exec module bash script authentication
Dear All, I am new at freeradius (2.1.4) I am using sql authentication with mysql successfuly and I want to add second authentication via bash. (if sql authentication fail then check bash authentication) I added file (bashauth) to module directory exec bashauth { wait = yes program = "/usr/local/bin/bash /bin/radcheck %{User-Name} %{User-Password}" input_pairs = request output_pairs = reply shell_escape = yes } then I modified sites-enabled/default authorize { ... bashouth pap } authenticate { Auth-Type BASHAUTH { bashauth } ... } but I cant authenticate user via bash script radiusd -X output is below. [bashauth] expand: %{User-Name} -> a [bashauth] expand: %{User-Password} -> a Exec-Program output: Exec-Program: returned: 0 ++[bashauth] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. What must I do for solving problem? Thanks for your help, Ahmet
Ahmet Hakan wrote:
I am new at freeradius (2.1.4)
I'd suggest upgrading, but whatever...
I am using sql authentication with mysql successfuly and I want to add second authentication via bash. (if sql authentication fail then check bash authentication)
That's usually bad practice. An authentication reject is a reject. Trying *another* method is usually wrong. Instead, figure out which method is supposed to be used, and use that. Also, using the "exec" functionality will slow the server down. Especially under load.
I added file (bashauth) to module directory
exec bashauth { wait = yes program = "/usr/local/bin/bash /bin/radcheck %{User-Name} %{User-Password}"
Huh? Why "/usr/local/bin/bash /bin/radcheck" ? Why not just run radcheck directly? And that exposes the password to anyone running "ps".
then I modified sites-enabled/default
authorize { ... bashouth
Why are you listing it in the "authorize" section?
but I cant authenticate user via bash script
radiusd -X output is below.
[bashauth] expand: %{User-Name} -> a [bashauth] expand: %{User-Password} -> a Exec-Program output: Exec-Program: returned: 0 ++[bashauth] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user.
The above message is fairly clear. Perhaps you could try setting Auth-Type := bashauth. Alan DeKok.
Alan DeKok wrote:
I am using sql authentication with mysql successfuly and I want to add second authentication via bash. (if sql authentication fail then check bash authentication)
That's usually bad practice. An authentication reject is a reject. Trying *another* method is usually wrong. Instead, figure out which method is supposed to be used, and use that.
I have separate databases; mysql, ldap and Microsoft SQL so I need multiple authentication. is multiple authentication possible in freeradius? if yes, how?
I added file (bashauth) to module directory
exec bashauth { wait = yes program = "/usr/local/bin/bash /bin/radcheck %{User-Name} %{User-Password}"
Huh? Why "/usr/local/bin/bash /bin/radcheck" ? Why not just run radcheck directly?
And that exposes the password to anyone running "ps".
I corrected. Server is single user system no another users exist.
Perhaps you could try setting Auth-Type := bashauth.
Which section must I define this setting? I defined it in users file, DEFAULT Auth-Type := "bashauth" but it overrides mysql authentication. Best Regards, Ahmet Hakan
Ahmet Hakan wrote:
I am new at freeradius (2.1.4)
I'd suggest upgrading, but whatever...
I am using sql authentication with mysql successfuly and I want to add second authentication via bash. (if sql authentication fail then check bash authentication)
That's usually bad practice. An authentication reject is a reject. Trying *another* method is usually wrong. Instead, figure out which method is supposed to be used, and use that.
Also, using the "exec" functionality will slow the server down. Especially under load.
I added file (bashauth) to module directory
exec bashauth { wait = yes program = "/usr/local/bin/bash /bin/radcheck %{User-Name} %{User-Password}"
Huh? Why "/usr/local/bin/bash /bin/radcheck" ? Why not just run radcheck directly?
And that exposes the password to anyone running "ps".
then I modified sites-enabled/default
authorize { ... bashouth
Why are you listing it in the "authorize" section?
but I cant authenticate user via bash script
radiusd -X output is below.
[bashauth] expand: %{User-Name} -> a [bashauth] expand: %{User-Password} -> a Exec-Program output: Exec-Program: returned: 0 ++[bashauth] returns ok [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user.
The above message is fairly clear.
Perhaps you could try setting Auth-Type := bashauth.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ahmet Hakan wrote:
I have separate databases; mysql, ldap and Microsoft SQL so I need multiple authentication.
No. Databases store data. They do NOT do authentication. FreeRADIUS is an authentication server. It pulls information from a database. It uses that information to authenticate the user.
is multiple authentication possible in freeradius? if yes, how?
You're asking the wrong question. This is because the server doesn't work the way you think. What you SHOULD do (and what everyone else does) is to determine WHICH database to use, in the "authorize" section. Maybe you can look at the user name (user@example.com, versus user@exampleorg), or you can look at the NAS (dial-up versus DSL), or something else. Use that information to decide which database to query. Then, FreeRADIUS will authenticate the user. Alan DeKok.
participants (2)
-
Ahmet Hakan -
Alan DeKok