SSH - No authenticate method (Auth-Type)
Hi All, I am a newbie to freeradius world. I am using freeradius 2.1.10 for authorization and authentication. My authorization works Sending Access-Request of id 58 to X.X.X.X port Y User-Name = "test" User-Password = "test" NAS-IP-Address = X.X.X.X NAS-Port = Y Framed-Protocol = PPP rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38 The freeradius is setup with an oracle db backend. I would like to use the freeradius for my SSH. I have read some online blogs and setup my SSH with PAM. When I establish an SSH Session to the host and this is what I see in the logs. ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. If I am using the oracle DB(sql) to perform authorization and it works what needs to be done to use the same oracle DB(sql maybe other tables) for authentication. Need your help or guidance with some links/documentation on how to set SSH+ Freeradius Thanks JK
Sending Access-Request of id 58 to X.X.X.X port Y User-Name = "test" User-Password = "test" NAS-IP-Address = X.X.X.X NAS-Port = Y Framed-Protocol = PPP rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38 The freeradius is setup with an oracle db backend.
I had something similar with PAM. What I did is have a user entry like: DEFAULT Ldap-Group == "mygroup", Auth-Type = pam Reply-Message = "Hello (admin), %{User-Name}", Fall-Through = No and in my sites-enabled default: authorize { preprocess auth_log files ldap } authenticate { pam } You'll obviously have some sort of sql auth-type and probably won't need the LDAP stuff. Hope this helps. R. Marc
Thanks Marc, I am trying to use the Freeradius for authentication and authorization of SSH users with the oracle backend. Not sure how I need to use the below info in my setup. Problems of being a newbie. On Thu, Feb 17, 2011 at 5:42 PM, Marc Phillips <rmarc@copacetic.net> wrote:
Sending Access-Request of id 58 to X.X.X.X port Y User-Name = "test" User-Password = "test" NAS-IP-Address = X.X.X.X NAS-Port = Y Framed-Protocol = PPP rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38 The freeradius is setup with an oracle db backend.
I had something similar with PAM. What I did is have a user entry like:
DEFAULT Ldap-Group == "mygroup", Auth-Type = pam Reply-Message = "Hello (admin), %{User-Name}", Fall-Through = No
and in my sites-enabled default:
authorize { preprocess auth_log files ldap }
authenticate { pam }
You'll obviously have some sort of sql auth-type and probably won't need the LDAP stuff.
Hope this helps.
R. Marc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
What I am trying to setup is as follows 1. Oracle Backend for Authenticating SFTP Clients( openssh ) What I have done so far Setup a second ssh for the SFTP only Updated the sshd_config for using PAM. Request comes to AAA and fails as shown in the logs below. Also note teh password shows as *"\010\n\r\177INCORRECT"* The sites-enabled default looks like the following " authorize { sql expiration logintime } authenticate { # I have tried just pam as you have suggested and it still says No-Auth Auth-Type PAM { pam } } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp exec attr_filter.accounting_response } session { radutmp } post-auth { sql } pre-proxy { } post-proxy { } " As requested I am attaching the radiusd -X log rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=15, length=114 User-Name = "test" *User-Password = "\010\n\r\177INCORRECT"* NAS-IP-Address = Y.Y.Y.Y NAS-Identifier = "openssh" NAS-Port = 5950 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "somebody" # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user -->test rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id WARNING: Found User-Password == "...". WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='test' [sql] expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id [sql] User found in group SFTP_Client [sql] expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 15 to 199.106.120.244 port 6975 Password == "test" Waking up in 4.9 seconds. Cleaning up request 0 ID 15 with timestamp +10 Ready to process requests. On Thu, Feb 17, 2011 at 5:42 PM, Marc Phillips <rmarc@copacetic.net> wrote:
Sending Access-Request of id 58 to X.X.X.X port Y User-Name = "test" User-Password = "test" NAS-IP-Address = X.X.X.X NAS-Port = Y Framed-Protocol = PPP rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38 The freeradius is setup with an oracle db backend.
I had something similar with PAM. What I did is have a user entry like:
DEFAULT Ldap-Group == "mygroup", Auth-Type = pam Reply-Message = "Hello (admin), %{User-Name}", Fall-Through = No
and in my sites-enabled default:
authorize { preprocess auth_log files ldap }
authenticate { pam }
You'll obviously have some sort of sql auth-type and probably won't need the LDAP stuff.
Hope this helps.
R. Marc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jaikanth Krishnaswamy wrote:
Setup a second ssh for the SFTP only Updated the sshd_config for using PAM. Request comes to AAA and fails as shown in the logs below. Also note teh password shows as *"\010\n\r\177INCORRECT"*
SSH has replaced the password with that text. There is *nothing* you can do to FreeRADIUS that will fix the problem. Go fix the PAM configuration on the client machine so that it doesn't destroy the password entered by the user. Alan DeKok.
On 18/02/11 01:03, Jaikanth Krishnaswamy wrote:
Hi All, I am a newbie to freeradius world. I am using freeradius 2.1.10 for authorization and authentication. My authorization works Sending Access-Request of id 58 to X.X.X.X port Y User-Name = "test" User-Password = "test" NAS-IP-Address = X.X.X.X NAS-Port = Y Framed-Protocol = PPP rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38 The freeradius is setup with an oracle db backend.
The basic step is to have the Oracle database return: username Cleartext-Password := thepassword ...and have: authorize { ... pap } authenticate { Auth-Type PAP { pap } } If you can't get it working, send the full debug output as the docs request: radiusd -X | tee log
participants (4)
-
Alan DeKok -
Jaikanth Krishnaswamy -
Marc Phillips -
Phil Mayers