I'm not fighting you at all. All of your answers previously were "read the documentation, it's there". well, it's not. definitely not. the pam_radius_auth link you gave me states: In the per-application configuration add: auth sufficient /lib/security/pam_radius_auth.so AFTER auth sufficient /lib/security/pam_securetty.so and BEFORE: auth required /lib/security/pam_unix_auth.so take a look at my config - /etc/pam.d/sshd #%PAM-1.0 auth requisite pam_nologin.so auth sufficient /lib/security/pam_radius_auth.so debug auth include common-auth account sufficient /lib/security/pam_radius_auth.so account include common-account password include common-password session required pam_loginuid.so session include common-session # Enable the following line to get resmgr support for # ssh sessions (see /usr/share/doc/packages/resmgr/README) #session optional pam_resmgr.so fake_ttyname pam_securetty is never referenced, except in /etc/pam.d/login so should it be in sshd or login, or both? it doesn't seem to make any difference. a "Default" radiusd install with NO changes (except server file as follows: 127.0.0.1 testing123 3 users in password file can login, but it doesn't seem to be using radius. the documentation for pam is as clear as mud. did it mean to modify the login file like this: #%PAM-1.0 auth requisite pam_nologin.so auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so auth sufficient /lib/security/pam_radius_auth.so debug auth include common-auth account include common-account password include common-password session required pam_loginuid.so session include common-session session required pam_lastlog.so nowtmp session required pam_resmgr.so session optional pam_mail.so standard session optional pam_ck_connector.so because that doesnt make any difference either. same result as with just sshd above I now have a "vanilla" radiusd config (with the one change to server file above), and trying to figure out the pam config. the documentation also states: "The pam configuration can be:" ... auth sufficient /lib/security/pam_radius_auth.so [options] ... account sufficient /lib/security/pam_radius_auth.so which is the first time the account directive is mentioned. so you now have my entire config, back to basics, trying to figure out the pam stuff... logins work, but they're not using radius. and there's nothing in the logs. even with "debug" option specified. Dan.
Date: Mon, 26 Nov 2007 21:51:34 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: local ssh authentication via radius possible?
Dan Gahlinger wrote:
I don't understand most of what you said here. Hence my problem.
The problem is that you're trying to configure 4-5 separate things at the same time, without understanding how most of them work. As a result, you're frustrated, and not making progress.
Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
and nothing else. No other logs anywhere, not even a failed "ssh" log in messages, warn, etc.
i.e. PAM isn't using RADIUS for authentication. Fix that. Read the PAM documentation.
we need a regular user using SSH client such as SecureCRT, or Putty, etc without modification, to login via SSH to a linux server, and have the server use Radius for authentication.
These are "local" users with shell access. The radius would be local. So instead of using the local password file, we want to use Radius.
That will work, but they will need a uid/gid etc. in /etc/passwd.
Using everything in the defaults without changing the user file doesn't make sense, because that's what we want to use for authentication, only, in our case, it'd be on a central server instead of local, but I want to get local testing working first, just to make sure I understand it all.
Which is why I said to use the defaults. If you don't know what it's doing, then DON'T CHANGE ANTYTHING. The default configuration WORKS. Every change you've made has broken it.
at this point, I don't understand any of it, and yelling at me for doing the wrong things isn't helping.
No, I'm telling you that making random changes won't work. I'm telling you that making changes that aren't recommended in the documentation is not a good idea. I'm telling you that reading the documentation and following it's recommendations is a good idea.
you've seen my configuration files. I don't know how it should work, because I have no idea how it should look.
They should look like the samples. It's not hard.
I'd appreciate a little bit of help here, some hints, some sample configs, would really really help.
The sample configurations work.
However, it's clear that for whatever reason, SSH isn't using PAM, *or*, PAM isn't using the pam_radius_auth module, *or* the pam_radius_auth module isn't configured to use the correct RADIUS server.
As a result, the RADIUS server isn't receiving login requests. As a result of that, no amount of fighting with the RADIUS configuration will help. So all of the time you put into configuring "Login-Server" was wasted.
I mean, if it's even possible to do what we're trying to do.
Yes.
I will also note that I asked a number of questions in my last message, and you haven't answered any of them. Either you didn't understand them, or you don't think they're important.
Part of the reason this is so difficult for you is that you are fighting every attempt by anyone to help you. You're stuck on one particular mind-set that is preventing anyone from helping you, and preventing you from solving the problem. Until you give up that mindset, and let people help you, you won't solve the problem. You'll only get more and more frustrated.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Send a smile, make someone laugh, have some fun! Start now! http://www.freemessengeremoticons.ca/?icid=EMENCA122