Auth-Type = System not working



Hi,
I've read the freeradius-users archives and found that other people have problems when using Freeradius on an OS which uses a shadow password file. I too have encountered such problems and have found why this problem occurs, but require assistance to fix it. Here's a recap of the problem:
Auth-Type = Local works fine but Auth-Type = System does not.

OS: FreeBSD 6.0 running Freeradius-1.1.1 installed from ports collection

users file contents:
DEFAULT Auth-Type = System
        Reply-Message = "System password works"

Running radiusd -X produces (see below for greater detail)
rlm_unix: [test]: invalid password

but I know 100% that the password is correct. What appears to be happening (determined from hours of frustrating testing) is that Freeradius (rlm_unix) is looking for the users' passwords in the /etc/passwd file, but my /etc/passwd file doesn't contain any passwords:
test:*:1003:1003:Test User:/home/test:/bin/sh

my /etc/master.passwd file does:
test:$1$RlHYm4Ca$QhlYcYV7BqIjTF.UQ4pTX/:1003:1003::0:0:Test User:/home/test:/bin/sh

If I copy the encrypted password from /etc/master.passwd and replace the "*" in /etc/passwd, I can successfully authenticate via Auth-Type = System

Login OK: [test] (from client localhost port 0) (more detail below)

*******
So my question is what do I need to do so I don't have to manually replace the "*" in /etc/passwd with the encrypted password from /etc/master.passwd for every user I enter in the system?
*******
TIA,
Shane

Output of radiusd -X when /etc/passwd contains "*" for password
rad_recv: Access-Request packet from host 127.0.0.1:52869, id=153, length=53
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port-Id = "0"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 688
  modcall[authorize]: module "preprocess" returns ok for request 688
radius_xlat:  '/var/log/radacct/127.0.0.1/auth-detail-20060531'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-detail-20060531
  modcall[authorize]: module "auth_log" returns ok for request 688
  modcall[authorize]: module "chap" returns noop for request 688
  modcall[authorize]: module "mschap" returns noop for request 688
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 688
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 688
    users: Matched entry DEFAULT at line 13
  modcall[authorize]: module "files" returns ok for request 688
modcall: leaving group authorize (returns ok) for request 688
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 688
rlm_unix: [test]: invalid password
  modcall[authenticate]: module "unix" returns reject for request 688
modcall: leaving group authenticate (returns reject) for request 688
auth: Failed to validate the user.
Login incorrect: [test/test] (from client localhost port 0)
Delaying request 688 for 1 seconds
Finished request 688
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 153 to 127.0.0.1 port 52869
        Reply-Message = "System password works"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 688 ID 153 with timestamp 447e1534
Nothing to do.  Sleeping until we see a request.


Output of radiusd -X when /etc/passwd contains encrypted password instead of "*"
rad_recv: Access-Request packet from host 127.0.0.1:55703, id=181, length=53
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Port-Id = "0"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/var/log/radacct/127.0.0.1/auth-detail-20060531'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-detail-20060531
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
    users: Matched entry DEFAULT at line 13
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type System
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  modcall[authenticate]: module "unix" returns ok for request 0
modcall: leaving group authenticate (returns ok) for request 0
radius_xlat:  'System password works'
Login OK: [test] (from client localhost port 0)
Sending Access-Accept of id 181 to 127.0.0.1 port 55703
        Reply-Message = "System password works"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 447e1744
Nothing to do.  Sleeping until we see a request.
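
A diagnostic for the symptom described in the post above, added here as an example (it is not part of the original message and is not FreeRADIUS code): it reports which kind of password field getpwnam() hands to the calling process, without printing the field itself. It assumes the module obtains the field through getpwnam(); on FreeBSD that call returns the master.passwd hash only to a process with effective UID 0 and "*" to everyone else. The helper names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

enum pw_kind { PW_MISSING, PW_EMPTY, PW_PLACEHOLDER, PW_HASH };

/* Classify a passwd(5)-style password field without revealing it. */
enum pw_kind classify_pw_field(const char *field)
{
    if (field == NULL)
        return PW_MISSING;          /* no such account */
    if (field[0] == '\0')
        return PW_EMPTY;            /* account has no password set */
    /* "*" is what the post's /etc/passwd holds; "x" is the usual
     * placeholder on shadow(5) systems. Neither can match a password. */
    if (strcmp(field, "*") == 0 || strcmp(field, "x") == 0)
        return PW_PLACEHOLDER;
    return PW_HASH;                 /* anything else: treated as a crypt(3) string */
}

const char *pw_kind_name(enum pw_kind k)
{
    switch (k) {
    case PW_MISSING:     return "no such user";
    case PW_EMPTY:       return "empty";
    case PW_PLACEHOLDER: return "placeholder";
    default:             return "hash";
    }
}

/* What the calling process can see for `user` through getpwnam(). */
enum pw_kind visible_pw_kind(const char *user)
{
    struct passwd *pw = getpwnam(user);
    return classify_pw_field(pw ? pw->pw_passwd : NULL);
}

int main(int argc, char **argv)
{
    /* "test" is the account name used in the post. */
    const char *user = argc > 1 ? argv[1] : "test";
    enum pw_kind k = visible_pw_kind(user);

    printf("euid=%ld user=%s password field: %s\n",
           (long)geteuid(), user, pw_kind_name(k));
    return k == PW_HASH ? 0 : 1;    /* non-zero: nothing usable to compare against */
}
```

Run it once as root and once as the account radiusd runs under; a "placeholder" result for the second run matches the "invalid password" case in the first debug log.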



