Pam_radius_Auth - Problem

Rascher, Markus markus.mr.rascher at siemens.com
Mon Jun 18 14:20:16 CEST 2007


Hi all,

I have a problem with pam_radius_auth-module, maybe someone can help me.

The situation:

I am running freeradius 1.1.6 and have installed the pam_radius_auth module.
In the file /etc/pam.d/sshd I inserted the line

Auth required pam_radius_auth.so

as described in the documentation on freeradius.org.

And in the file /etc/raddb/server I inserted the shared secret.

If I connect to the ssh-server with a username which exists in the
ssh-server's system-db, the login process works fine, but if I want to
log in via ssh with a user that only the radius-server knows and that is
not in the system-db of the ssh-server, the login fails with this error:

Jun 18 14:32:52 kiwi15 sshd[31606]: Invalid user testuser from 146.254.188.65
Jun 18 14:32:52 kiwi15 sshd[31607]: input_userauth_request: invalid user testuser
Jun 18 14:32:57 kiwi15 sshd[31606]: pam_radius_auth: Got user name testuser
Jun 18 14:32:57 kiwi15 sshd[31606]: pam_radius_auth: Sending RADIUS request code 1

==> /var/log/secure <==
Jun 18 14:32:59 kiwi15 sshd[31606]: pam_radius_auth: Got RADIUS response code 3
Jun 18 14:32:59 kiwi15 sshd[31606]: pam_radius_auth: authentication failed
Jun 18 14:32:59 kiwi15 sshd[31606]: Failed password for invalid user testuser from 146.254.188.65 port 3666 ssh2



Radius-Daemon says:

rad_recv: Access-Request packet from host 127.0.0.1:32631, id=218, length=99
        User-Name = "testuser"
        User-Password = "\010\n\rINCORRECT"     <-- this is very strange :-/
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "sshd"
        NAS-Port = 31606
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "testkiste"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 24
.
.
.
modcall: leaving group authorize (returns ok) for request 24
  rad_check_password:  Found Auth-Type PAP
auth: type "PAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 24
rlm_pap: login attempt with password ?  INCORRECT
rlm_pap: Using clear text password "testpwd".
rlm_pap: Passwords don't match
  modcall[authenticate]: module "pap" returns reject for request 24
modcall: leaving group PAP (returns reject) for request 24
auth: Failed to validate the user.
  WARNING: Unprintable characters in the password. ?  Double-check the shared secret on the server and the NAS!
Delaying request 24 for 1 seconds
Finished request 24
Going to the next request


Shared secret is ok, I checked it twice...
I think the sshd refuses users which are not in the passwd-file and
sends this confusing password-Attribute to the pam_radius-module, but
why????


Thanks for your help

Markus








More information about the Freeradius-Users mailing list