What I am trying to setup is as follows
1. Oracle Backend for Authenticating SFTP Clients( openssh )

What I have done so far
Setup a  second ssh for the SFTP only
Updated the sshd_config for using PAM.
Request comes to AAA and fails as shown in the logs below.
Also note teh password shows as "\010\n\r\177INCORRECT"
The sites-enabled default looks like the following
"
authorize {
       sql
       expiration
       logintime
}
authenticate {

       # I have tried just pam as you have suggested and it still says No-Auth
        Auth-Type PAM {
                pam
        }
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        sql
}
pre-proxy {
}
post-proxy {
}
"
As requested I am attaching the radiusd -X log
rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=15, length=114
        User-Name = "test"
        User-Password = "\010\n\r\177INCORRECT"
        NAS-IP-Address = Y.Y.Y.Y
        NAS-Identifier = "openssh"
        NAS-Port = 5950
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "somebody"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user -->test
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql]   expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='test'
[sql]   expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
[sql] User found in group SFTP_Client
[sql]   expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.        Double-check the shared secret on the server and the NAS!
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 199.106.120.244 port 6975
        Password == "test"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 15 with timestamp +10
Ready to process requests.


On Thu, Feb 17, 2011 at 5:42 PM, Marc Phillips <rmarc@copacetic.net> wrote:
> Sending Access-Request of id 58 to X.X.X.X port Y
>         User-Name = "test"
>         User-Password = "test"
>         NAS-IP-Address = X.X.X.X
>         NAS-Port = Y
>         Framed-Protocol = PPP
> rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38
> The freeradius is setup with an oracle db backend.

I had something similar with PAM.  What I did is have a user entry like:

DEFAULT Ldap-Group == "mygroup", Auth-Type = pam
       Reply-Message = "Hello (admin), %{User-Name}",
       Fall-Through = No

and in my sites-enabled default:

authorize {
       preprocess
       auth_log
       files
       ldap
}

authenticate {
       pam
}

You'll obviously have some sort of sql auth-type and probably won't
need the LDAP stuff.

Hope this helps.

R. Marc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html