How to do FreeRADIUS understand the ssh encrypted password that is passed?
Hello all. It is me again. Sorry for that. I have my enviroment working fine for telnet access, my FreeRADIUS server is doing the user search on LDAP with no problem but, when I use any ssh session is passed a encryped password that RADIUS try to use with LDAP database, found the user but the password is considered wrong and regect my access. I searched for configuration and what I saw it is very similar whith I have here. The unic diference is that I am using a EdgeRouter Lite but I am folling the documentation and using the GUI tool. Can any one help me? Best regards. -- Atenciosamente, Kalil de A. Carvalho
On Jul 27, 2017, at 1:22 PM, Kalil de A. Carvalho <kalilac@gmail.com> wrote:
I have my enviroment working fine for telnet access, my FreeRADIUS server is doing the user search on LDAP with no problem but, when I use any ssh session is passed a encryped password that RADIUS
What does that mean? It's almost always best to post the actual debug output. That is much clearer than vague descriptions.
try to use with LDAP database, found the user but the password is considered wrong and regect my access.
My *guess* is that the SSH session is set up to use PAM. And that PAM is mangling to the password to "invalid" or some such string. Again, reading the debug output would show you this.
I searched for configuration and what I saw it is very similar whith I have here. The unic diference is that I am using a EdgeRouter Lite but I am folling the documentation and using the GUI tool.
Can any one help me?
Post the debug output as suggested in the "man" page, FAQ, web pages, and daily on this list. Alan DeKok.
Hello Alan. Thanks for your replay. Here the parts of debug output that it is important, I think: "My *guess* is that the SSH session is set up to use PAM. And that PAM is mangling to the password to "invalid" or some such string." <- you ware right! Received Access-Request Id 51 from IP_SOURCE:10722 to SERVER_RADIUS:1812 length 89 User-Name = 'bo01' User-Password = '\010\n\r\177INCORRECT' NAS-IP-Address = 127.0.1.1 NAS-Identifier = 'sshd' NAS-Port = 9697 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = 'CLIENT_TEST' Here is just show that the ldap search is working fine: User found. Comparison between membership: name (resolved from DN), check: name Here is the resolt of password confrontation: (2) ERROR: ldap : Bind credentials incorrect: Invalid credentials (2) ERROR: ldap : Server said: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1. Best regards, On Thu, Jul 27, 2017 at 2:55 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jul 27, 2017, at 1:22 PM, Kalil de A. Carvalho <kalilac@gmail.com> wrote:
I have my enviroment working fine for telnet access, my FreeRADIUS server is doing the user search on LDAP with no problem but, when I use any ssh session is passed a encryped password that RADIUS
What does that mean?
It's almost always best to post the actual debug output. That is much clearer than vague descriptions.
try to use with LDAP database, found the user but the password is considered wrong and regect my access.
My *guess* is that the SSH session is set up to use PAM. And that PAM is mangling to the password to "invalid" or some such string.
Again, reading the debug output would show you this.
I searched for configuration and what I saw it is very similar whith I have here. The unic diference is that I am using a EdgeRouter Lite but I am folling the documentation and using the GUI tool.
Can any one help me?
Post the debug output as suggested in the "man" page, FAQ, web pages, and daily on this list.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
-- Atenciosamente, Kalil de A. Carvalho
On Jul 27, 2017, at 3:27 PM, Kalil de A. Carvalho <kalilac@gmail.com> wrote:
Here the parts of debug output that it is important, I think:
Yes.
"My *guess* is that the SSH session is set up to use PAM. And that PAM is mangling to the password to "invalid" or some such string." <- you ware right!
Received Access-Request Id 51 from IP_SOURCE:10722 to SERVER_RADIUS:1812 length 89 User-Name = 'bo01' User-Password = '\010\n\r\177INCORRECT'
As I said. The problem is in PAM. No amount of poking FreeRADIUS will make it work. One of the other PAM modules is failing to find the user locally, and is mangling the password to "INCORRECT". PAM *requires* that users have local accounts. i.e. UID, GID, shell, etc. PAM *cannot* authenticate users who don't have local accounts. PAM is only for doing remote password checks. Not for remotely creating users. Alan DeKok.
participants (2)
-
Alan DeKok -
Kalil de A. Carvalho