What I am trying to set up is as follows:
1. Oracle backend for authenticating SFTP clients (openssh)

What I have done so far:
Set up a second ssh for SFTP only.
Updated the sshd_config to use PAM.
The request comes to AAA and fails as shown in the logs below.
Also note the password shows as "\010\n\r\177INCORRECT".
The sites-enabled default looks like the following:
"
authorize {
    sql
    expiration
    logintime
}
authenticate {

    # I have tried just pam as you have suggested and it still says No-Auth
    Auth-Type PAM {
        pam
    }
}
preacct {
    preprocess
    acct_unique
    suffix
    files
}
accounting {
    detail
    unix
    radutmp
    exec
    attr_filter.accounting_response
}
session {
    radutmp
}
post-auth {
    sql
}
pre-proxy {
}
post-proxy {
}
"
As requested I am attaching the radiusd -X log:
rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=15, length=114
        User-Name = "test"
        User-Password = "\010\n\r\177INCORRECT"
        NAS-IP-Address = Y.Y.Y.Y
        NAS-Identifier = "openssh"
        NAS-Port = 5950
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "somebody"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> test
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='test'
[sql] expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
[sql] User found in group SFTP_Client
[sql] expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 199.106.120.244 port 6975
        Password == "test"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 15 with timestamp +10
Ready to process requests.


On Thu, Feb 17, 2011 at 5:42 PM, Marc Phillips <rmarc@copacetic.net> wrote:
> > Sending Access-Request of id 58 to X.X.X.X port Y
> >         User-Name = "test"
> >         User-Password = "test"
> >         NAS-IP-Address = X.X.X.X
> >         NAS-Port = Y
> >         Framed-Protocol = PPP
> > rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38
> > The freeradius is set up with an oracle db backend.
>
> I had something similar with PAM. What I did is have a user entry like:
>
> DEFAULT Ldap-Group == "mygroup", Auth-Type = pam
>         Reply-Message = "Hello (admin), %{User-Name}",
>         Fall-Through = No
>
> and in my sites-enabled default:
>
> authorize {
>     preprocess
>     auth_log
>     files
>     ldap
> }
>
> authenticate {
>     pam
> }
>
> You'll obviously have some sort of sql auth-type and probably won't
> need the LDAP stuff.
>
> Hope this helps.
>
> R. Marc
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
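The debug output above actually shows two independent problems, and the following script (an added example, not code from this thread, from FreeRADIUS or from OpenSSH) tells them apart when run over a `radiusd -X` capture. The "Unprintable characters in the password" warning is FreeRADIUS's generic heuristic for a shared-secret mismatch, but the specific bytes `\010\n\r\177INCORRECT` are the fixed placeholder that OpenSSH's PAM code substitutes for the typed password when the login name is not a valid local account on the sshd host, so the real password never reached pam_radius and no RADIUS-side change can make that request succeed. The separate "No authenticate method (Auth-Type) found" error is the one Marc's `Auth-Type = pam` entry addresses. The sample logs are constructed from the thread's output (addresses left as placeholders), and the finding keys and `EXPLANATIONS` wording are this example's own.

```python
"""Triage a `radiusd -X` capture for the failure modes seen in this thread.

Added example, not code from the thread or from FreeRADIUS/OpenSSH.  It
decodes the octal escapes FreeRADIUS prints for unprintable bytes in string
attributes and classifies what the first Access-Request shows.  The sample
logs at the bottom are constructed from the thread, with placeholders kept.
"""
import re

# The fixed string OpenSSH (auth-pam.c) hands to PAM in place of the typed
# password when the login name is not a valid local account, so PAM still
# runs and timing does not reveal which names exist.  \010 = BS, \177 = DEL.
OPENSSH_BAD_PASSWORD = "\b\n\r\x7fINCORRECT"

# Finding keys are this example's own naming, not FreeRADIUS terminology.
EXPLANATIONS = {
    "openssh-invalid-user": "sshd found no local account for the user; the real password was replaced before PAM ran",
    "shared-secret-mismatch": "User-Password decrypted to garbage; the NAS and server shared secrets differ",
    "no-auth-type": "nothing in authorize set Auth-Type, so the authenticate section was never entered",
    "user-password-as-check-item": "radcheck stores a User-Password check item; rlm_pap expects Cleartext-Password",
}

_ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+)\s*=\s*(.*)$")
_OCTAL_RE = re.compile(r"[0-7]{3}")
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\", '"': '"'}


def unescape_radius_string(s):
    """Undo the escaping radiusd -X applies when printing string attributes."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            m = _OCTAL_RE.match(s, i + 1)
            if m:                                   # \ooo octal byte
                out.append(chr(int(m.group(0), 8)))
                i = m.end()
                continue
            if s[i + 1] in _SIMPLE:                 # \n \r \t \\ \"
                out.append(_SIMPLE[s[i + 1]])
                i += 2
                continue
        out.append(s[i])
        i += 1
    return "".join(out)


def parse_debug_log(text):
    """Return the attributes of the first Access-Request and all ERROR/WARNING lines."""
    attrs, messages, in_request = {}, [], False
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_request = True
            continue
        if in_request:
            m = _ATTR_RE.match(line)
            if m:
                name, raw = m.group(1), m.group(2).strip()
                if len(raw) >= 2 and raw[0] == raw[-1] == '"':
                    raw = unescape_radius_string(raw[1:-1])
                attrs.setdefault(name, raw)         # keep the first packet's values
                continue
            in_request = False                      # first non-attribute line ends the dump
        if line.startswith(("ERROR:", "WARNING:")):
            messages.append(line)
    return attrs, messages


def triage(text):
    """Classify a debug capture; returns a list of finding keys (see EXPLANATIONS)."""
    attrs, messages = parse_debug_log(text)
    findings = []
    pw = attrs.get("User-Password")
    if pw == OPENSSH_BAD_PASSWORD:
        findings.append("openssh-invalid-user")
    elif pw is not None and not pw.isprintable():   # any control/garbage byte
        findings.append("shared-secret-mismatch")
    if any("No authenticate method (Auth-Type) found" in m for m in messages):
        findings.append("no-auth-type")
    if any("Found User-Password ==" in m for m in messages):
        findings.append("user-password-as-check-item")
    return findings


# Constructed from the thread's radiusd -X output (abridged).
SAMPLE_THREAD = r"""rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=15, length=114
        User-Name = "test"
        User-Password = "\010\n\r\177INCORRECT"
        NAS-IP-Address = Y.Y.Y.Y
        NAS-Identifier = "openssh"
        Service-Type = Authenticate-Only
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
++[sql] returns ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
"""

# Constructed: same NAS, but the shared secret was mistyped on one side.
SAMPLE_BAD_SECRET = r"""rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=16, length=114
        User-Name = "test"
        User-Password = "\001\317x\212"
        NAS-Identifier = "openssh"
++[sql] returns ok
"""

# Constructed: the password arrived intact, nothing to report.
SAMPLE_OK = r"""rad_recv: Access-Request packet from host X.X.X.X port 1812, id=58, length=60
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = X.X.X.X
++[sql] returns ok
"""

if __name__ == "__main__":
    for label, log in (("thread", SAMPLE_THREAD), ("bad secret", SAMPLE_BAD_SECRET), ("ok", SAMPLE_OK)):
        keys = triage(log)
        print(label + ":", "; ".join(EXPLANATIONS[k] for k in keys) or "no problem detected")
```

Run it as `python3 triage.py` against the embedded samples, or feed `parse_debug_log` the text of a real capture. The ordering of the `User-Password` checks matters: the OpenSSH placeholder is itself unprintable, so it has to be matched exactly before the generic shared-secret heuristic fires, otherwise the capture would be misread as a secret mismatch, which is exactly the misdirection the FreeRADIUS warning produced in this thread.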