rlm_pap(5)                     FreeRADIUS Module                    rlm_pap(5)


NAME

       rlm_pap - FreeRADIUS Module


DESCRIPTION

       The rlm_pap module performs PAP authentication.

       This module performs authentication when the Access-Request contains a
       User-Password attribute AND when a "known good" password has been
       configured for the user.  In addition, it takes care of decoding the
       "known good" password from hex or Base64 encoding to a form it can use
       for authentication.

       As a result, as of 1.1.4, the "encryption_scheme" configuration item
       SHOULD NOT BE USED, and the rlm_ldap configuration item
       "password_header" SHOULD NOT BE USED.  Those items will continue to work
       in 1.1.4, and existing systems will work unchanged after upgrading to
       1.1.4.  We recommend, though, that sites using multiple instances of
       rlm_pap see if they can replace those multiple instances with one
       instance, using the new "auto_header" configuration, and remove the
       "password_header" configuration from rlm_ldap.

       The configuration item(s):

       auto_header
              Automatically discover password headers.  Permitted values are
              "yes" and "no".  For backwards compatibility, the default is
              "no".

              The recommended value is "yes".

       encryption_scheme
              No longer used, and therefore no longer documented.

       When "auto_header" is set to "yes", the module will look in the
       configuration list for the User-Password attribute or the new
       Password-With-Header attribute.  If found, it will then look at the
       string value of those attributes, for one of the following headers:

            {clear}
            {cleartext}
            {crypt}
            {md5}
            {smd5}
            {sha1}
            {ssha1}
            {nt}
            {x-nthash}
            {ns-mta-md5}

       The text following the header is taken as the "known good" password,
       either cleartext, crypted, hashed, or hashed with a salt.  If the text
       is hex or Base64 encoded, it will be decoded to obtain the correct form
       of the "known good" password.  The User-Password in the Access-Request
       will then be crypted, or hashed as appropriate, and compared to the
       "known good" password.  If they match, the user is authenticated,
       otherwise the module returns reject.
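
       The following Python is an added illustration of the header handling
       described above; it is not FreeRADIUS code and not part of this manual
       page.  It covers the {clear}, {cleartext}, {md5}, {smd5}, {sha1} and
       {ssha1} headers with hex or Base64 payloads; the salt layout (raw digest
       followed by the salt), the make_known_good helper and the "hunter2"
       sample password are assumptions of the example, and {crypt}, {nt},
       {x-nthash} and {ns-mta-md5} are left out.

```python
import base64
import hashlib
import hmac
import re
# Added illustration, not FreeRADIUS code: header stripping, hex/Base64
# decoding and hash comparison as rlm_pap(5) describes.  Assumes salted
# values are laid out as the raw digest followed by the salt.
DIGEST = {"md5": (hashlib.md5, 16), "smd5": (hashlib.md5, 16),
          "sha1": (hashlib.sha1, 20), "ssha1": (hashlib.sha1, 20)}
SALTED = ("smd5", "ssha1")
_HEADER_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)

def split_header(known_good):
    """Return (header, payload); a value without a header is cleartext."""
    m = _HEADER_RE.match(known_good)
    return (m.group(1).lower(), m.group(2)) if m else ("cleartext", known_good)

def decode_payload(payload, digest_len):
    """Try hex first, then Base64, otherwise keep the raw bytes."""
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", payload) and len(payload) >= 2 * digest_len:
        return bytes.fromhex(payload)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        raw = b""
    return raw if len(raw) >= digest_len else payload.encode("utf-8")

def pap_check(known_good, user_password):
    """Compare a User-Password against a Password-With-Header style value."""
    header, payload = split_header(known_good)
    pw = user_password.encode("utf-8")
    if header in ("clear", "cleartext"):
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if header not in DIGEST:  # {crypt}, {nt}, {x-nthash}, {ns-mta-md5}: not shown
        return False
    fn, dlen = DIGEST[header]
    stored = decode_payload(payload, dlen)
    digest, salt = stored[:dlen], stored[dlen:]
    if len(digest) != dlen or bool(salt) != (header in SALTED):
        return False  # wrong digest length, or salt present/absent wrongly
    h = fn(pw)
    if header in SALTED:
        h.update(salt)  # salt is hashed after the password, then appended
    return hmac.compare_digest(h.digest(), digest)

def make_known_good(header, password, salt=b"", enc="hex"):
    """Constructed helper: build a stored value such as {ssha1}<Base64>."""
    raw = DIGEST[header][0](password.encode("utf-8") + salt).digest() + salt
    body = raw.hex() if enc == "hex" else base64.b64encode(raw).decode("ascii")
    return "{%s}%s" % (header, body)
```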

CAVEATS

       In order for the "auto_header = yes" functionality to work, the pap
       module MUST be listed LAST in the authorize section of radiusd.conf.
       This lets other modules such as LDAP blindly add a "known good"
       password to the configuration items, and the PAP module will just
       figure it out.  In most cases, multiple instances of the PAP module,
       along with complex logic to determine which one to call when, can be
       replaced with one instance of the module, with it listed last in the
       authorize section.

       Note that the ns_mta_md5 module is no longer necessary, and can be
       removed.

       Also, setting "Auth-Type = Local" or "Auth-Type = Crypt-Local" is no
       longer necessary.  Any such settings SHOULD BE DELETED.  Simply list
       pap LAST in the authorize section, and the module will take care of
       figuring out what to do.  (Have we emphasized that enough?)

       Another reason to list the module last is that it will take care of
       normalizing any crypt'd or hashed password retrieved from a database.
       So it is now safe to have clear-text passwords as "{clear}...", because
       the PAP module will take care of removing the "{clear}" prefix from the
       password.  Any other modules that need access to the cleartext password
       will

       The module uses a number of new attributes.

       Password-With-Header
              This attribute should contain a "known good" password, with a
              header such as "{crypt}", or "{md5}", etc.  It should be used
              when the passwords retrieved from a DB may have different
              headers.  When pap is listed in the authorize section, the
              module will examine this attribute, and use it to create one of
              the other attributes listed below.  That other attribute is then
              used for authentication.

              If the passwords in a DB do not have a header, and are always in
              one particular form, then the attributes listed below can be
              used directly.  In that case, the PAP module will do hex or
              Base64 decoding of the attribute contents, if necessary.  So pap
              should still be listed in the authorize section, because it will
              enable the maximum flexibility for the server, and minimize
              configuration for the administrator.

       Cleartext-Password
              This attribute should contain the cleartext for a "known good"
              password.  Previously, the User-Password attribute was
              overloaded to contain this, both in the FAQ and in databases in
              many sites.  Any configuration that sets a cleartext form of the
              password using User-Password SHOULD UPDATE to using
              Cleartext-Password.  Doing so will simplify a number of
              debugging issues.

       Crypt-Password
              This attribute has been around for a while, but is documented
              here for completeness.  It contains the crypt'd form of the
              password.

       MD5-Password
              This attribute contains the MD5 hashed form of the password.

       SMD5-Password
              This attribute contains the MD5 hashed form of the password,
              with a salt.

       SHA1-Password
              This attribute contains the SHA1 hashed form of the password.

       SSHA1-Password
              This attribute contains the SHA1 hashed form of the password,
              with a salt.

       NT-Password
              This attribute has been around for a while, but is documented
              here for completeness.  It contains the NT hash form of the
              password, as used by Active Directory and Samba.


SECTIONS

       authorize authenticate


FILES

       /etc/raddb/radiusd.conf


SEE ALSO

       radiusd(8), radiusd.conf(5)


AUTHOR

       Alan DeKok <aland@freeradius.org>



                               3 February 2004                     rlm_pap(5)