1 files changed, 137 insertions, 0 deletions
diff --git a/man/man5/rlm_pap.5 b/man/man5/rlm_pap.5
new file mode 100644
index 0000000..e2ad426
--- /dev/null
+++ b/man/man5/rlm_pap.5
@@ -0,0 +1,137 @@
+.\"     # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\"     # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_pap 5 "10 January 2015" "" "FreeRADIUS Module"
+.SH NAME
+rlm_pap \- FreeRADIUS Module
+.SH DESCRIPTION
+The \fIrlm_pap\fP module authenticates RADIUS Access-Request packets
+that contain a User-Password attribute.  The module should also be
+listed last in the \fIauthorize\fP section, so that it can set the
+Auth-Type attribute as appropriate.
+.PP
+When a RADIUS packet contains a clear-text password in the form of a
+User-Password attribute, the \fIrlm_pap\fP module may be used for
+authentication.  The module requires a "known good" password, which it
+uses to validate the password given in the RADIUS packet.  That "known
+good" password must be supplied by another module
+(e.g. \fIrlm_files\fP, \fIrlm_ldap\fP, etc.), and is usually taken
+from a database.
+.SH CONFIGURATION
+.PP
+The only configuration item is:
+.IP normalise
+The default is "yes".  This means that the module will try to
+automatically detect passwords that are hex- or base64-encoded and
+decode them back to their binary representation.  However, some clear
+text passwords may be erroneously converted.  Setting this to "no"
+prevents that conversion.
+.SH USAGE
+.PP
+The module looks for the Password-With-Header control attribute to find
+the "known good" password. The attribute value comprises the header
+followed immediately by the password data. The header is given by the
+following table.
+.PP
+.DS
+.br
+Header       Attribute           Description
+.br
+------       ---------           -----------
+.br
+{clear}      Cleartext-Password  Clear-text passwords
+.br
+{cleartext}  Cleartext-Password  Clear-text passwords
+.br
+{crypt}      Crypt-Password      Unix-style "crypt"ed passwords
+.br
+{md5}        MD5-Password        MD5 hashed passwords
+.br
+{base64_md5} MD5-Password        MD5 hashed passwords
+.br
+{smd5}       SMD5-Password       MD5 hashed passwords, with a salt
+.br
+{sha}        SHA-Password        SHA1 hashed passwords
+.br
+             SHA1-Password       SHA1 hashed passwords
+.br
+{ssha}       SSHA-Password       SHA1 hashed passwords, with a salt
+.br
+{sha2}       SHA2-Password       SHA2 hashed passwords
+.br
+{sha224}     SHA2-Password       SHA2 hashed passwords
+.br
+{sha256}     SHA2-Password       SHA2 hashed passwords
+.br
+{sha384}     SHA2-Password       SHA2 hashed passwords
+.br
+{sha512}     SHA2-Password       SHA2 hashed passwords
+.br
+{ssha224}    SSHA2-224-Password  SHA2 hashed passwords, with a salt
+.br
+{ssha256}    SSHA2-256-Password  SHA2 hashed passwords, with a salt
+.br
+{ssha384}    SSHA2-384-Password  SHA2 hashed passwords, with a salt
+.br
+{ssha512}    SSHA2-512-Password  SHA2 hashed passwords, with a salt
+.br
+{nt}         NT-Password         Windows NT hashed passwords
+.br
+{nthash}     NT-Password         Windows NT hashed passwords
+.br
+{md4}        NT-Password         Windows NT hashed passwords
+.br
+{x-nthash}   NT-Password         Windows NT hashed passwords
+.br
+{ns-mta-md5} NS-MTA-MD5-Password Netscape MTA MD5 hashed passwords
+.br
+{x- orcllmv} LM-Password         Windows LANMAN hashed passwords
+.br
+{X- orclntv} NT-Password         Windows NT hashed passwords
+.DE
+
+The module tries to be flexible when handling the various password
+formats.  It will automatically handle Base-64 encoded data, hex
+strings, and binary data, and convert them to a format that the server
+can use.
+.PP
+If there is no Password-With-Header attribute, the module looks for one
+of the Cleartext-Password, NT-Password, Crypt-Password, etc. attributes
+as listed in the above table. These attributes should contain the
+relevant format password directly, without the header prefix.
+.PP
+Only one control attribute should be set, otherwise behaviour is
+undefined as to which one is used for authentication.
+.SH NOTES
+.PP
+It is important to understand the difference between the User-Password
+and Cleartext-Password attributes.  The Cleartext-Password attribute
+is the "known good" password for the user.  Simply supplying the
+Cleartext-Password to the server will result in most authentication
+methods working.  The User-Password attribute is the password as typed
+in by the user on their private machine.  The two are not the same,
+and should be treated very differently.  That is, you should generally
+not use the User-Password attribute anywhere in the RADIUS
+configuration.
+.SH SECTIONS
+.BR authorize
+.BR authenticate
+.PP
+.SH FILES
+.I /etc/raddb/mods-available/pap
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.SH AUTHOR
+Alan DeKok <aland@freeradius.org>
+