libexec/login_radius/login_radius.8

*41ce3b17Snaddy.\" $OpenBSD: login_radius.8,v 1.16 2022/03/31 17:27:18 naddy Exp $
4ac31360Smillert.\"
4ac31360Smillert.\" Copyright (c) 1996 Berkeley Software Design, Inc. All rights reserved.
4ac31360Smillert.\"
4ac31360Smillert.\" Redistribution and use in source and binary forms, with or without
4ac31360Smillert.\" modification, are permitted provided that the following conditions
4ac31360Smillert.\" are met:
4ac31360Smillert.\" 1. Redistributions of source code must retain the above copyright
4ac31360Smillert.\"    notice, this list of conditions and the following disclaimer.
4ac31360Smillert.\" 2. Redistributions in binary form must reproduce the above copyright
4ac31360Smillert.\"    notice, this list of conditions and the following disclaimer in the
4ac31360Smillert.\"    documentation and/or other materials provided with the distribution.
4ac31360Smillert.\" 3. All advertising materials mentioning features or use of this software
4ac31360Smillert.\"    must display the following acknowledgement:
4ac31360Smillert.\"	This product includes software developed by Berkeley Software Design,
4ac31360Smillert.\"	Inc.
4ac31360Smillert.\" 4. The name of Berkeley Software Design, Inc.  may not be used to endorse
4ac31360Smillert.\"    or promote products derived from this software without specific prior
4ac31360Smillert.\"    written permission.
4ac31360Smillert.\"
4ac31360Smillert.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
4ac31360Smillert.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
4ac31360Smillert.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
4ac31360Smillert.\" ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
4ac31360Smillert.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
4ac31360Smillert.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
4ac31360Smillert.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
4ac31360Smillert.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
4ac31360Smillert.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
4ac31360Smillert.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
4ac31360Smillert.\" SUCH DAMAGE.
4ac31360Smillert.\"
4ac31360Smillert.\"	BSDI $From: login_radius.8,v 1.2 1996/11/11 18:42:02 prb Exp $
4ac31360Smillert.\"
*41ce3b17Snaddy.Dd $Mdocdate: March 31 2022 $
4ac31360Smillert.Dt LOGIN_RADIUS 8
4ac31360Smillert.Os
4ac31360Smillert.Sh NAME
4ac31360Smillert.Nm login_radius
1afaaab6Ssthen.Nd provide RADIUS authentication type
4ac31360Smillert.Sh SYNOPSIS
4ac31360Smillert.Nm login_radius
174e0a2eSmillert.Op Fl d
4ac31360Smillert.Op Fl s Ar service
9981753dSsobrado.Op Fl v Ar name Ns = Ns Ar value
4ac31360Smillert.Ar user
4ac31360Smillert.Op Ar class
4ac31360Smillert.Sh DESCRIPTION
4ac31360SmillertThe
4ac31360Smillert.Nm
1afaaab6Ssthenutility contacts a RADIUS server to authenticate a
501e2bc7Smillert.Ar user .
501e2bc7SmillertIf no
501e2bc7Smillert.Ar class
501e2bc7Smillertis specified, the login class will be obtained from the password database.
501e2bc7Smillert.Pp
4ac31360SmillertWhen executed as the name
501e2bc7Smillert.Pa login_ Ns Ar style ,
501e2bc7Smillert.Nm
1afaaab6Ssthenwill request that the RADIUS server use the authentication specified by
501e2bc7Smillert.Ar style .
4ac31360Smillert.Pp
9981753dSsobradoThe options are as follows:
4ac31360Smillert.Bl -tag -width indent
174e0a2eSmillert.It Fl d
174e0a2eSmillertDebug mode.
720a7a94SjmcOutput is sent to the standard output instead of the
720a7a94Sjmc.Bx
720a7a94SjmcAuthentication backchannel.
9981753dSsobrado.It Fl s Ar service
4ac31360SmillertSpecify the service.
4ac31360SmillertCurrently only
4ac31360Smillert.Li challenge ,
4ac31360Smillert.Li login ,
4ac31360Smillertand
4ac31360Smillert.Li response
4ac31360Smillertare supported.
9981753dSsobrado.It Fl v Ar name Ns = Ns Ar value
4ac31360SmillertThis option and its value are ignored.
4ac31360Smillert.El
4ac31360Smillert.Pp
4ac31360SmillertThe
4ac31360Smillert.Nm
1afaaab6Ssthenutility needs to know a shared secret for each RADIUS server it talks to.
