What I am trying to setup is as follows 1. Oracle Backend for Authenticating SFTP Clients( openssh ) What I have done so far Setup a second ssh for the SFTP only Updated the sshd_config for using PAM. Request comes to AAA and fails as shown in the logs below. Also note teh password shows as *"\010\n\r\177INCORRECT"* The sites-enabled default looks like the following " authorize { sql expiration logintime } authenticate { # I have tried just pam as you have suggested and it still says No-Auth Auth-Type PAM { pam } } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp exec attr_filter.accounting_response } session { radutmp } post-auth { sql } pre-proxy { } post-proxy { } " As requested I am attaching the radiusd -X log rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=15, length=114 User-Name = "test" *User-Password = "\010\n\r\177INCORRECT"* NAS-IP-Address = Y.Y.Y.Y NAS-Identifier = "openssh" NAS-Port = 5950 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "somebody" # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user -->test rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='test' [sql] expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id [sql] User found in group SFTP_Client [sql] expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 15 to 199.106.120.244 port 6975 Password == "test" Waking up in 4.9 seconds. Cleaning up request 0 ID 15 with timestamp +10 Ready to process requests. On Thu, Feb 17, 2011 at 5:42 PM, Marc Phillips <rmarc@copacetic.net> wrote:
Sending Access-Request of id 58 to X.X.X.X port Y User-Name = "test" User-Password = "test" NAS-IP-Address = X.X.X.X NAS-Port = Y Framed-Protocol = PPP rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38 The freeradius is setup with an oracle db backend.
I had something similar with PAM. What I did is have a user entry like:
DEFAULT Ldap-Group == "mygroup", Auth-Type = pam Reply-Message = "Hello (admin), %{User-Name}", Fall-Through = No
and in my sites-enabled default:
authorize { preprocess auth_log files ldap }
authenticate { pam }
You'll obviously have some sort of sql auth-type and probably won't need the LDAP stuff.
Hope this helps.
R. Marc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html