<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-15">
</head>
<body bgcolor="#ffffff" text="#000000">
Hello,<br>
<br>
I'm a freeradius beginner and can't get further by my problem for
days - reading a lot of stuff in dokumentation, books and forums on
the net. Using a debian system with freeradius 2.04 and
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 on it - no NAS or other
authenticator is used.<br>
<br>
Installed freeradius - everything works fine. On my XP client I run
NTRadPING with radius secret key, user-name and passwort and get
Access-accept response (by chap, by pap - Auth-Type = System;
Cleartext-Password, Auth-Type := Local ...) <br>
<br>
Now I installed pam package: apt-get install -y libpam-radius-auth.
<br>
make configs (added things are underlined)<br>
<b><br>
/etc/pam_radius_auth.conf:</b><br>
# server[:port] shared_secret timeout (s)<br>
<u>127.0.0.1 secret 2</u><br>
<br>
<b>/etc/freeradius/clients.conf:</b><br>
...<br>
<u>client 110.110.110.0/24 {<br>
secret = secret<br>
shortname = private-net<br>
}</u><br>
...<br>
<br>
<b>/etc/pam.d/sshd</b><br>
# PAM configuration for the Secure Shell service<br>
<br>
# Read environment variables from /etc/environment and<br>
# /etc/security/pam_env.conf.<br>
auth required pam_env.so # [1]<br>
# In Debian 4.0 (etch), locale-related environment variables were
moved to<br>
# /etc/default/locale, so read that as well.<br>
auth required pam_env.so envfile=/etc/default/locale<br>
<br>
# Standard Un*x authentication.<br>
<u>auth sufficient pam_radius_auth.so</u><br>
@include common-auth<br>
<br>
# Disallow non-root logins when /etc/nologin exists.<br>
account required pam_nologin.so<br>
<br>
# Uncomment and edit /etc/security/access.conf if you need to set
complex<br>
# access limits that are hard to express in sshd_config.<br>
# account required pam_access.so<br>
<br>
# Standard Un*x authorization.<br>
@include common-account<br>
<br>
# Standard Un*x session setup and teardown.<br>
@include common-session<br>
<br>
# Print the message of the day upon successful login.<br>
session optional pam_motd.so # [1]<br>
<br>
# Print the status of the user's mailbox upon successful login.<br>
session optional pam_mail.so standard noenv # [1]<br>
<br>
# Set up user limits from /etc/security/limits.conf.<br>
session required pam_limits.so<br>
<br>
# Set up SELinux capabilities (need modified pam)<br>
# session required pam_selinux.so multiple<br>
<br>
# Standard Un*x password updating.<br>
@include common-password<br>
<br>
<br>
<b>/etc/freeradius/users</b><br>
# #<br>
# DEFAULT<br>
# Service-Type = Administrative-User<br>
<br>
# On no match, the user is denied access.<br>
<br>
<br>
<u>"test" Cleartext-Password := "123"<br>
"1user" Cleartext-Password := "1user"<br>
Fall-Through = No<br>
"John" Cleartext-Password := "123"<br>
Reply-Message = "Hello, %{User-Name}"<br>
<br>
"will" Auth-Type = Accept<br>
<br>
"lameuser" Auth-Type := Reject<br>
Reply-Message = "Your account has been disabled."<br>
<br>
"mike" Auth-Type := Local, User-Password := "mike"<br>
<br>
"33user" Auth-Type = System<br>
Reply-Message = "Hello, %{User-Name}! Dein Passwort kommt
aus shadow",<br>
Fall-Through = Yes</u>
<br>
<br>
<br>
<br>
To test secure shell session I took a system account with has no
entries in the freeradius users-file. The user can log in, but
radius-authentication failed.<br>
<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 5572,
id=176, length=89<br>
User-Name = "user"<br>
User-Password =
"j\205[\022\245\343/X\231\330R@\342\324\023="<br>
NAS-IP-Address = 10.10.10.11<br>
NAS-Identifier = "sshd"<br>
NAS-Port = 4547<br>
NAS-Port-Type = Virtual<br>
Service-Type = Authenticate-Only<br>
Calling-Station-Id = "10.10.10.200"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "user", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[unix] returns updated<br>
++[files] returns noop<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
++[pap] returns updated<br>
rad_check_password: Found Auth-Type<br>
auth: type "PAP"<br>
+- entering group PAP<br>
rlm_pap: login attempt with password "j?[?¥ã/X?ØR@âÔ?="<br>
rlm_pap: Using CRYPT encryption.<br>
rlm_pap: <b>Passwords don't match</b><br>
++[pap] returns reject<br>
<b>auth: Failed to validate the user.</b><br>
<b>Login incorrect</b> (rlm_pap: CRYPT password check failed):
[user/j\205[\022\245\343/X\231\330R@\342\324\023=] (from client
localhost port 4547 cli 10.10.10.200)<br>
WARNING: Unprintable characters in the password.
