pam_radius authentication problem - no password?

Enno groeper at informatik.hu-berlin.de
Wed Apr 16 09:42:43 CEST 2008


Hi,
I have problems using pam_radius to authenticate users using our
freeradius server.
I want to use it with openvpn but tested it with ssh.

The new part of my /etc/pam.d/ssh looks like:
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]

auth       sufficient   /lib/security/pam_radius_auth.so debug try_first_pass

To nail the problem down I added some debug info to pam_radius_auth.c:
  /* grab the password (if any) from the previous authentication layer */
  retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
  DPRINT(LOG_DEBUG, "Get password retval: %d, %d", retval, PAM_SUCCESS);
  PAM_FAIL_CHECK;

  DPRINT(LOG_DEBUG, "X Got password %s", password);

  if(password) {
    password = strdup(password);
    DPRINT(LOG_DEBUG, "Got password %s", password);
  }

My auth.log file then says:
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Got user name enno
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Get password retval: 0, 0
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: X Got password (null)
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Sending RADIUS request code 1
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: RADIUS server <our_radius_server> failed to respond
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: All RADIUS servers failed to respond.
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: authentication failed

There seem to be problems connecting to the radius server sometimes, but
I think this isn't the problem here. When the connection works, I get
radius response code 3 (afair).

I'm testing this on the target machine (openvpn server) using "ssh -l
enno 127.0.0.1" and some random password (first I tried with the correct
password and then started debugging).
Looking at the code of pam_radius_auth.c and at the output of auth.log I
would say the call to pam seems to not return the AUTHTOK. The call
succeeds, but the password pointer is NULL.

Any ideas?

Thanks in advance
Enno Gröper
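
Added example (not part of the original post and not code from the pam_radius project): the debug statements shown in the post write the password value to auth.log, and the log separates "server failed to respond" from other outcomes. This sketch summarises each attempt by sshd PID, flags any logged password, and masks it before the log is shared. The function names, the sample log and the PID 29801 records (user "alice", "constructed-secret") are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the post's log format, one record per line (unwrapped).
SAMPLE = """\
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Got user name enno
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: X Got password (null)
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Sending RADIUS request code 1
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: All RADIUS servers failed to respond.
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: authentication failed
Apr 15 13:56:10 openvpnserver sshd[29801]: pam_radius_auth: Got user name alice
Apr 15 13:56:12 openvpnserver sshd[29801]: pam_radius_auth: Got password constructed-secret
Apr 15 13:56:12 openvpnserver sshd[29801]: pam_radius_auth: Sending RADIUS request code 1
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ \S+\[(\d+)\]: pam_radius_auth: (.*)$")
PW = re.compile(r"^((?:X )?Got password )(.*)$")

def triage(log_text):
    """Summarise each login attempt (keyed by sshd PID) from pam_radius_auth debug lines."""
    attempts = defaultdict(lambda: {"user": None, "sent": False,
                                    "timeout": False, "password_logged": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pam_radius_auth record
        a, msg = attempts[int(m.group(1))], m.group(2)
        pw = PW.match(msg)
        if msg.startswith("Got user name "):
            a["user"] = msg[len("Got user name "):]
        elif msg.startswith("Sending RADIUS request code"):
            a["sent"] = True
        elif "failed to respond" in msg:
            a["timeout"] = True  # transport problem, not a rejected credential
        elif pw and pw.group(2) != "(null)":
            a["password_logged"] = True  # "(null)" is glibc's rendering of a NULL %s
    return dict(attempts)

def redact(log_text):
    """Mask any logged password value before the log is shared or archived."""
    masked = []
    for raw in log_text.splitlines():
        head, sep, msg = raw.partition("pam_radius_auth: ")
        pw = PW.match(msg)
        if sep and pw and pw.group(2) != "(null)":
            msg = pw.group(1) + "[REDACTED]"
        masked.append(head + sep + msg)
    return "\n".join(masked)
```

Calling triage(SAMPLE) returns one summary per PID; redact(SAMPLE) returns the same log with password values masked.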