{X- orclntv} NT-Password Windows NT hashed passwords +.DE + +The module tries to be flexible when handling the various password +formats. It will automatically handle Base-64 encoded data, hex +strings, and binary data, and convert them to a format that the server +can use. +.PP +If there is no Password-With-Header attribute, the module looks for one +of the Cleartext-Password, NT-Password, Crypt-Password, etc. attributes +as listed in the above table. These attributes should contain the +relevant format password directly, without the header prefix. +.PP +Only one control attribute should be set, otherwise behaviour is +undefined as to which one is used for authentication. +.SH NOTES +.PP +It is important to understand the difference between the User-Password +and Cleartext-Password attributes. The Cleartext-Password attribute +is the "known good" password for the user. Simply supplying the +Cleartext-Password to the server will result in most authentication +methods working. The User-Password attribute is the password as typed +in by the user on their private machine. The two are not the same, +and should be treated very differently. That is, you should generally +not use the User-Password attribute anywhere in the RADIUS +configuration. +.SH SECTIONS +.BR authorize +.BR authenticate +.PP +.SH FILES +.I /etc/raddb/mods-available/pap +.PP +.SH "SEE ALSO" +.BR radiusd (8), +.BR radiusd.conf (5) +.SH AUTHOR +Alan DeKok <aland@freeradius.org> + |