----- Original Message -----
Sent: Tuesday, December 18, 2007 5:49 PM
Subject: Re: Help w/ pam radius
Seems like I am getting closer possibly, but I see an error in radius.log -- could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow.

Basically, I go to log in to my pam_radius host, the user exists in the local password file with no password, the user/pass is in RADIUS/LDAP, and when I log in the SSH session immediately exits and I see the below in radius.log. If I use a login that is not in the local password file, but is in RADIUS/LDAP, then I get an access denied and no mention of the below error.

I am not even starting TLS, so why is it even complaining about it? I am also curious what this means -- rlm_exec: Wait=yes but no output defined. Did you mean output=none?

Appreciate any help. Thanks!
Tue Dec 18 19:32:48 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Tue Dec 18 19:32:48 2007 : Info: Ready to process requests.
Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:35:55 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
Tue Dec 18 19:36:03 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
----- Original Message -----
Sent: Tuesday, December 18, 2007 2:13 PM
Subject: Help w/ pam radius
Hello:

I am having trouble getting pam_radius working and was wondering if someone might be of help, since I followed the INSTALL instructions as well as a howto (as provided by the Wikid folks) and I am still coming up short getting it working.

Here are some of my details:

- My PAM is such that it is by service (Fedora 7 -- 0.99.7.1-5.1)... sshd being what I am most interested in, the default config for it looks like the below on a host I want talking to radius. What does this need to look like in terms of the pam_radius_auth.so related stanzas to get it working? Neither the INSTALL instructions nor a howto I found would work.
/etc/pam.d/sshd (default below)
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
- My Radius box runs freeradius (freeradius-1.1.7-3.1) with LDAP (fedora-ds) backending it with the user/pass info. I got it working for Ciscos but have yet to get PAM working. I just get 'Access denied' -- tried the latter with a user defined on the host with no password or with a password and it won't work.

Pretty simple, no huntgroups or anything like that, just plain and simple binding against LDAP.

I think what I am looking for are...

1- PAM configuration on the host (i.e. /etc/pam.d/sshd)
2- PAM configuration requirements as far as the radius server is concerned. It would be helpful to see what all I might need that I am possibly missing in conf files.

Thank you!
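Since the sshd file above only says "auth include system-auth", the order in which an added pam_radius_auth.so line would run relative to pam_unix.so is not visible from that file alone. As an added example (not code from this thread or from the pam_radius project), the shell function below follows include/substack lines and prints the effective auth stack of a service; the pam.d tree it builds is constructed, and its system-auth is a minimal made-up one, not the real Fedora file.

```shell
#!/bin/sh
# pam_auth_stack <pam.d dir> <service>: print the resolved "auth" stack,
# each line prefixed with the file it came from. Assumes the Linux-PAM
# "type control module args" line format.
pam_auth_stack() {
    [ -r "$1/$2" ] || { echo "cannot read $1/$2" >&2; return 1; }
    # drop comments and blank lines, keep only entries of type "auth"
    grep -v '^[[:space:]]*#' "$1/$2" | awk '$1 == "auth"' |
    while read -r type ctrl mod args; do
        case $ctrl in
            \[*)  # bracketed control "[a=b c=d]": re-join it before the module
                line="$ctrl $mod $args"
                ctrl="${line%%]*}]"
                rest=${line#*]}; rest=${rest# }
                mod=${rest%% *}; args=${rest#"$mod"}; args=${args# }
                ;;
        esac
        if [ "$ctrl" = include ] || [ "$ctrl" = substack ]; then
            pam_auth_stack "$1" "$mod"   # $1/$2 are restored after the call
        else
            printf '%s\n' "$2: $type $ctrl $mod${args:+ $args}"
        fi
    done
}

# Constructed sample: the sshd file from the thread plus a minimal, made-up
# system-auth (not Fedora's real one). Prints the resolved auth stack.
demo_pam_stack() {
    d=$(mktemp -d)
    cat > "$d/sshd" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
EOF
    cat > "$d/system-auth" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       [success=1 default=ignore] pam_succeed_if.so uid >= 500 quiet
auth       required     pam_deny.so
EOF
    pam_auth_stack "$d" sshd
    rm -rf "$d"
}
```

Run demo_pam_stack to see the four auth lines sshd actually evaluates; the same function works on a real /etc/pam.d directory.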