local ssh authentication via radius possible?

Dan Gahlinger dgahling at hotmail.com
Mon Nov 26 22:30:02 CET 2007


I'm not fighting you at all.

All of your answers previously were "read the documentation, it's there".
Well, it's not. Definitely not.

The pam_radius_auth link you gave me states:
In the per-application configuration add:
auth    sufficient /lib/security/pam_radius_auth.so
AFTER
auth    sufficient /lib/security/pam_securetty.so
and BEFORE:
auth    required /lib/security/pam_unix_auth.so

Take a look at my config, /etc/pam.d/sshd:

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     sufficient     /lib/security/pam_radius_auth.so debug
auth     include        common-auth
account  sufficient     /lib/security/pam_radius_auth.so
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional      pam_resmgr.so fake_ttyname

pam_securetty is never referenced, except in /etc/pam.d/login.
So should it be in sshd or login, or both?

It doesn't seem to make any difference.

A "default" radiusd install with NO changes (except the server file, as follows):
127.0.0.1       testing123             3

Users in the password file can log in, but it doesn't seem to be using RADIUS.

The documentation for PAM is as clear as mud. Did it mean to modify the login file like this:

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad]        pam_securetty.so
auth     sufficient     /lib/security/pam_radius_auth.so debug
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
session  required       pam_lastlog.so  nowtmp 
session  required       pam_resmgr.so
session  optional       pam_mail.so standard
session  optional       pam_ck_connector.so

Because that doesn't make any difference either. Same result as with just sshd above.

I now have a "vanilla" radiusd config (with the one change to the server file above), and I'm trying to figure out the PAM config.
The documentation also states:
"The pam configuration can be:"
...
auth    sufficient    /lib/security/pam_radius_auth.so [options]
...
account    sufficient    /lib/security/pam_radius_auth.so

which is the first time the account directive is mentioned.

So you now have my entire config, back to basics, trying to figure out the PAM stuff...
Logins work, but they're not using RADIUS. And there's nothing in the logs, even with the "debug" option specified.
Dan.

> Date: Mon, 26 Nov 2007 21:51:34 +0100
> From: aland at deployingradius.com
> To: freeradius-users at lists.freeradius.org
> Subject: Re: local ssh authentication via radius possible?
> 
> Dan Gahlinger wrote:
> > I don't understand most of what you said here. Hence my problem.
> 
>   The problem is that you're trying to configure 4-5 separate things at
> the same time, without understanding how most of them work.  As a
> result, you're frustrated, and not making progress.
> 
> > Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output
> > defined. Did you mean output=none?
> > Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
> > 
> > and nothing else. No other logs anywhere, not even a failed "ssh" log in
> > messages, warn, etc.
> 
>   i.e. PAM isn't using RADIUS for authentication.  Fix that.  Read the
> PAM documentation.
> 
> > we need a regular user using SSH client such as SecureCRT, or Putty, etc
> > without modification, to login
> > via SSH to a linux server, and have the server use Radius for
> > authentication.
> > 
> > These are "local" users with shell access. The radius would be local.
> > So instead of using the local password file, we want to use Radius.
> 
>   That will work, but they will need a uid/gid etc. in /etc/passwd.
> 
> > Using everything in the defaults without changing the user file doesn't
> > make sense, because that's what we want to use for authentication,
> > only, in our case, it'd be on a central server instead of local, but I
> > want to get local testing working first, just to make sure I understand
> > it all.
> 
>   Which is why I said to use the defaults.  If you don't know what it's
> doing, then DON'T CHANGE ANYTHING.  The default configuration WORKS.
> Every change you've made has broken it.
> 
> > at this point, I don't understand any of it, and yelling at me for doing
> > the wrong things isn't helping.
> 
>   No, I'm telling you that making random changes won't work.  I'm
> telling you that making changes that aren't recommended in the
> documentation is not a good idea.  I'm telling you that reading the
> documentation and following its recommendations is a good idea.
> 
> > you've seen my configuration files. I don't know how it should work,
> > because I have no idea how it should look.
> 
>   They should look like the samples.  It's not hard.
> 
> > I'd appreciate a little bit of help here, some hints, some sample
> > configs, would really really help.
> 
>   The sample configurations work.
> 
>   However, it's clear that for whatever reason, SSH isn't using PAM,
> *or*, PAM isn't using the pam_radius_auth module, *or* the
> pam_radius_auth module isn't configured to use the correct RADIUS server.
> 
>   As a result, the RADIUS server isn't receiving login requests.  As a
> result of that, no amount of fighting with the RADIUS configuration will
> help.  So all of the time you put into configuring "Login-Server" was
> wasted.
> 
> > I mean, if it's even possible to do what we're trying to do.
> 
>   Yes.
> 
>   I will also note that I asked a number of questions in my last
> message, and you haven't answered any of them.  Either you didn't
> understand them, or you don't think they're important.
> 
>   Part of the reason this is so difficult for you is that you are
> fighting every attempt by anyone to help you.  You're stuck on one
> particular mind-set that is preventing anyone from helping you, and
> preventing you from solving the problem.  Until you give up that
> mindset, and let people help you, you won't solve the problem.  You'll
> only get more and more frustrated.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
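The reply above names three places the login can fail to reach RADIUS: sshd not using PAM, the PAM stack not reaching pam_radius_auth before the local password check, or the module's server file being wrong. As an added example (not from the thread, and not code from the pam_radius_auth or FreeRADIUS projects), the checks below encode those three conditions so they can be run offline against constructed copies of the poster's /etc/pam.d/sshd auth stack and server-file line; the sshd_config fragments are assumed, since the thread never shows one.

```python
import re
# Constructed copy of the poster's /etc/pam.d/sshd auth stack and server line.
SSHD_PAM = """auth     requisite      pam_nologin.so
auth     sufficient     /lib/security/pam_radius_auth.so debug
auth     include        common-auth
"""
SERVER_FILE = "127.0.0.1       testing123             3\n"
# Modules that do the local password check; pam_radius_auth must come first.
LOCAL_CHECKS = ("pam_unix.so", "pam_unix_auth.so", "common-auth")

def parse_pam(text):
    """Return (type, control, module, args) per rule; '[...]' controls may hold spaces."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            m = re.match(r"(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
            if not m:
                raise ValueError("unparsable PAM rule: " + raw)
            kind, control, module, rest = m.groups()
            rules.append((kind, control, module, rest.split()))
    return rules

def radius_consulted_for_auth(rules):
    """True when an auth rule reaches pam_radius_auth before the local password check."""
    for kind, _control, module, _args in rules:
        if kind == "auth" and module.endswith("pam_radius_auth.so"):
            return True
        if kind == "auth" and module.endswith(LOCAL_CHECKS):
            return False
    return False

def parse_server_file(text):
    """pam_radius_auth server file: 'server[:port] secret [timeout]' per line."""
    servers = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts and len(parts) not in (2, 3):
            raise ValueError("bad server line: " + raw)
        if parts:
            servers.append((parts[0], parts[1], int(parts[2]) if len(parts) == 3 else None))
    return servers

def sshd_uses_pam(config):
    """sshd only hands logins to PAM under 'UsePAM yes'; first match wins, default no."""
    for raw in config.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts and parts[0].lower() == "usepam":
            return len(parts) == 2 and parts[1].strip().lower() == "yes"
    return False
```

On the poster's stack the ordering check passes and the server line parses, which leaves sshd's UsePAM setting and the module path as the remaining suspects.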


