Discussion:
ssh authentication failed problem use freeradius & pam_radius
小牧
2012-05-05 10:43:42 UTC
Hi everyone,

I am trying to use pam_radius to authenticate SSH login. My system is CentOS 5.6 64bit.
When I try to authenticate with ssh it fails, but I am sure the shared secret is correct.

Freeradius got the following logs:

rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "1111"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject

And by the way, is it possible to create an ssh user on the NAS after the first successful authentication?
Alan DeKok
2012-05-05 11:10:57 UTC
Post by 小牧
I am trying to use pam_radius to authenticate SSH login. My system is CentOS 5.6 64bit.
When I try to authenticate with ssh it fails, but I am sure the shared secret is correct.
The shared secret is correct.
Post by 小牧
[pap] login attempt with password "? INCORRECT"
This is an issue with PAM on the client machine. Some other module is
doing password checking. When the password check fails, it re-sets the
password to "INCORRECT". That password is then sent to the pam_radius
module.

Go fix the client so that the PAM modules don't change the password.

Alan DeKok.
-
List info/subscribe/unsubscribe?
小牧
2012-05-05 12:57:09 UTC
Hello, Alan.

Thank you for your response.
Post by Alan DeKok
This is an issue with PAM on the client machine. Some other module is
doing password checking. When the password check fails, it re-sets the
password to "INCORRECT". That password is then sent to the pam_radius
module.
Go fix the client so that the PAM modules don't change the password.


My /etc/pam.d/sshd file contains the following settings:
-bash-3.2# cat sshd
#%PAM-1.0
auth sufficient pam_radius_auth.so debug
auth include system-auth
account sufficient pam_radius_auth.so
account required pam_nologin.so
account include system-auth
password sufficient pam_radius_auth.so
password include system-auth
session sufficient pam_radius_auth.so
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
Martin Pauly
2012-05-11 15:07:39 UTC
Post by Alan DeKok
This is an issue with PAM on the client machine. Some other module is
doing password checking. When the password check fails, it re-sets the
password to "INCORRECT". That password is then sent to the pam_radius
module.
Go fix the client so that the PAM modules don't change the password.
I had a similar problem today. PAM considered the user illegal because
the uid in question was unknown on the machine to be accessed by ssh.
Adding the user locally was required anyway, I had forgotten that on
that particular machine, there are only local accounts.

HTH (and thanx to Alan)
Martin
--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: ***@HRZ.Uni-Marburg.DE
D-35032 Marburg
sam
2012-05-24 08:19:55 UTC
Is there anyone to contribute this fix?

sam
2012-05-24 14:44:45 UTC
The pam_radius_auth module is installed on Linux, and user-A is not
created locally and only exists on the remote RADIUS server.
In the following function in pam_radius_auth.c, *password is always
INCORRECT:
+++++++++++++code+++++++++++++
/* From pam_radius_auth.c: run the PAM conversation and hand back the
 * password the application supplied to us. */
static int rad_converse(pam_handle_t *pamh, int msg_style, char *message,
                        char **password)
{
	CONST struct pam_conv *conv;
	struct pam_message resp_msg;
	CONST struct pam_message *msg[1];
	struct pam_response *resp = NULL;
	int retval;

	resp_msg.msg_style = msg_style;
	resp_msg.msg = message;
	msg[0] = &resp_msg;

	/* grab the password */
	retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv);
	PAM_FAIL_CHECK;

	/* it seems resp has some useful info saved in it */
	retval = conv->conv(1, msg, &resp, conv->appdata_ptr);
	PAM_FAIL_CHECK;

	if (password) {			/* assume msg.type needs a response */
		/* I'm not sure if this next bit is necessary on Linux */
		_pam_log(LOG_ERR, "enter in");
#ifdef sun
		/* NULL response, fail authentication */
		if ((resp == NULL) || (resp->resp == NULL)) {
			return PAM_SYSTEM_ERR;
		}
#endif

		/* saves the return value to *password (value is INCORRECT) */
		*password = resp->resp;
		free(resp);
	}

	return PAM_SUCCESS;
}
+++++++++++++code+++++++++++++

Not familiar with this module, can anybody give some instructions?


Fajar A. Nugraha
2012-05-24 15:10:19 UTC
Post by sam
The pam_radius_auth module is installed on Linux, and user-A is not
created locally and only exists on the remote RADIUS server.
In the following function in pam_radius_auth.c, *password is always
INCORRECT
That is the expected behavior. For pam to work, the user needs to
exist in whatever user db it recognizes (in this case, local user).
Post by sam
Not familiar with this module, can anybody give some instrutions?
Had you read the previous messages, you'd know that if you want to
modify something, it'd be in pam, and NOT in pam_radius plugin.
Possibly by using nss_mysql and getting it to use the same data that
FR is using (with the help of views, or whatever).

But since you decide to ignore it anyway and insist on focusing your
efforts on pam_radius_auth.c, you're pretty much on your own.
--
Fajar
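The thread settles on two points: the "INCORRECT" password is substituted on the SSH server before pam_radius ever sends the Access-Request, and the account has to resolve on the SSH server (locally or through NSS) for PAM to get that far. The following triage helper is an added example, not code from the thread, from pam_radius or from FreeRADIUS. It reads a FreeRADIUS debug excerpt and separates the three failure shapes a defender sees in the quoted log: a readable password ending in INCORRECT (client-side substitution, shared secret is fine), an all-garbage password with the "Unprintable characters" warning (shared secret really is suspect), and a readable password that simply does not match. It also checks whether the login name resolves via the server's NSS, which is the condition Martin and Fajar point at. The log samples are constructed from the lines quoted above; the `lookup` parameter is an assumption added so the account check can be exercised without a real passwd database.

```python
"""Triage a rejected PAP attempt seen in FreeRADIUS debug output.

Added example for the pam_radius / sshd thread; not project code.
"""
import pwd
import re

# Constructed samples modelled on the log lines quoted in the thread.
SAMPLE_LOG_SUBSTITUTED = """\
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "1111"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
"""

SAMPLE_LOG_BAD_SECRET = """\
[pap] login attempt with password "?\\x8a?q??\\x03"
[pap] Using clear text password "1111"
[pap] Passwords don't match
++[pap] returns reject
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
"""

SAMPLE_LOG_WRONG_PASSWORD = """\
[pap] login attempt with password "1112"
[pap] Using clear text password "1111"
[pap] Passwords don't match
++[pap] returns reject
"""

ATTEMPT_RE = re.compile(r'\[pap\] login attempt with password "(.*)"')
# Literal the thread says is substituted on the client side before pam_radius runs.
PLACEHOLDER = "INCORRECT"


def classify_pap_failure(log_text):
    """Return a short verdict string for the last PAP attempt in log_text."""
    attempt = None
    for line in log_text.splitlines():
        m = ATTEMPT_RE.search(line)
        if m:
            attempt = m.group(1)
    if attempt is None:
        return "no-pap-attempt"
    # Readable text ending in INCORRECT means the secret decrypted the
    # password correctly; the client replaced it before sending.
    if attempt.endswith(PLACEHOLDER):
        return "client-substituted-password"
    # Garbage bytes plus the server's warning point at the shared secret.
    if "WARNING: Unprintable characters" in log_text:
        return "possible-shared-secret-mismatch"
    if "Passwords don't match" in log_text:
        return "wrong-password"
    return "unknown"


def local_account_exists(username, lookup=pwd.getpwnam):
    """True if the SSH server's NSS resolves username (lookup is injectable)."""
    try:
        lookup(username)
        return True
    except KeyError:
        return False


def triage(username, log_text, lookup=pwd.getpwnam):
    """Combine the log verdict with the account check into one finding."""
    verdict = classify_pap_failure(log_text)
    local = local_account_exists(username, lookup)
    if verdict == "client-substituted-password" and not local:
        advice = ("account unknown on the SSH server; create it locally or "
                  "expose it via NSS before touching the RADIUS side")
    elif verdict == "client-substituted-password":
        advice = ("account exists; another PAM module on the client replaced "
                  "the password before pam_radius ran")
    elif verdict == "possible-shared-secret-mismatch":
        advice = "decrypted password is garbage; re-check the shared secret on server and NAS"
    elif verdict == "wrong-password":
        advice = "RADIUS received a readable password that does not match the stored one"
    else:
        advice = "no PAP attempt found in this log excerpt"
    return {"verdict": verdict, "local_account": local, "advice": advice}


if __name__ == "__main__":
    # Constructed run: user-a is the account sam describes as RADIUS-only.
    for name, log in (("user-a", SAMPLE_LOG_SUBSTITUTED),
                      ("user-a", SAMPLE_LOG_BAD_SECRET),
                      ("user-a", SAMPLE_LOG_WRONG_PASSWORD)):
        print(name, triage(name, log))
```

Run it on the SSH server itself so `pwd.getpwnam` consults the same NSS configuration sshd uses; feeding it `radiusd -X` output from the real failure gives the verdict for that attempt.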