4ac31360SmillertShared secrets are stored in the file
4ac31360Smillert.Pa /etc/raddb/servers
4ac31360Smillertwith the format:
4ac31360Smillert.Bd -literal -offset indent
4ac31360Smillertserver shared_secret
4ac31360Smillert.Ed
4ac31360Smillert.Pp
1afaaab6SsthenIt is expected that rather than requesting the RADIUS style directly
1afaaab6Ssthen(in which case the server uses a default style) that
4ac31360Smillert.Nm
4ac31360Smillertwill be linked to the various mechanisms desired.
4ac31360SmillertFor instance, to have all CRYPTOCard and ActivCard authentication take
29ec0a10Sjmcplace on a remote server via the RADIUS protocol, remove the
4ac31360Smillert.Pa login_activ
4ac31360Smillertand
4ac31360Smillert.Pa login_crypto
4ac31360Smillertmodules and link
4ac31360Smillert.Pa login_radius
4ac31360Smillertto both of those names.
4ac31360SmillertNow when the user requests one of those authentication styles,
4ac31360Smillert.Nm
1afaaab6Ssthenwill automatically forward the request to the remote RADIUS server
4ac31360Smillertand request it do the requested style of authentication.
501e2bc7Smillert.Sh LOGIN.CONF VARIABLES
501e2bc7SmillertThe
501e2bc7Smillert.Nm
1afaaab6Ssthenutility uses the following RADIUS-specific
4ac31360Smillert.Pa /etc/login.conf
501e2bc7Smillertvariables:
501e2bc7Smillert.Bl -tag -width radius-challenge-styles
9962a266Smillert.It radius-port
1afaaab6SsthenPort name or number to connect to on the RADIUS server.
501e2bc7Smillert.It radius-server
1afaaab6SsthenHostname of the RADIUS server to contact.
501e2bc7Smillert.It radius-server-alt
1afaaab6SsthenAlternate RADIUS server to use when the primary is not responding.
501e2bc7Smillert.It radius-challenge-styles
1afaaab6SsthenComma-separated list of authentication styles that the RADIUS server
501e2bc7Smillertknows about.
*41ce3b17SnaddyIf the user's authentication style is in this list, the challenge will
1afaaab6Ssthenbe provided by the RADIUS server.
501e2bc7SmillertIf not,
501e2bc7Smillert.Nm
501e2bc7Smillertwill prompt the user for the password before sending the request
1afaaab6Ssthen(along with the password) to the RADIUS server.
484d8f52Smillert.It radius-timeout
1afaaab6SsthenNumber of seconds to wait for a response from the RADIUS server.
501e2bc7SmillertDefaults to 2 seconds.
501e2bc7Smillert.It radius-retries
1afaaab6SsthenNumber of times to attempt to contact the RADIUS server before giving up
501e2bc7Smillert(or falling back to the alternate server if there is one).
501e2bc7SmillertDefaults to 6 tries.
501e2bc7Smillert.El
501e2bc7Smillert.Sh FILES
501e2bc7Smillert.Bl -tag -compact -width xetcxraddbxserversxx
501e2bc7Smillert.It Pa /etc/login.conf
501e2bc7Smillertlogin configuration database
501e2bc7Smillert.It Pa /etc/raddb/servers
1afaaab6Ssthenlist of RADIUS servers and their associated shared secrets
501e2bc7Smillert.El
4ac31360Smillert.Sh SEE ALSO
046e7ae9Smarc.Xr login 1 ,
1afaaab6Ssthen.Xr login.conf 5 ,
1afaaab6Ssthen.Xr radiusd 8
1afaaab6Ssthen.Sh STANDARDS
1afaaab6Ssthen.Rs
1afaaab6Ssthen.%A C. Rigney
1afaaab6Ssthen.%A S. Willens
1afaaab6Ssthen.%A A. Rubens
1afaaab6Ssthen.%A W. Simpson
1afaaab6Ssthen.%D June 2000
1afaaab6Ssthen.%R RFC 2865
1afaaab6Ssthen.%T "Remote Authentication Dial In User Service (RADIUS)"
1afaaab6Ssthen.Re
501e2bc7Smillert.Sh CAVEATS
0c1ccf3aSmillertFor
0c1ccf3aSmillert.Nm
0c1ccf3aSmillertto function, the
0c1ccf3aSmillert.Pa /etc/raddb
0c1ccf3aSmillertdirectory must be owned by group
0c1ccf3aSmillert.Dq _radius
0c1ccf3aSmillertand have group-execute permissions.
0c1ccf3aSmillertLikewise, the
0c1ccf3aSmillert.Pa /etc/raddb/servers
0c1ccf3aSmillertfile must be readable by group
0c1ccf3aSmillert.Dq _radius .