Double-check the shared secret on the server and the NAS!<br>
Found Post-Auth-Type Reject<br>
+- entering group REJECT<br>
expand: %{User-Name} -> user<br>
attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>
Delaying reject of request 3 for 1 seconds<br>
Going to the next request<br>
Waking up in 0.9 seconds.<br>
Sending delayed reject for request 3<br>
Sending Access-Reject of id 176 to 127.0.0.1 port 5572<br>
Waking up in 4.9 seconds.<br>
<br>
<br>
<br>
<br>
<br>
An other example with a non system-account "will" and Auth-Type =
Accept passes radius authentication, but this is not what I want to
have.<br>
<br>
rad_recv: Access-Request packet from host 127.0.0.1 port 5564,
id=142, length=89<br>
User-Name = "will"<br>
User-Password =
"\354-YbQ\367\036\033\034\232\262I\260\327\322\013"<br>
NAS-IP-Address = 10.10.10.11<br>
NAS-Identifier = "sshd"<br>
NAS-Port = 4539<br>
NAS-Port-Type = Virtual<br>
Service-Type = Authenticate-Only<br>
Calling-Station-Id = "10.10.10.200"<br>
+- entering group authorize<br>
++[preprocess] returns ok<br>
++[chap] returns noop<br>
++[mschap] returns noop<br>
rlm_realm: No '@' in User-Name = "will", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
++[suffix] returns noop<br>
rlm_eap: No EAP-Message, not doing EAP<br>
++[eap] returns noop<br>
++[unix] returns notfound<br>
users: Matched entry will at line 212<br>
++[files] returns ok<br>
++[expiration] returns noop<br>
++[logintime] returns noop<br>
rlm_pap: Found existing Auth-Type, not changing it.<br>
++[pap] returns noop<br>
rad_check_password: Found Auth-Type Accept<br>
rad_check_password: Auth-Type = Accept, accepting the user<br>
Login OK: [will/\354-YbQ\367\036\033\034\232\262I\260\327\322\013]
(from client localhost port 4539 cli 10.10.10.200)<br>
+- entering group post-auth<br>
++[exec] returns noop<br>
Sending Access-Accept of id 142 to 127.0.0.1 port 5564<br>
Finished request 2.<br>
Going to the next request<br>
Waking up in 5.0 seconds.<br>
Cleaning up request 2 ID 142 with timestamp +118<br>
Ready to process requests.<br>
<br>
<br>
The shared_secret in clients.conf and pam_radius_auth.conf are the
same, and there are no spaces. perhaps it may be a problem with the
tool puTTy (for manageing ssh-sessions) - here I can't find any
location to place the shared_secret from the two files. But if I had
changed system-authentication instead of sshd, there is the same
problem with the diffrent passwords - and I'm sure they are written
right.<br>
<br>
<br>
Any suggestions? Any hinds are welcome.<br>
<br>
Greets MM<br>
</body>
</html>