What I am trying to setup is as follows
1. Oracle Backend for Authenticating SFTP Clients( openssh )
What I have done so far
Setup a second ssh for the SFTP only
Updated the sshd_config for using PAM.
Request comes to AAA and fails as shown in the logs below.
Also note teh password shows as "\010\n\r\177INCORRECT"
The sites-enabled default looks like the following
"
authorize {
sql
expiration
logintime
}
authenticate {
# I have tried just pam as you have suggested and it still says No-Auth
Auth-Type PAM {
pam
}
}
preacct {
preprocess
acct_unique
suffix
files
}
accounting {
detail
unix
radutmp
exec
attr_filter.accounting_response
}
session {
radutmp
}
post-auth {
sql
}
pre-proxy {
}
post-proxy {
}
"
As requested I am attaching the radiusd -X log
rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=15, length=114
User-Name = "test"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = Y.Y.Y.Y
NAS-Identifier = "openssh"
NAS-Port = 5950
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "somebody"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user -->test
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='test'
[sql] expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
[sql] User found in group SFTP_Client
[sql] expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 199.106.120.244 port 6975
Password == "test"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 15 with timestamp +10
Ready to process requests.
> Sending Access-Request of id 58 to X.X.X.X port YI had something similar with PAM. What I did is have a user entry like:
> User-Name = "test"
> User-Password = "test"
> NAS-IP-Address = X.X.X.X
> NAS-Port = Y
> Framed-Protocol = PPP
> rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38
> The freeradius is setup with an oracle db backend.
DEFAULT Ldap-Group == "mygroup", Auth-Type = pam
Reply-Message = "Hello (admin), %{User-Name}",
Fall-Through = No
and in my sites-enabled default:
authorize {
preprocess
auth_log
files
ldap
}
authenticate {
pam
}
You'll obviously have some sort of sql auth-type and probably won't
need the LDAP stuff.
Hope this helps.
R. Marc
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html