libpam-radius-auth password problem
I am trying to configure a linux machine (Ubuntu 8.04 alpha, 32 bit) with radius authentication using libpam-radius-auth. I installed freeradius-2.0.3 (from selfbuilded deb package) on the same machine and added this line at the top of users file: testuser Cleartext-Password := "testing" Then I installed libpam-radius-auth 1.3.17-0ubuntu1 from the ubuntu repositories. I added the radius entry in /etc/pam.d/sshd: [...] auth required pam_env.so envfile=/etc/default/locale auth sufficient pam_radius_auth.so debug # Standard Un*x authentication. @include common-auth [...] and this on pam_radius_auth.conf: # server[:port] shared_secret timeout (s) 127.0.0.1 testing123 1 When I try to authenticate with ssh into the machine I noticed that freeradius receive this password "\010\n\r\177INCORRECT", that it's not the one I typed. This is the output of auth.log: Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: Got user name testuser Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: Sending RADIUS request code 1 Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1211761632. Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: All RADIUS servers failed to respond. Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: authentication failed Mar 18 18:06:00 test sshd[2533]: pam_unix(sshd:auth): check pass; user unknown Mar 18 18:06:00 test sshd[2533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fabio-mac.local Mar 18 18:06:02 test sshd[2533]: Failed password for invalid user testuser from 10.33.4.8 port 57680 ssh2 This is the output of freeradius -X rad_recv: Access-Request packet from host 127.0.0.1 port 3558, id=65, length=93 User-Name = "testuser" User-Password = "\010\n\r\177INCORRECT" NAS-IP-Address = 127.0.1.1 NAS-Identifier = "sshd" NAS-Port = 2533 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "fabio-mac.local" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound users: Matched entry testuser at line 50 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "? INCORRECT" rlm_pap: Using clear text password "testing" rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [testuser/\010\n\r\177INCORRECT] (from client localhost port 2533 cli fabio-mac.local) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 65 to 127.0.0.1 port 3558 Waking up in 4.9 seconds. Cleaning up request 2 ID 65 with timestamp +135 Ready to process requests. Testig with radtest works fine. I noticed a similar problem some time ago, that seemed to be related to 64 bit machines: http://lists.cistron.nl/pipermail/freeradius-users/2006-August/055877.html However I am using a 32 bit machine on an updated system. Where could be the problem? Thanks, Fabio
Fabio Pedretti wrote:
When I try to authenticate with ssh into the machine I noticed that freeradius receive this password "\010\n\r\177INCORRECT", that it's not the one I typed.
That's a PAM problem. There's little you can do to RADIUS to fix that. I suggest asking on a PAM list. Alan DeKok.
Citando Alan DeKok <aland@deployingradius.com>:
Fabio Pedretti wrote:
When I try to authenticate with ssh into the machine I noticed that freeradius receive this password "\010\n\r\177INCORRECT", that it's not the one I typed.
That's a PAM problem. There's little you can do to RADIUS to fix that.
It appears that this error is get when users are not already on the machine. The libpam-radius-auth plugin is powerful but has the limit that users have to be previously created on the machine and this is not practical when you have thousand of users that could access to the machine (e.g. universities informatic laboratories). A similar plugin for Windows (pGina + RADIUS plugin) is able to automatically create the users after first succesful authentication. Would be nice if a future version will be able to also create users - what a "useradd myuser" would do - after first succesful authentication. Fabio
Fabio Pedretti wrote:
It appears that this error is get when users are not already on the machine.
Yes, it's a PAM problem.
The libpam-radius-auth plugin is powerful but has the limit that users have to be previously created on the machine and this is not practical when you have thousand of users that could access to the machine (e.g. universities informatic laboratories). A similar plugin for Windows (pGina + RADIUS plugin) is able to automatically create the users after first succesful authentication.
Because Windows has a different API.
Would be nice if a future version will be able to also create users - what a "useradd myuser" would do - after first succesful authentication.
Sure. Send a patch. Alan DeKok.
participants (2)
-
Alan DeKok -
Fabio Pedretti