steve at focb.co.nz
Fri Apr 28 08:35:21 CEST 2017
I've just setup pam_radius_auth and it is working, however there seems to be a weird 20 second delay for no apparent reason between getting the password from the prompt and sending the authentication request to the RADIUS server.
The version of pam_radius_auth is 1.4.0 obtained from the CentOS 7 EPEL repository
I have entries for the RADIUS server in /etc/hosts but have tried both a hostname and an IP address in /etc/pam_radius.conf and the effect is the same.
My sshd pam entries are set as follows
-- begin snippet --
auth [success=ignore default=1] pam_succeed_if.so debug user ingroup radius
auth required pam_radius_auth.so debug conf=/etc/pam_radius.conf
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
-- end --
The logs are as follows
-- begin logs --
Apr 28 16:09:40 bastion sshd: pam_radius_auth: Got user name stevetest
Apr 28 16:09:40 bastion sshd: pam_radius_auth: ignore last_pass, force_prompt set
Apr 28 16:10:00 bastion sshd: pam_radius_auth: Sending RADIUS request code 1
Apr 28 16:10:00 bastion sshd: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7f05695fa1c0.
Apr 28 16:10:00 bastion sshd: pam_radius_auth: Got RADIUS response code 2
Apr 28 16:10:00 bastion sshd: pam_radius_auth: authentication succeeded
-- end logs --
and the server entry is (less the lines starting with a #)
# cat /etc/pam_radius.conf | egrep -v ^#
auth1 somesecret 3
172.28.208.169:1812 somesecret 3
(If I comment auth1 out the effect is identical - a 20 second delay)
The 20 seconds sounds like a timeout of some sort but I'm at a bit of a loss what this would be. Just wondering if anyone else has come across this?
OS: CentOS 7.3.1611, minimal installation, patched to whatever the latest patch cluster was as of a week ago.
Any ideas would be appreciated,
More information about the Freeradius-Users