Hi,

 

I was trying to find a PAM-Radius mailing list and it seems that this is the best one.

 

A Ubuntu 7.4 box needs to be configured such that SSH users will be authenticated against an external FreeRadius server. FreeRadius server version is 1.1.7-1build4. The Ubuntu box uses OpenSSH 4.3-p2 and /etc/ssh/sshd_config is set to “UsePAM yes”. I downloaded PAM_Radius 1.3.17.

 

Below is the procedure that I use Radius to authenticate a user in /etc/passwd (/etc/shadow doesn’t have the password for that user).

1.       FreeRadius server configures its clients.conf and user file to include a new user called “test1”.

2.       On my Ubuntu 7.4 box, add a user with command “useradd” to add a user “test1” but don’t set a password. So the user “test1” on the Ubuntu box will be inactive.

3.       Configure /etc/pam.d/ssh on the Ubuntu box to use “auth sufficient pam_radius_auth.so”

4.       Also update the /etc/raddb/server on the Ubuntu box to point to the remote Radius server IP.

5.       Try ssh test1@ubuntu box and it worked. Also monitored the Free Radius logging and it did show that the Access-Request packets went to Radius server.

 

So step 1-5 worked well for me. Note that at step 2, the user account to be authenticated is added to /etc/passwd.

 

The issue is: if step 2 is omitted, SSH login will fail. ACCESS_REQUEST packets with INCORRECT password were even sent to the Radius server. Further troubleshooting showed that PAM_Radius module got a bad password from PAM.

 

I did some research from the website and some emails dated in 2006 said that PAM_Radius can only authenticate user accounts in /etc/passwd file. Is that right?

 

Many thanks in advance,

Feng