OpenSSH, PAM and pam_radius_auth

Alan DeKok aland at deployingradius.com
Tue Jan 8 15:52:59 CET 2008


Johan Rydberg wrote:
> It seems that OpenSSH first tries to authenticate the user with an
> empty password (""), because if I set an empty password both in the
> local /etc/passwd, and on the RADIUS server, sshd is able to establish
> credentials for the user.

  PAM does weird things.  OpenSSH does weird things.

  See bugs.freeradius.org.  There are a number of issues relating to the PAM
module, including patches that may help here.  I recall something
related to "try_first_pass".

  I haven't spent much time looking at PAM recently.  All I recall from
using it a few years ago is that I spent a LOT of time fighting with it,
and had great difficulty trying to make it do anything.  The complete
and total lack of debugging information helped, too.

> PAM: pam_setcred(): Authentication service cannot retrieve user credentials

  That likely means that the user doesn't have a UID/GID/etc in
/etc/passwd.  The PAM RADIUS module doesn't set UID or GID.  I tried to
see if it was possible, and was told:

  a) No, it wasn't possible
  b) Yes, it was possible, and it was documented
  c) Yes, it was possible, but only the PAM authors knew how to make it work

  Getting conflicting answers from the same set of people made me
unsubscribe from the PAM list. :(

  Alan DeKok.
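
An added example, not part of the original message and not FreeRADIUS or PAM project code: a pre-flight check for the situation described above, where pam_radius_auth accepts the password but the user has no UID/GID in /etc/passwd. The PAM stack, the passwd contents and the user names are constructed, and the check assumes accounts come only from a local passwd file (other NSS sources are ignored).

```python
# Added example; PAM_SSHD and PASSWD are constructed sample inputs.
PAM_SSHD = """\
auth     sufficient  pam_radius_auth.so
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
session  required    pam_unix.so
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
broken:x::1002::/home/broken:/bin/sh
"""

def pam_modules(text, group):
    """Module names configured for one PAM group (auth, account, session...)."""
    mods = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) < 3 or f[0].lstrip("-") != group:
            continue
        i = 1
        if f[1].startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
            while i < len(f) and not f[i].endswith("]"):
                i += 1
        if i + 1 < len(f):
            mods.append(f[i + 1])
    return mods

def local_ids(text):
    """Map user name -> (uid, gid), or None when either field is unusable."""
    ids = {}
    for line in text.splitlines():
        p = line.split(":")
        if len(p) < 7:
            continue
        ok = p[2].isdigit() and p[3].isdigit()
        ids[p[0]] = (int(p[2]), int(p[3])) if ok else None
    return ids

def setcred_risk(pam_text, passwd_text, users):
    """Users RADIUS may accept but who have no local UID/GID for the session."""
    auth = pam_modules(pam_text, "auth")
    if not any(m.endswith("pam_radius_auth.so") for m in auth):
        return []
    ids = local_ids(passwd_text)
    return [u for u in users if ids.get(u) is None]

if __name__ == "__main__":
    print(setcred_risk(PAM_SSHD, PASSWD, ["alice", "bob", "broken"]))
```
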



More information about the Freeradius-Users mailing list