-
Notifications
You must be signed in to change notification settings - Fork 13
/
pam_radius_auth.conf
61 lines (61 loc) · 2.72 KB
/
pam_radius_auth.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
# pam_radius_auth configuration file.
#
# See 'man pam_radius_auth.conf pam_radius_auth'
#
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 2-4 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout] [src_ip]
#
# The port name or number is optional. The default port name is
# "radius", and "radacct" for accounting. They are looked up
# in the services database (e.g., /etc/services)
# The timeout field is optional; the default timeout is 3 seconds.
# If the port is specified as numeric, port+1 is used as the accounting
# port. If a name is used for the port that is not "radius", "radacct"
# is still used for accounting.
# There is no way to specify the port to be used for accounting.
#
# For IPv6 literal addresses, the address has to be surrounded by
# square brackets as usual. E.g. [2001:0db8:85a3::4].
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to response is it skipped,
# and the next server in turn is used.
#
# The optional timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond. It currently must be
# less than 60.
#
# The optional src_ip may be used to configure the source IP address used
# in the RADIUS packets to the server. The timeout field must be set if
# setting the source IP address is desired
#
# server[:port] shared_secret timeout (secs) src_ip
# 127.0.0.1 secret 1
# other-server other-secret 3 192.168.3.4
# [2001:0db8:85a3::4]:1812 other6-secret 1
#
# This allows the radius client to work when a management VRF is in use.
# The syntax is "vrf-name" (keyword) followed by the VRF name, typically "mgmt"
# Since the keyword has an illegal character for a hostname ('-'), this can't
# conflict with a valid hostname
# vrf-name mgmt
#
# Set the minimum privilege level in VSA attribute shell:priv-lvl=VALUE
# to be considered a # privileged login (ability to configure via
# nclu 'net' commands, and able to sudo. The default is 15, range is 0-15.
# priv-lvl 15
#
# Uncomment to enable debugging, can be used instead of altering pam files
# debug
#
# Account for privileged radius user mapping. If you change it here, you need
# to change /etc/nss_mapuser.conf as well
mapped_priv_user radius_priv_user