Discussion:
Pam radius authentication
d***@rdslink.ro
2006-10-12 09:28:39 UTC
Hello!

I try to authenticate ssh users logins using pam_radius_auth.so.
On my RedHat 9 I have the following setup:
- freeradius server
- users file:
test Auth-Type := Local, User-Password == "test"

- clients.conf
client 127.0.0.1 {
secret = secret
shortname = localhost
}

-pam radius module
- cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so
account required pam_radius_auth.so debug
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
-cat /etc/raddb/server
127.0.0.1 secret 1


- pam_radius_auth.so is copied in /lib/security
-I created linux user test with home directory /home/test , without setting up a password
- freeradius started with radiusd -X

Problem is that, when I try to connect to this machine using ssh, the radius server receives the request, processes it, sends access-accept, but the ssh session is ended, without the user being really logged in !!! I don't know the reason why the user gets rejected...

tail -f /var/log/secure
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2

from radiusd -X :
rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
User-Name = "test"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "sshd"
NAS-Port = 26590
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "512wyse83.cosmote.rom"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
users: Matched entry test at line 80
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 253 to 127.0.0.1 port 27615
Finished request 0

thank you!

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
d***@rdslink.ro
2006-10-16 11:41:37 UTC
anyone??? pls!!! no suggestions at all ? :(
A***@lboro.ac.uk
2006-10-16 12:19:51 UTC
Hi,
Post by d***@rdslink.ro
anyone??? pls!!! no suggestions at all ? :(
I'd read the INSTALL doc that comes as part of the pam_radius
tool.
Post by d***@rdslink.ro
Post by d***@rdslink.ro
- cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so
account required pam_radius_auth.so debug
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
no. you're invoking pam_radius_auth in the wrong place and for the wrong reason.
again the INSTALL is your friend.


your radius configuration appears to be correct

alan
d***@rdslink.ro
2006-10-17 06:48:19 UTC
First of all, thank you for your reply. Until now, you are the only one.

Now, let's take it step by step:

This is a part of INSTALL:
**********************************************************************
Redhat Linux > 5.0
**********************************************************************

make.

Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so

In the per-application configuration (/etc/pam.d/application) add:

auth sufficient /lib/security/pam_radius_auth.so

AFTER

auth required /lib/security/pam_securetty.so

and BEFORE

auth required /lib/security/pam_unix_auth.so

i.e.

auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_radius_auth.so
auth required /lib/security/pam_unix_auth.so

My linux is RedHat 9, so this part pertains to my machine : "Redhat Linux > 5.0"

"make.

Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so" - already did...

"In the per-application configuration (/etc/pam.d/application) add:" - I want to use pam radius to authenticate ssh logins, so "(/etc/pam.d/application)" becomes "/etc/pam.d/sshd"

"auth required pam_securetty.so
auth sufficient pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so"
-this part from INSTALL is identical to my /etc/pam.d/sshd...all of these modules deal with authentication ("auth"). pam_securetty verifies if root can login through tty by reading /etc/securetty. "required" means that this step is mandatory and that after this verification, the next authentication method will take place.
this is where pam_radius_auth comes. the messages are exchanged as explained in my previous e-mail. "sufficient" means that if this authentication succeeds, the following authentication methods will not be checked...in other terms: "auth required /lib/security/pam_unix_auth.so" will be passed.

I don't understand why you are saying that "you are invoking pam_radius_auth in the wrong place and for the wrong reason"...please, be more specific and if you know the right configuration, enlighten me!

Again, any help would be appreciated!
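Added example, not part of any post in this thread: a small Python model of how the "required" and "sufficient" control flags discussed above combine, run over the /etc/pam.d/sshd the poster quoted. Which modules fail is an assumed input (the `failing` set); the thread does not establish which module, if any, failed.

```python
# Added example: control-flag evaluation for the /etc/pam.d/sshd quoted in this thread.
# Module pass/fail values passed to login() are assumptions, not findings from the thread.
SSHD_PAM = """\
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so
account required pam_radius_auth.so debug
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
"""

def parse(text):
    """Return {group: [(control, module_basename), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        group, control, module = line.split()[:3]
        stacks.setdefault(group, []).append((control, module.rsplit("/", 1)[-1]))
    return stacks

def run_stack(group, stack, failing):
    """Evaluate one stack. `failing` is a set of (group, module) that return an error.
    Returns (passed, modules_called)."""
    required_failed, called = False, []
    for control, name in stack:
        ok = (group, name) not in failing
        called.append(name)
        if control == "requisite" and not ok:
            return False, called            # fail immediately
        if control == "required" and not ok:
            required_failed = True          # remember, but keep running the stack
        if control == "sufficient" and ok and not required_failed:
            return True, called             # success ends the stack early
        # a failed "sufficient" and any "optional" result do not decide the outcome here
    return not required_failed, called

def login(failing=frozenset()):
    """A login needs auth, account and session to pass, in that order."""
    stacks, trace = parse(SSHD_PAM), []
    for group in ("auth", "account", "session"):
        passed, called = run_stack(group, stacks.get(group, []), failing)
        trace.append((group, passed, called))
        if not passed:
            return False, trace
    return True, trace
```

Calling `login({("session", "pam_limits.so")})` returns a failed login whose trace still shows the auth stack passing after pam_radius_auth.so, so a successful auth phase in the log says nothing about the account and session stacks that run after it.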
A***@lboro.ac.uk
2006-10-17 17:53:12 UTC
Hi,
Post by d***@rdslink.ro
I don't understand why you are saying that "you are invoking pam_radius_auth in the wrong place and for the wrong reason"...please, be more specific and if you know the right configuration, enlighten me!
Post by d***@rdslink.ro
#%PAM-1.0
auth required pam_securetty.so
auth sufficient pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so
account required pam_radius_auth.so debug
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

explain

alan
d***@rdslink.ro
2006-10-17 19:43:40 UTC
Hi!
if you are referring to this line:
"account required pam_radius_auth.so debug"
then here is the explanation:
"The pam configuration can be:
...
auth sufficient /lib/security/pam_radius_auth.so [options]
...
account sufficient /lib/security/pam_radius_auth.so"
(this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)

On the other hand, I don't care if I don't use this module for accounting. As a matter of fact, I tried in many configurations, even without using it for accounting.
The main concern is to succeed in authenticating the users!!! if anyone can help me accomplish that, I would be happy and I will not mind about accounting...
d***@rdslink.ro
2006-10-20 06:34:10 UTC
Isn't there anyone who tried this implementation?