On Tue, Aug 23, 2011 at 11:51:56AM +0000, Stuart Henderson wrote:
> On 2011-08-22, Antoine Jacoutot <ajacou...@bsdfrog.org> wrote:
> > On Mon, 22 Aug 2011, Todd T. Fries wrote:
> >
> >> I'm not sure where this should go other than 'common knowledge to anyone
> >> using system authentication in OpenBSD and freeradius' but ..
> >>
> >> When one sets up freeradius to authenticate users based on system accounts,
> >> one should take care to set the following in radiusd.conf:
> >>
> >> group = _shadow
> >>
> >> instead of the default:
> >>
> >> group = _freeradius
> >>
> >> which does not permit access to e.g. /etc/spwd.db and therefore silently
> >> fails to authenticate any system user.
> >>
> >> If there is an appropriate place to document this, please let me know, and
> >> I'll happily write it up.
> >
> > Aren't you always the first one asking for sane defaults ;-)
> > Why don't you patch radiusd.conf in the port so that it uses _shadow?
> >
>
> I don't think that it's all that common to use system accounts as
> a backend for radius, I think the current default (i.e. not allowing
> the daemon access to spwd.db without special configuration) is sane,
> personally I'd rather have this documented in a README than change
> the default config.
I agree with Stuart. And alternatively, you can simply add the _freeradius user to the _shadow group to give it permission without changing the port or current permissions.
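A way to check for the condition Todd describes before relying on system-account authentication, as an added example that is not from the thread or from the freeradius port: it decides, from the permission bits and group of /etc/spwd.db and the group list of the account radiusd runs as, whether that account can open the database at all. The permission logic is a separate function so it can be exercised without the real file. Assumptions: OpenBSD's stat(1) with `-f %Lp` (octal permission bits) and `-f %Sg` (group name), spwd.db laid out as mode 0640 owned by root:_shadow, and the daemon account name `_freeradius`.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the account radiusd runs as
# can read OpenBSD's shadow password database, which is what system-account
# authentication needs. Assumes OpenBSD's stat(1) -f format and that
# /etc/spwd.db is mode 0640, owned by root:_shadow (the usual layout).

SPWD_DB=${SPWD_DB:-/etc/spwd.db}

# group_can_read MODE FILE_GROUP GROUP...
# Pure permission logic so it can be exercised without the real file:
# succeeds (exit 0) when the group-read bit is set in the octal MODE and
# FILE_GROUP appears among the caller's GROUP list. Owner and other bits are
# deliberately ignored: the daemon is not root and spwd.db is not world-readable.
group_can_read() {
    mode=$1
    fgroup=$2
    shift 2
    # 040 is the group-read bit; "0$mode" forces octal interpretation.
    [ $(( 0$mode & 040 )) -ne 0 ] || return 1
    for g in "$@"; do
        [ "$g" = "$fgroup" ] && return 0
    done
    return 1
}

# check_daemon_user USER
# Live check on the host: takes the file's permission bits and group name from
# stat(1) and the account's group list from id(1). Exit 0 means the daemon
# would be able to open spwd.db; 1 means system-account auth will silently fail
# the way the thread describes; 2 means the check itself could not run.
check_daemon_user() {
    u=$1
    mode=$(stat -f %Lp "$SPWD_DB") || return 2     # assumption: OpenBSD stat(1)
    fgroup=$(stat -f %Sg "$SPWD_DB") || return 2
    glist=$(id -Gn "$u") || return 2
    # shellcheck disable=SC2086  # word-splitting of the group list is intended
    group_can_read "$mode" "$fgroup" $glist
}

# Usage: run as root on the radius host, e.g.  sh check_spwd.sh _freeradius
# If it fails, either set "group = _shadow" in radiusd.conf (Todd's fix) or
# add _freeradius to the _shadow group in /etc/group (the alternative above).
if [ $# -gt 0 ]; then
    if check_daemon_user "$1"; then
        echo "$1 can read $SPWD_DB"
    else
        echo "$1 cannot read $SPWD_DB; system-account auth will fail" >&2
        exit 1
    fi
fi
```

The live check only answers whether open(2) on spwd.db would succeed for that account; it does not tell you which of the two fixes was applied, so after changing radiusd.conf or /etc/group, restart radiusd and re-run it against the account named in the `user =` line.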