radcheckpassword
Introduction
This is a drop-in replacement for the checkpassword program typically used in qmail systems to authenticate from the system's /etc/passwd database. Instead of consulting this database, external Radius server(s) are consulted.
This program is based on the checkpassword system devised by Dan Bernstein, commonly used in qmail installations - see http://cr.yp.to/checkpwd.html for further details. It is written in C - but note that there is also a version written in Perl by a different author; part of the reason for writing this version in C is that I never got the Perl version working...
For multi-domain installations, you may like to know that this implementation is able to handle the "@" symbol in a username (for the scenario where you wish to have unique users fred@domain1 and fred@domain2) - the question then becomes whether the Radius server you're authenticating with can also handle "@" symbols. To the best of my knowledge, standard 1.16 Livingston and Ascend implementations cannot; Cistron 1.6.5 and Radiator can. UPDATE: Radius implementations have moved on since I wrote this paragraph and I haven't played with radcheckpassword lately. Therefore I'd be very interested to hear what current Radius implementations (including their version numbers) can handle "@" symbols in the name, and also whether you're successfully using radcheckpassword with them.
Radius uses standard MD5 encryption, and therefore so does this program, as well as some Radius client code that crops up in FreeBSD, written by Juniper Networks. It presupposes a single-UID setup: since Radius is an external authentication system, the users are assumed not to relate to system users. This means that some way of working out where a user's [mail] directory is located will be needed. One possibility is the hashed-directory code I've written; for others, check out the qmail home page.
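The checkpassword interface that this program implements (see http://cr.yp.to/checkpwd.html) hands over the login name, password and a timestamp as NUL-terminated fields on descriptor 3, at most 512 bytes in all. The following C code is an added example, not code from radcheckpassword or checkpassword 0.81: it parses that input with bounds checks and keeps a name such as fred@domain1 intact. The names cp_creds, next_field and cp_parse are hypothetical, rejecting an empty login name is a choice made for this example, and the Radius lookup itself is left out.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define CP_MAX 512   /* the interface allows at most 512 bytes on descriptor 3 */

struct cp_creds { const char *user, *pass, *stamp; };   /* hypothetical type */

/* Return the field starting at buf[*pos] if a NUL terminator exists before
   len, advancing *pos past it; return NULL on an unterminated field. */
static const char *next_field(const char *buf, size_t len, size_t *pos)
{
    const char *start = buf + *pos;
    const char *end = memchr(start, '\0', len - *pos);
    if (end == NULL) return NULL;
    *pos = (size_t)(end - buf) + 1;
    return start;
}

/* Parse "login\0password\0timestamp\0". Returns 0 on success, or 2 (the
   checkpassword "misused" exit code) on malformed input. The fields point
   into buf; an "@" in the login name is ordinary data and is kept as-is. */
int cp_parse(const char *buf, size_t len, struct cp_creds *out)
{
    size_t pos = 0;
    if (len == 0 || len > CP_MAX) return 2;
    if (!(out->user = next_field(buf, len, &pos))) return 2;
    if (!(out->pass = next_field(buf, len, &pos))) return 2;
    if (!(out->stamp = next_field(buf, len, &pos))) return 2;
    return out->user[0] ? 0 : 2;   /* this example also rejects an empty name */
}

int main(void)
{
    char buf[CP_MAX + 1];          /* one spare byte to detect oversized input */
    size_t len = 0;
    ssize_t n;
    struct cp_creds c;
    while ((n = read(3, buf + len, sizeof buf - len)) > 0)
        len += (size_t)n;
    close(3);
    if (n < 0) return 111;         /* temporary problem reading the input */
    if (cp_parse(buf, len, &c) != 0) return 2;
    /* The Radius Access-Request would be sent here; this example stops. */
    fprintf(stderr, "login name: %s\n", c.user);
    return 0;
}
```

To try it by hand, feed descriptor 3 from a pipe with constructed credentials, for example `printf 'fred@domain1\0s3cret\0Y123\0' | ./a.out 3<&0`.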
Status / Warranty
No warranty, express or implied, is given - USE THIS SOFTWARE ENTIRELY AT YOUR OWN RISK. You will need to satisfy yourself as to the suitability of this software before deploying it in a production environment.
Download
The current release is version 0.1 - download it here as a gzipped tar or compressed tar archive (I'll put up other formats on request).
Installation
Installation details for the program are included in the distribution - see the README file. If you're wondering what platforms the program runs on, here's the list (if you get this program working on other systems, please let me know - reach me at radcpw-compat@acrconsulting.co.uk so that I can update this page - also let me know if any modifications were necessary).
- Version 0.1:
  - Linux - this is the default target platform. Should compile and work "out of the box":
    - Red Hat 8.0
    - Debian 3.0 (2.4.18-SMP kernel)
    - SuSE 6.3 (2.2.13 kernel)
  - Solaris:
    - 2.7: Minor modifications are required, explained in the distribution
  - FreeBSD:
    - 4.4R: Add,
          #define NULL 0
      to radlib.h and change this line in Makefile
          patch -i rcpwd.patch radcheckpassword.c
      to,
          patch < rcpwd.patch radcheckpassword.c
      (thank you Murata Nobuhiro).
This version is a patch to checkpassword 0.81. I haven't yet had the time to update it for the newer versions of checkpassword Dan has since produced - you should be able to do this yourself at a pinch, however, by patching 0.81, then generating a context-diff, and applying this to the newest version of checkpassword. If you're looking for checkpassword 0.81, it lurks on Dan's ftp server at cr.yp.to/software/checkpassword-0.81.tar.gz.
Patch for Worldgroup Radius: If you're using the Worldgroup Radius server, you'll need this patch (thank you Humberto Diogenes).
To do
(Nothing in this section at present)
Troubleshooting
If you have problems with this software, you may like to go through the following checklist:
- Is the Radius server you're trying to reach actually running?
- What port is the Radius server running on?
- What port are you using to reach the Radius server? See /etc/radius.conf; if no port is specified there, the 'radius' port from /etc/services is used; if 'radius' is not defined there, 1812 is used. Older Radius implementations typically use port 1645, so it may be worth trying that.
- What is the User-Service-Type (e.g. Login-user, Framed-User etc.) configured for the users you wish to authenticate? Does this match the radius_service_type specified in radcheckpassword.c?
- Have you used 'make install' to put the executable in /usr/local/bin, and when you call radcheckpassword, is this directory on the PATH?
Archives
Currently there are no earlier versions of this program.
This page last updated: AR, 6th February 2008.