rlm_unix

Synopsis

The unix module retrieves passwords and updates the radutmp module.

Note
Since version 1.1.0, the unix module does not read the /etc/passwd, /etc/shadow, or /etc/group files. To read and cache those files, see the passwd module.

Processing Sections

authorize

When listed in the authorize section, the unix module retrieves the user’s encrypted password and places it into the control:Crypt-Password attribute. The password is retrieved via the getpwent() and getspwent() system calls.

Due to security restrictions, the user’s password may not be available on modern systems. Using a database to store user account information is recommended. The unix module should not be used.
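The availability problem described above can be checked from the account the RADIUS server runs as. The following is an added example, not FreeRADIUS code: it assumes a Linux/glibc host, uses the standard getpwnam(3) and getspnam(3) lookups, and its enum and function names are hypothetical. It reports only whether a hash is readable and never prints the hash.

```c
#include <errno.h>
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names for this example; these are not FreeRADIUS return codes. */
enum hash_status { HASH_AVAILABLE, HASH_SHADOWED, HASH_LOCKED, HASH_EMPTY };

/* Classify a passwd/shadow password field without exposing its contents. */
enum hash_status classify_field(const char *field)
{
    if (field == NULL || field[0] == '\0')
        return HASH_EMPTY;                  /* no password set */
    if (strcmp(field, "x") == 0)
        return HASH_SHADOWED;               /* real hash is in the shadow file */
    if (field[0] == '!' || field[0] == '*')
        return HASH_LOCKED;                 /* locked or login disabled */
    return HASH_AVAILABLE;                  /* looks like a crypt(3) hash */
}

/* Report whether this process can obtain a password hash for `name`. */
const char *probe_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return "not found";
    enum hash_status st = classify_field(pw->pw_passwd);
    if (st == HASH_SHADOWED) {
        errno = 0;
        struct spwd *sp = getspnam(name);   /* needs read access to the shadow file */
        if (sp == NULL)
            return errno == EACCES ? "shadowed: permission denied"
                                   : "shadowed: no readable shadow entry";
        st = classify_field(sp->sp_pwdp);
    }
    switch (st) {
    case HASH_AVAILABLE: return "hash readable";
    case HASH_LOCKED:    return "account locked or login disabled";
    case HASH_EMPTY:     return "empty password field";
    default:             return "placeholder only, no hash";
    }
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    printf("%s: %s\n", user, probe_user(user));
    return 0;
}
```

Run it as the unprivileged user the server runs under: a "shadowed" result means the process cannot read a hash for that account through these lookups.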

Return Codes

noop The request did not contain a User-Name attribute.

notfound The User-Name was not found in the system password database.

reject The user’s entry in the system password database was configured with the "deny shell", or their password has expired.

userlock The user’s entry in the system password database indicates that the account is locked.

fail The module was unable to create the control:Crypt-Password attribute.

updated The "known good" password is now available in the control:Crypt-Password attribute.

accounting

When listed in the accounting section, the unix module updates the radwtmp file, which tracks the users who have logged into an NAS.

Using the sql module to store user login information is recommended. The unix module should not be used.

Return Codes

noop There was no information available to record in radwtmp.

fail The module was unable to write to radwtmp.

ok The module successfully wrote login information to radwtmp.

Expansions

None.

Directives

radwtmp

Syntax

radwtmp = filename

Default

${logdir}/radwtmp

Description

The location of the wtmp file. This file is used only for radlast. If radlast is not used, then this item can be commented out.

Note
The radwtmp file may get large! It should be rotated via cp /dev/null radwtmp or just not used.