.\"	$OpenBSD: login_radius.8,v 1.16 2022/03/31 17:27:18 naddy Exp $
.\"
.\" Copyright (c) 1996 Berkeley Software Design, Inc. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by Berkeley Software Design,
.\"	Inc.
.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse
.\"    or promote products derived from this software without specific prior
.\"    written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" BSDI $From: login_radius.8,v 1.2 1996/11/11 18:42:02 prb Exp $
.\"
.Dd $Mdocdate: March 31 2022 $
.Dt LOGIN_RADIUS 8
.Os
.Sh NAME
.Nm login_radius
.Nd provide RADIUS authentication type
.Sh SYNOPSIS
.Nm login_radius
.Op Fl d
.Op Fl s Ar service
.Op Fl v Ar name Ns = Ns Ar value
.Ar user
.Op Ar class
.Sh DESCRIPTION
The
.Nm
utility contacts a RADIUS server to authenticate a
.Ar user .
If no
.Ar class
is specified, the login class will be obtained from the password database.
.Pp
When executed as the name
.Pa login_ Ns Ar style ,
.Nm
will request that the RADIUS server use the authentication specified by
.Ar style .
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl d
Debug mode.
Output is sent to the standard output instead of the
.Bx
Authentication backchannel.
.It Fl s Ar service
Specify the service.
Currently only
.Li challenge ,
.Li login ,
and
.Li response
are supported.
.It Fl v Ar name Ns = Ns Ar value
This option and its value are ignored.
.El
.Pp
The
.Nm
utility needs to know a shared secret for each RADIUS server it talks to.
Shared secrets are stored in the file
.Pa /etc/raddb/servers
with the format:
.Bd -literal -offset indent
server shared_secret
.Ed
.Pp
It is expected that, rather than requesting the RADIUS style directly
(in which case the server uses a default style),
.Nm
will be linked to the various mechanisms desired.
For instance, to have all CRYPTOCard and ActivCard authentication take
place on a remote server via the RADIUS protocol, remove the
.Pa login_activ
and
.Pa login_crypto
modules and link
.Pa login_radius
to both of those names.
Now when the user requests one of those authentication styles,
.Nm
will automatically forward the request to the remote RADIUS server
and request that it perform the requested style of authentication.
.Sh LOGIN.CONF VARIABLES
The
.Nm
utility uses the following RADIUS-specific
.Pa /etc/login.conf
variables:
.Bl -tag -width radius-challenge-styles
.It radius-port
Port name or number to connect to on the RADIUS server.
.It radius-server
Hostname of the RADIUS server to contact.
.It radius-server-alt
Alternate RADIUS server to use when the primary is not responding.
.It radius-challenge-styles
Comma-separated list of authentication styles that the RADIUS server
knows about.
If the user's authentication style is in this list, the challenge will
be provided by the RADIUS server.
If not,
.Nm
will prompt the user for the password before sending the request
(along with the password) to the RADIUS server.
.It radius-timeout
Number of seconds to wait for a response from the RADIUS server.
Defaults to 2 seconds.
.It radius-retries
Number of times to attempt to contact the RADIUS server before giving up
(or falling back to the alternate server if there is one).
Defaults to 6 tries.
.El
.Sh FILES
.Bl -tag -compact -width xetcxraddbxserversxx
.It Pa /etc/login.conf
login configuration database
.It Pa /etc/raddb/servers
list of RADIUS servers and their associated shared secrets
.El
.Sh SEE ALSO
.Xr login 1 ,
.Xr login.conf 5 ,
.Xr radiusd 8
.Sh STANDARDS
.Rs
.%A C. Rigney
.%A S. Willens
.%A A. Rubens
.%A W. Simpson
.%D June 2000
.%R RFC 2865
.%T "Remote Authentication Dial In User Service (RADIUS)"
.Re
.Sh CAVEATS
For
.Nm
to function, the
.Pa /etc/raddb
directory must be owned by group
.Dq _radius
and have group-execute permissions.
Likewise, the
.Pa /etc/raddb/servers
file must be readable by group
.Dq _radius .
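Added example, not part of the OpenBSD manual or the login_radius source: it reads a login.conf class record and the /etc/raddb/servers format described above, applies the documented radius-timeout and radius-retries defaults, and reports any server named by radius-server or radius-server-alt that has no shared secret (a gap that only surfaces at failover). The hostnames, the class record, and the handling of blank and '#' lines in the servers file are this example's own assumptions.

```python
import re

DEFAULTS = {"radius-timeout": 2, "radius-retries": 6}   # documented defaults

def parse_class(record):
    """One getcap-style login.conf record -> (class name, {cap: value})."""
    text = re.sub(r"\\\n\s*", "", record.strip())        # join '\' continuations
    fields = [f for f in text.split(":") if f]
    return fields[0], dict(f.partition("=")[::2] for f in fields[1:])

def parse_servers(text):
    """'server shared_secret' lines of /etc/raddb/servers -> {server: secret}.
    Skipping blank and '#' lines is this example's assumption."""
    secrets = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError("malformed servers line: %r" % line)
        secrets[parts[0]] = parts[1]
    return secrets

def radius_settings(caps):
    """Effective radius-* settings; documented defaults fill the numeric ones."""
    eff = {k: caps.get(k) for k in ("radius-server", "radius-server-alt", "radius-port")}
    for k, dflt in DEFAULTS.items():
        eff[k] = int(caps.get(k, dflt))
    eff["radius-challenge-styles"] = [s for s in caps.get("radius-challenge-styles", "").split(",") if s]
    return eff

def check_config(record, servers_text):
    """List servers named by the class that have no shared secret; a missing
    secret for radius-server-alt only shows up at failover, so check both."""
    name, caps = parse_class(record)
    eff, secrets = radius_settings(caps), parse_servers(servers_text)
    return ["%s: %s %s has no shared secret in servers file" % (name, key, eff[key])
            for key in ("radius-server", "radius-server-alt")
            if eff[key] and eff[key] not in secrets]

# Constructed sample inputs (not taken from any real system).
SAMPLE_CLASS = r"""radius:\
    :radius-server=radius1.example.net:\
    :radius-server-alt=radius2.example.net:\
    :radius-challenge-styles=activ,crypto:\
    :radius-timeout=5:\
    :tc=default:"""
SAMPLE_SERVERS = "# constructed sample\nradius1.example.net   ExampleSharedSecret-1\n"
```

Running check_config(SAMPLE_CLASS, SAMPLE_SERVERS) flags radius2.example.net, because the sample servers file carries a secret only for the primary.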