Re: Question on pam_radius_auth module getting INCORRECT
Hi Alan, I took out all the pam modules from my auth stack in /etc/pam/sshd except for pam_radius_auth. The problem didn't go away. I am not using SElinux either. One interesting thing I noticed is that first login attempt always fails due to this problem. But the second attempt after restarting the ssh session then it succeeds. This makes me wonder if somehow the password was stored on the first try and correctly retrieved on the second try. But I have no clue what happened. David
------------------------------
Message: 2 Date: Mon, 14 Apr 2014 20:53:52 -0400 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: Question on pam_radius_auth module getting INCORRECT password Message-ID: <534C8320.8010907@deployingradius.com> Content-Type: text/plain; charset=UTF-8
David Li wrote:
I am new to this. Please let me know if there is a better list to post this question.
It's an OK list.
I have been trying to track down a wired problem. When a user is logging via ssh, the pam_radius_auth module would try to retrieve the password and send it to the radius server. But the password returned by the rad_converse() function is INCORRECT.
I have done some searching and found suggestions that there might be something wrong with "other" module that is doing the password checking.
My real question is how I can find out which module is the culprit.
It should be simple. Look at the pam ssh file, and see which modules it's using. Then, delete them one by one until it works.
But largely this is a PAM issue. I know very little about PAM, even after spending time reading the docs and programming it.
Alan DeKok.
------------------------------
David Li wrote:
I took out all the pam modules from my auth stack in /etc/pam/sshd except for pam_radius_auth. The problem didn't go away. I am not using SElinux either.
I don't know. PAM is... weird. It makes RADIUS look sane and pretty.
One interesting thing I noticed is that first login attempt always fails due to this problem. But the second attempt after restarting the ssh session then it succeeds. This makes me wonder if somehow the password was stored on the first try and correctly retrieved on the second try. But I have no clue what happened.
Ask the PAM people. I don't know much about it myself, sorry. Alan DeKok.
participants (2)
-
Alan DeKok -
David Li