SSH-Login libpam-radius-auth
Marius.Meisner
marius.meisner at googlemail.com
Fri Jan 28 02:04:32 CET 2011
Hi,
I have a problem with password matching. Everything seems to be all
right, but radius still won't accept the shared_secret.
I use radius with a mysql database for ssh authentication. If I try to
authenticate with radtest on the server (10.10.10.11) it works fine. If I
try to authenticate from the client with IP 10.10.10.200 it works as well.
If I try to authenticate from ssh I receive this message:
rad_recv: Access-Request packet from host 127.0.0.1 port 3666, id=208,
length=88
User-Name = "lisa"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 10.10.10.11
NAS-Identifier = "sshd"
NAS-Port = 2641
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "10.10.10.200"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "lisa", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
expand: %{User-Name} -> lisa
rlm_sql (sql): sql_set_user escaped user --> 'lisa'
rlm_sql (sql): Reserving sql socket id: 4
expand: SELECT id, username, attribute, value, op FROM
radcheck WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'lisa' ORDER BY id
rlm_sql (sql): User found in radcheck table
expand: SELECT id, username, attribute, value, op FROM
radreply WHERE username = '%{SQL-User-Name}' ORDER
BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'lisa' ORDER BY id
expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority ->
SELECT groupname FROM radusergroup WHERE username =
'lisa' ORDER BY priority
expand: SELECT id, groupname, attribute, Value, op
FROM radgroupcheck WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname = 'dynamic'
ORDER BY id
rlm_sql (sql): User found in group dynamic
expand: SELECT id, groupname, attribute, value, op
FROM radgroupreply WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname = 'dynamic'
ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "? INCORRECT"
rlm_pap: Using clear text password "lisa123"
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed):
[lisa/\010\n\r\177INCORRECT] (from client localhost port 2641 cli
10.10.10.200)
WARNING: Unprintable characters in the password. Double-check
the shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> lisa
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 1.0 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 208 to 127.0.0.1 port 3666
Waking up in 4.9 seconds.
clients.conf:
=============
client 127.0.0.1 {
secret = Test
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
client 10.10.10.0/24 {
secret = Test
shortname = local-net
}
pam_radius_auth.conf:
=====================
127.0.0.1 Test 3
10.10.10.11 Test 3
pam.d/common-auth:
==================
# Radius auth
# For these next three lines to grant auth, you must have a local user name
# This must be the same as your RADIUS name
# Remove the "debug" argument on the next line after everything works
auth sufficient pam_radius_auth.so debug
account required pam_radius_auth.so
session required pam_radius_auth.so
# Generic unix auth services below
auth required pam_unix.so nullok_secure
users:
======
"susi" Cleartext-Password := "123"
If I add the user susi (from the users file) with adduser susi and the user lisa
(from the database) with adduser lisa, then NTRadPING receives a Reject. If the password
is set in passwd, authentication works. But the password shouldn't be read
out of passwd...
Any suggestions as to where my fault is, or what to do?
Cheers
MM
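The log above ends with FreeRADIUS warning about unprintable characters in the password and suggesting a shared-secret check. That warning exists because a PAP User-Password is not sent in clear: RFC 2865 section 5.2 hides it by XORing 16-byte blocks with MD5(secret + Request-Authenticator), chained block to block, so a NAS and server that disagree on the secret produce random-looking bytes on the server side. The example below is added here and is not code from the post or from FreeRADIUS or pam_radius_auth; it implements that hiding and revealing step, shows that the same secret recovers the password while a different secret does not, and applies the same printable-characters check the server applies. The Request Authenticator, the secret "Test" and the password "lisa123" are taken from or constructed for this post. It also keeps the literal password bytes from the log as a constant: "\010\n\r\177INCORRECT" (\b\n\r\x7f followed by INCORRECT) is the fixed placeholder that OpenSSH's PAM code passes instead of the typed password when the login name is not a valid local account, which is the situation the comment in the posted common-auth ("you must have a local user name") describes, so its presence in a decoded packet points at the NAS side rather than at the secret.

```python
"""Added example: RFC 2865 User-Password hiding and the two checks a
defender applies when a PAP request arrives looking garbled."""
import hashlib
import os
import string

# Constructed: the literal password bytes shown in the post's debug log.
# OpenSSH substitutes this fixed string for the real password when the
# login name is not a valid local user, so it is not a secret problem.
OPENSSH_INVALID_USER_PASSWORD = b"\x08\n\r\x7fINCORRECT"

BLOCK = 16


def _pad(password: bytes) -> bytes:
    """Pad with NULs to a multiple of 16 octets (at least one block)."""
    padded = password + b"\x00" * ((BLOCK - len(password) % BLOCK) % BLOCK)
    return padded or b"\x00" * BLOCK


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: produce the User-Password attribute value (RFC 2865 5.2).
    c1 = p1 XOR MD5(S + RA), c(i) = p(i) XOR MD5(S + c(i-1))."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    out = bytearray()
    prev = authenticator
    padded = _pad(password)
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], key))
        out += cipher
        prev = cipher
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: invert hide_password with the secret the server has on
    file for this client. Trailing NUL padding is stripped (so passwords
    that end in a NUL byte are not representable, same as the RFC)."""
    if len(hidden) % BLOCK or not hidden:
        raise ValueError("User-Password must be a non-empty multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(cipher, key))
        prev = cipher  # chaining uses the received ciphertext block
    return bytes(out).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """The check behind 'WARNING: Unprintable characters in the password'."""
    printable = string.printable.encode()
    return any(c not in printable or c < 0x20 or c > 0x7e for c in password)


def diagnose(hidden: bytes, secret: bytes, authenticator: bytes) -> str:
    """Classify a decoded PAP password the way an operator reads the log."""
    password = reveal_password(hidden, secret, authenticator)
    if password == OPENSSH_INVALID_USER_PASSWORD:
        return "openssh-invalid-local-user"
    if has_unprintable(password):
        return "possible-shared-secret-mismatch"
    return "plaintext-ok"


if __name__ == "__main__":
    ra = os.urandom(BLOCK)  # a real NAS picks a fresh random authenticator
    hidden = hide_password(b"lisa123", b"Test", ra)
    print("correct secret :", reveal_password(hidden, b"Test", ra))
    print("wrong secret   :", reveal_password(hidden, b"Tset", ra))
    print("diagnosis (ok) :", diagnose(hidden, b"Test", ra))
    print("diagnosis (bad):", diagnose(hidden, b"Tset", ra))
    fake = hide_password(OPENSSH_INVALID_USER_PASSWORD, b"Test", ra)
    print("diagnosis (ssh):", diagnose(fake, b"Test", ra))
```

Running it with a secret that matches on both sides prints lisa123; with a one-character difference the server sees 16 random octets, which is what triggers the warning in the log. The third diagnosis shows the case in the post: the secret is right, the decoded password is readable, and it is exactly the bytes OpenSSH sends for a login name it could not resolve locally.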