<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
The SSH documentation doesnt say anything about using radius or configuring the Radius users file.<br>why would it? that makes no sense.<br><br>The pam_radius_auth documentation, while useful, makes no mention of the radius users file.<br><br>I have not been "careful" to hide or keep anything. I just didn't think the log output was useful<br>but, since I'm new to this, here you go (from the most recent attempt):<br><br>Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?<br>Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Expected end of line or comma<br>Mon Nov 26 11:15:30 2007 : Error: Errors reading /etc/raddb/users<br>Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed. <br>Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1852] Unknown module "files".<br>Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1788] Failed to parse authorize section. <br><br>and here it is from the previous attempt at using "ssh" as a login-service:<br>Mon Nov 26 11:14:54 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?<br>Mon Nov 26 11:14:54 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Unknown value ssh for attribute Logi<br>n-Service<br>Mon Nov 26 11:14:54 2007 : Error: Errors reading /etc/raddb/users<br>Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed. <br>Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1852] Unknown module "files".<br>Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1788] Failed to parse authorize section. <br><br>BTW that is the REAL name of my server, it just happens to be in a test environment. I wanted to keep things simple.<br><br>I will check the dictionary and see how "tcp clear" should be entered.<br>However, your email suggests that this is not the correct avenue to pursue, and as such, I'm lost, again.<br><br>I'm using the base install, and changed only the users file for the radius server config<br>the pam config seemed fairly straight-forward, just add the auth/account lines.<br><br>everything else is straight out of the box, I even used the sample secrets to keep it simple.<br>I want as few variables as possible while testing this.<br><br>here's my pam sshd config anyhow:<br><br>#%PAM-1.0<br>auth requisite pam_nologin.so<br>auth sufficient /lib/security/pam_radius_auth.so debug<br>auth include common-auth<br>account sufficient /lib/security/pam_radius_auth.so<br>account include common-account<br>password sufficient /lib/security/pam_radius_auth.so<br>password include common-password<br>session required pam_loginuid.so<br>session include common-session<br># Enable the following line to get resmgr support for<br># ssh sessions (see /usr/share/doc/packages/resmgr/README)<br>#session optional pam_resmgr.so fake_ttyname<br><br>nothing too exciting<br><br>> Date: Mon, 26 Nov 2007 18:17:33 +0100<br>> From: aland@deployingradius.com<br>> To: freeradius-users@lists.freeradius.org<br>> Subject: Re: local ssh authentication via radius possible?<br>> <br>> Dan Gahlinger wrote:<br>> > it doesn't like my config, even with "TCP Clear"-<br>> > <br>> > testing Cleartext-Password := "callme"<br>> > Service-Type = Login-User,<br>> > Login-Service = TCP Clear,<br>> > Login-IP-Host = testing.mydomain.com<br>> <br>> You have to use the names from the dictionaries. "TCP clear" is two<br>> words, and is not a name from the dictionaries.<br>> <br>> In any case, the PAM RADIUS module doesn't need "TCP Clear". If<br>> you're using something else to do RADIUS authentication, see it's<br>> documentation for what it needs.<br>> <br>> > this is frustrating.<br>> > and i'm not even sure this is correct for SSH?<br>> <br>> Perhaps the SSH documentation says something?<br>> <br>> You've been very careful to not show the output of debugging mode,<br>> either on the server or on the client (if it has one). You've also been<br>> careful to hide which RADIUS client you're using.<br>> <br>> This makes it difficult to help you. You're saying "Hi, I'm using<br>> stuff to login, but it doesn't work. Help me!" Those kind of questions<br>> are content-free, and actively prevent anyone from helping you.<br>> <br>> Alan DeKok.<br>> -<br>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br><br /><hr />Have fun while connecting on Messenger! <a href='http://entertainment.sympatico.msn.ca/WindowsLiveMessenger' target='_new'>Click here to learn more.</a></body>
</html>