denying logins

Bob Stocker bstocker at bloodtip.org
Fri Mar 15 00:11:20 CST 2002


On Thu, 2002-03-14 at 14:50, Dale Herring wrote:
> Don't know if you guys can answer this one, but I have
> people that dial into my system and I use radius to
> authenticate them. What I want to do is to prevent
> some users from being able to login with a username
> but still be able to check their e-mail.
> I was thinking if I gave them a /dev/null shell that
> would prevent it. But I can still connect with a user
> that has a /dev/null/. Do I need to put more
> information someplace else?
> Or is there another way to prevent these people from
> getting authenticated for a connection, but still able
> to get e-mail.
> 
Hi there,
In your RADIUS users file you can specify name/password pairs for each
user that you want to be able to authenticate and remove the line
'DEFAULT Authentication-Type = <something, probably Realm or Unix-PW>'. 
Of course this means that you'll have a file with cleartext passwords
for your dialup users on your system, so the file should be readable
only by the user that runs radiusd.  
At an ISP where I worked we hacked radiusd a little so that it had its
own hashed passwd db to look at, but that's a lot easier to do on
FreeBSD than it is on Linux (FreeBSD had and may still have hardcoded
passwd db locations in pwd.h rather than using GlibC's setpwent() and
getpwent() like modern Linux does).
Anyway, hope that helps...

-Bob
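
An added example, not part of the message above or of any RADIUS distribution: a small audit of a users file set up the way the reply describes, reporting file access beyond the owner, any remaining DEFAULT authentication entry, and the list of explicitly named dial-up users. It assumes the classic users-file layout (entry name in column 0, reply attributes indented); the function name `audit_users_file` and the sample entries are hypothetical.

```python
import os
import re
import stat

# Attribute spelling differs between RADIUS servers; both forms are accepted (assumption).
AUTH_TYPE = re.compile(r"\bAuth(?:entication)?-Type\b", re.IGNORECASE)

def audit_users_file(path, radiusd_uid=None):
    """Return (findings, dialup_users) for a classic-format RADIUS users file."""
    findings, users = [], []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    # The file holds cleartext passwords, so only its owner should have access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o}: accessible beyond the owner")
    if radiusd_uid is not None and st.st_uid != radiusd_uid:
        findings.append(f"owner uid {st.st_uid} is not the radiusd uid {radiusd_uid}")
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, 1):
            # Entries start in column 0; indented lines are reply attributes.
            if not line.strip() or line[0] in "# \t":
                continue
            name = line.split()[0]
            if name == "DEFAULT":
                if AUTH_TYPE.search(line):
                    findings.append(
                        f"line {lineno}: DEFAULT entry still authenticates unlisted users")
            else:
                users.append(name)
    return findings, users

if __name__ == "__main__":
    import tempfile
    # Constructed sample: two named dial-up users plus a leftover DEFAULT entry.
    sample = ('# constructed sample users file\n'
              'alice   Auth-Type = Local, Password = "example-only"\n'
              '        Service-Type = Framed-User\n'
              'bob     Auth-Type = Local, Password = "example-only"\n'
              'DEFAULT Auth-Type = System\n'
              '        Service-Type = Framed-User\n')
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write(sample)
    os.chmod(tmp.name, 0o644)
    findings, users = audit_users_file(tmp.name)
    print("dial-up users:", users)
    for f in findings:
        print("FINDING:", f)
    os.unlink(tmp.name)
```

Any account missing from the printed user list has no dial-up entry once the DEFAULT finding is cleared.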



