On Jun 16, 2021, at 7:13 PM, Mark J. Bobak <mark@bobak.net> wrote:
So, my new server is running Ubuntu 20.04 and using the NetworkRadius packages to install freeradius 3.0.23. I have also installed libpam-google-authenticatior, and integrated it according to these steps: https://networkjutsu.com/freeradius-google-authenticator/
3.0.23 includes a TOTP module. Which means you can out the TOTP secrets into a database, or pretty much anywhere else you want. And you don't need to use PAM. And, that users don't need to have login accounts.
This seems to have worked fine. I was running freeradius manually, with debug (-X) enabled, and everything seemed to be working fine. sudo /usr/sbin/freeradius -X
i.e. as root.
So, I killed freeradius (CTRL-C), and tried: sudo service freeradius start It started up fine.
And runs as user "radiusd".
But, now when I try authenticating (using radtest): radtest mbobak redacted123456 localhost:1812 0 'redacted'
I get Access-Rejected Looking at the log file, /var/log/freeradius/radius.log, I see: Wed Jun 16 22:42:54 2021 : Info: Ready to process requests Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: PAM conversation failed Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: Error "Read-only file system" while writing config
That seems rather crazy, TBH. PAM shouldn't be writing *anything* during the normal course of operations.
But, even though it's reporting a read-only filesystem error, I'm thinking it could be a permission problem on some file?
Yes. User "radiusd" doesn't have permission to write the files.
But, I'm really baffled by the system working when I run freeradius manually, but only errors when I run it from the service.
User "root" has permission to write the files. You'll have to find out which file / directory is the problem, and then change the permissions. I'm sure that information is buried somewhere in the PAM documentation. It's outside of the scope of FreeRADIUS. Alan DeKok.