No subject
Alan Buxey
alan.buxey at gmail.com
Tue Jun 26 00:04:42 CEST 2018
When you are doing the SSH, what does FreeRADIUS debug show? You appear to
be using a totally different port number in your PAM config: 1831???
alan
On 25 June 2018 at 05:56, Hailun Tan <dearambermini at gmail.com> wrote:
> I am trying to perform the user authentication via the FreeRADIUS server on the
> SSH connection.
>
> I have setup the free radius server according to the wiki pages:
>
> https://wiki.freeradius.org/guide/Getting-Started
>
>
> In addition, I managed to install daloRADIUS to manage the FreeRADIUS
> server. I have run radtest against the server.
>
> The configuration for the RADIUS server is:
> free radius server IP: 10.10.150.134
> free radius server port: 1812
> master secret: NOJA
> user name: micfox
> user password: micfox001
>
>
> On the client machine (client IP: 10.10.150.136), I run the following
> command:
>
> dev-ldap-server: radtest micfox micfox001 10.10.150.134:1812 1812 NOJA
> Sending Access-Request of id 5 to 10.10.150.134 port 1812
> User-Name = "micfox"
> User-Password = "micfox001"
> NAS-IP-Address = 10.10.150.136
> NAS-Port = 1812
> Message-Authenticator = 0x00000000000000000000000000000000
> rad_recv: Access-Accept packet from host 10.10.150.134 port 1812, id=5,
> length=38
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-Compression = Van-Jacobson-TCP-IP
>
> So it should prove the free radius server is up and running.
>
>
> However, I have configured pam_radius_auth.so to hook up with the PAM
> modules on the client machine to authenticate the SSH user, and it
> does not work. I have updated the /etc/pam.d/sshd as follows:
> ===========
>
>
> auth sufficient pam_radius_auth.so debug skip_passwd
> # PAM configuration for the Secure Shell service
>
> # Standard Un*x authentication.
> @include common-auth
>
> # Disallow non-root logins when /etc/nologin exists.
> account required pam_nologin.so
>
> # Uncomment and edit /etc/security/access.conf if you need to set complex
> # access limits that are hard to express in sshd_config.
> # account required pam_access.so
>
> # Standard Un*x authorization.
> @include common-account
>
> # SELinux needs to be the first session rule. This ensures that any
> # lingering context has been cleared. Without this it is possible that a
> # module could execute code in the wrong domain.
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so close
>
> # Set the loginuid process attribute.
> session required pam_loginuid.so
>
> # Create a new session keyring.
> session optional pam_keyinit.so force revoke
>
> # Standard Un*x session setup and teardown.
> @include common-session
>
> # Print the message of the day upon successful login.
> # This includes a dynamically generated part from /run/motd.dynamic
> # and a static (admin-editable) part from /etc/motd.
> session optional pam_motd.so motd=/run/motd.dynamic
> session optional pam_motd.so noupdate
>
> # Print the status of the user's mailbox upon successful login.
> session optional pam_mail.so standard noenv # [1]
>
> # Set up user limits from /etc/security/limits.conf.
> session required pam_limits.so
>
> # Read environment variables from /etc/environment and
> # /etc/security/pam_env.conf.
> session required pam_env.so # [1]
> # In Debian 4.0 (etch), locale-related environment variables were moved to
> # /etc/default/locale, so read that as well.
> session required pam_env.so user_readenv=1
> envfile=/etc/default/locale
>
> # SELinux needs to intervene at login time to ensure that the process starts
> # in the proper default security context. Only sessions which are intended
> # to run in the user's context should be run after this.
> session [success=ok ignore=ignore module_unknown=ignore default=bad]
> pam_selinux.so open
>
> # Standard Un*x password updating.
> @include common-password
>
>
> But now when I run ssh micfox@10.10.150.136 (the FreeRADIUS client's IP),
> /var/log/auth.log has the following error messages:
>
>
> Jun 25 12:05:51 dev-ldap-server sshd[6441]: pam_radius_auth: Got user name
> micfox
> Jun 25 12:05:51 dev-ldap-server sshd[6441]: pam_radius_auth: ignore
> last_pass, force_prompt set
> Jun 25 12:05:51 dev-ldap-server sshd[6441]: pam_radius_auth: Sending RADIUS
> request code 1
> Jun 25 12:05:51 dev-ldap-server sshd[6441]: pam_radius_auth: DEBUG:
> get_ipaddr(10.10.150.134) is available. (1812)
> Jun 25 12:05:51 dev-ldap-server sshd[6441]: pam_radius_auth: DEBUG:
> talk_radius(0x86960a0a) is available (1812,port).
> Jun 25 12:05:51 dev-ldap-server sshd[6441]: pam_radius_auth: DEBUG:
> waiting for response from radius server 10.10.150.134 with port 1812
> (master secret: NOJA).
> Jun 25 12:05:54 dev-ldap-server sshd[6441]: pam_radius_auth: RADIUS server
> 10.10.150.134 failed to respond
> Jun 25 12:05:54 dev-ldap-server sshd[6441]: pam_radius_auth: All RADIUS
> servers failed to respond.
> Jun 25 12:05:54 dev-ldap-server sshd[6441]: pam_radius_auth: authentication
> failed
> Jun 25 12:05:54 dev-ldap-server sshd[6438]: Postponed keyboard-interactive
> for invalid user micfox from 127.0.0.1 port 37362 ssh2 [preauth]
>
>
>
> The RADIUS server always fails to respond.
>
> I have configured the /etc/pam_radius_auth.conf as follows:
>
>
>
> # pam_radius_auth configuration file. Copy to: /etc/raddb/server
> #
> # For proper security, this file SHOULD have permissions 0600,
> # that is readable by root, and NO ONE else. If anyone other than
> # root can read this file, then they can spoof responses from the server!
> #
> # There are 3 fields per line in this file. There may be multiple
> # lines. Blank lines or lines beginning with '#' are treated as
> # comments, and are ignored. The fields are:
> #
> # server[:port] secret [timeout]
> #
> # the port name or number is optional. The default port name is
> # "radius", and is looked up from /etc/services The timeout field is
> # optional. The default timeout is 3 seconds.
> #
> # If multiple RADIUS server lines exist, they are tried in order. The
> # first server to return success or failure causes the module to return
> # success or failure. Only if a server fails to response is it skipped,
> # and the next server in turn is used.
> #
> # The timeout field controls how many seconds the module waits before
> # deciding that the server has failed to respond.
> #
> # server[:port] shared_secret timeout (s)
> 10.10.150.134:1831 NOJA 3
> #other-server other-secret 3
>
> #
> # having localhost in your radius configuration is a Good Thing.
> #
> # See the INSTALL file for pam.conf hints.
>
>
> I believe I should have set up everything correctly?? Why is
> pam_radius_auth.so not working, with the error message
>
> RADIUS server 10.10.150.134 failed to respond??
> I have prolonged the timeout parameter from 3 seconds to 60 seconds but it
> did not work.
>
> If the RADIUS server were not set up correctly, it should not even have passed
> the radtest before. But why is there no response from the RADIUS server for
> pam_radius_auth.so if the server does work?? What could be wrong in
> the configuration of the pam_radius module?
>
> Please advise
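The thread turns on one detail that is easy to miss when reading pam_radius_auth.conf by eye: radtest was run against 10.10.150.134:1812, while the module's config line points at port 1831, so the module waits out its timeout and logs "failed to respond". The script below is an added example, not code from the thread or from the pam_radius_auth project. It parses the module's "server[:port] secret [timeout]" format as documented in the config file's own comments, reports the port each server will actually be contacted on, flags any server whose port differs from the one radtest succeeded against, and checks the ownership and mode of the secrets file (the config comments require root-only 0600, because anyone who can read the shared secret can forge server responses). The sample config text is constructed from the thread's values; the fallback to 1812 when /etc/services has no "radius" entry is an assumption.

```python
"""Added diagnostic for the pam_radius_auth.conf problem in this thread.

Parses "server[:port] secret [timeout]" lines, reports the port each server
will be contacted on, flags a port that differs from the one radtest used,
and checks that the file holding the shared secret is root-owned and 0600.
"""
import os
import socket
import stat
from dataclasses import dataclass
from typing import List

DEFAULT_TIMEOUT = 3  # seconds, the module default stated in the config comments


@dataclass
class RadiusServer:
    host: str
    port: int
    secret: str
    timeout: int


def resolve_port(port_field: str) -> int:
    """Numeric port as-is; otherwise a service name looked up in /etc/services.
    An empty field means the default service name "radius" (1812)."""
    name = port_field or "radius"
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, "udp")
    except OSError:
        return 1812  # assumption: no /etc/services entry, fall back to the IANA port


def parse_pam_radius_conf(text: str) -> List[RadiusServer]:
    """Parse pam_radius_auth.conf text; blank lines and '#' comments are ignored."""
    servers: List[RadiusServer] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed line, need 'server[:port] secret [timeout]': {raw!r}")
        host, _, port_field = fields[0].partition(":")
        timeout = int(fields[2]) if len(fields) > 2 else DEFAULT_TIMEOUT
        servers.append(RadiusServer(host, resolve_port(port_field), fields[1], timeout))
    return servers


def port_mismatches(servers: List[RadiusServer], tested_host: str, tested_port: int) -> List[RadiusServer]:
    """Servers radtest reached on tested_port that the module would contact on a different port."""
    return [s for s in servers if s.host == tested_host and s.port != tested_port]


def secret_file_problems(mode: int, uid: int) -> List[str]:
    """Ownership/permission problems for a file holding RADIUS shared secrets (expect root, 0600)."""
    problems = []
    if uid != 0:
        problems.append(f"owned by uid {uid}, expected root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {stat.S_IMODE(mode):04o} grants group/other access, expected 0600")
    return problems


def check_secret_file(path: str) -> List[str]:
    """Stat a real config file and report ownership/permission problems."""
    st = os.stat(path)
    return secret_file_problems(st.st_mode, st.st_uid)


# Constructed sample: the single live line from the thread's pam_radius_auth.conf.
CONSTRUCTED_CONF = """\
# server[:port] shared_secret timeout (s)
10.10.150.134:1831 NOJA 3
#other-server other-secret 3
"""


def diagnose(conf_text: str, tested_host: str, tested_port: int) -> List[str]:
    """Human-readable findings: where the module will send requests, plus any port mismatch."""
    servers = parse_pam_radius_conf(conf_text)
    findings = [f"pam_radius_auth will send Access-Requests to {s.host}:{s.port} "
                f"and wait {s.timeout}s for a reply" for s in servers]
    for s in port_mismatches(servers, tested_host, tested_port):
        findings.append(f"PORT MISMATCH: radtest succeeded against {tested_host}:{tested_port} "
                        f"but the module is configured for port {s.port}, which is not the "
                        f"port the server answered on; expect 'failed to respond'")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CONSTRUCTED_CONF, "10.10.150.134", 1812):
        print(finding)
    try:
        for problem in check_secret_file("/etc/pam_radius_auth.conf"):
            print("secret file:", problem)
    except FileNotFoundError:
        print("/etc/pam_radius_auth.conf not present on this host")
```

Run it on the client machine after a successful radtest, passing the host and port radtest used; a PORT MISMATCH finding means the module and radtest are not talking to the same listener, which is worth ruling out before looking at the FreeRADIUS debug output for the SSH attempt.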