local ssh authentication via radius possible?
I've read the faq, wiki, etc and the sample configs that come with freeradius, but I'm a bit stuck I want to have users use SSH to login to the server, but use radius as the authentication method, is this possible? and if so, what would a sample config look like for this? sorry, I'm a bit lost trying to wrap my head around how this concept would work. _________________________________________________________________ Have fun while connecting on Messenger! Click here to learn more. http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
Dan Gahlinger wrote:
I've read the faq, wiki, etc and the sample configs that come with freeradius, but I'm a bit stuck
I want to have users use SSH to login to the server, but use radius as the authentication method, is this possible?
Yes. SSH calls PAM. PAM uses the pam_radius_auth plugin, which talks to a RADIUS server. Alan DeKok.
I understand that part. But I'm not talking about going to another server, I'm talking locally. so PAM can talk to the local radius server on the server the user is connecting to? I still can't figure out how to configure this, which is where I really need the help. the dial-up/telnet examples don't help at all. thanks
Date: Wed, 21 Nov 2007 19:41:46 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: local ssh authentication via radius possible?
Dan Gahlinger wrote:
I've read the faq, wiki, etc and the sample configs that come with freeradius, but I'm a bit stuck
I want to have users use SSH to login to the server, but use radius as the authentication method, is this possible?
Yes. SSH calls PAM. PAM uses the pam_radius_auth plugin, which talks to a RADIUS server.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Send a smile, make someone laugh, have some fun! Start now! http://www.freemessengeremoticons.ca/?icid=EMENCA122
Dan Gahlinger wrote:
I understand that part. But I'm not talking about going to another server, I'm talking locally. so PAM can talk to the local radius server on the server the user is connecting to?
The pam_radius_auth module can. Just tell it that the RADIUS server is 127.0.0.1
I still can't figure out how to configure this, which is where I really need the help. the dial-up/telnet examples don't help at all.
What else do you want to do? Alan DeKok.
How do I configure PAM to use radius? ----------------------------------------
Date: Wed, 21 Nov 2007 21:45:32 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: local ssh authentication via radius possible?
Dan Gahlinger wrote:
I understand that part. But I'm not talking about going to another server, I'm talking locally. so PAM can talk to the local radius server on the server the user is connecting to?
The pam_radius_auth module can. Just tell it that the RADIUS server is 127.0.0.1
I still can't figure out how to configure this, which is where I really need the help. the dial-up/telnet examples don't help at all.
What else do you want to do?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ R U Ready for Windows Live Messenger Beta 8.5? Try it today! http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
there is a lot of documentation missing. for example, when users are using "SSH" what's the "Login-Service" supposed to be? setting it to "SSH" doesn't work. so many unanswered questions about this. with SSH we don't want to assign the user an IP address so I just used "Login-IP-Host" and Service-Type "Login-User" radiusd also complains unknown module "files" this could really use a "newbie" setup guide with examples....
Date: Sat, 24 Nov 2007 07:35:54 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: local ssh authentication via radius possible?
Dan Gahlinger wrote:
How do I configure PAM to use radius?
See the documentation in the pam_radius_auth module. It's on the freeradius web page.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Are you ready for Windows Live Messenger Beta 8.5 ? Get the latest for free today! http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
From RFC:
Values for RADIUS Attribute 15, Login-Service: Value Description Reference ----- ----------- --------- 0 Telnet 1 Rlogin 2 TCP Clear 3 PortMaster (proprietary) 4 LAT 5 X25-PAD 6 X25-T3POS 7 (unassigned) 8 TCP Clear Quiet (suppresses any NAS-generated connect string)
setting it to "SSH" doesn't work.
Now you know why. Ivan Kalik Kalik Informatika ISP
So what are we supposed to use for SSH then? TCP Clear? or TCP Clear Quiet? Dan.
To: freeradius-users@lists.freeradius.org Subject: RE: local ssh authentication via radius possible? Date: Mon, 26 Nov 2007 17:02:16 +0100 From: tnt@kalik.co.yu
From RFC:
Values for RADIUS Attribute 15, Login-Service:
Value Description Reference ----- ----------- --------- 0 Telnet 1 Rlogin 2 TCP Clear 3 PortMaster (proprietary) 4 LAT 5 X25-PAD 6 X25-T3POS 7 (unassigned) 8 TCP Clear Quiet (suppresses any NAS-generated connect string)
setting it to "SSH" doesn't work.
Now you know why.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ R U Ready for Windows Live Messenger Beta 8.5? Try it today! http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
nope. I didn't touch the default radiusd.conf (out of the package) I think I need to resolve this Login-Service first. it can't parse the users file because of it. so which Login-Service do I use?
To: freeradius-users@lists.freeradius.org Subject: RE: local ssh authentication via radius possible? Date: Mon, 26 Nov 2007 17:08:59 +0100 From: tnt@kalik.co.yu
radiusd also complains unknown module "files"
And that would be the result of you hacking the default radiusd.conf. Leave it alone, and it will work.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ R U Ready for Windows Live Messenger Beta 8.5? Try it today! http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
it doesn't like my config, even with "TCP Clear"- testing Cleartext-Password := "callme" Service-Type = Login-User, Login-Service = TCP Clear, Login-IP-Host = testing.mydomain.com this is frustrating. and i'm not even sure this is correct for SSH?
To: freeradius-users@lists.freeradius.org Subject: RE: local ssh authentication via radius possible? Date: Mon, 26 Nov 2007 17:08:59 +0100 From: tnt@kalik.co.yu
radiusd also complains unknown module "files"
And that would be the result of you hacking the default radiusd.conf. Leave it alone, and it will work.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Have fun while connecting on Messenger! Click here to learn more. http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
Dan Gahlinger wrote:
it doesn't like my config, even with "TCP Clear"-
testing Cleartext-Password := "callme" Service-Type = Login-User, Login-Service = TCP Clear, Login-IP-Host = testing.mydomain.com
You have to use the names from the dictionaries. "TCP clear" is two words, and is not a name from the dictionaries. In any case, the PAM RADIUS module doesn't need "TCP Clear". If you're using something else to do RADIUS authentication, see it's documentation for what it needs.
this is frustrating. and i'm not even sure this is correct for SSH?
Perhaps the SSH documentation says something? You've been very careful to not show the output of debugging mode, either on the server or on the client (if it has one). You've also been careful to hide which RADIUS client you're using. This makes it difficult to help you. You're saying "Hi, I'm using stuff to login, but it doesn't work. Help me!" Those kind of questions are content-free, and actively prevent anyone from helping you. Alan DeKok.
The SSH documentation doesnt say anything about using radius or configuring the Radius users file. why would it? that makes no sense. The pam_radius_auth documentation, while useful, makes no mention of the radius users file. I have not been "careful" to hide or keep anything. I just didn't think the log output was useful but, since I'm new to this, here you go (from the most recent attempt): Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Expected end of line or comma Mon Nov 26 11:15:30 2007 : Error: Errors reading /etc/raddb/users Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed. Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1852] Unknown module "files". Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1788] Failed to parse authorize section. and here it is from the previous attempt at using "ssh" as a login-service: Mon Nov 26 11:14:54 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 11:14:54 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Unknown value ssh for attribute Logi n-Service Mon Nov 26 11:14:54 2007 : Error: Errors reading /etc/raddb/users Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed. Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1852] Unknown module "files". Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1788] Failed to parse authorize section. BTW that is the REAL name of my server, it just happens to be in a test environment. I wanted to keep things simple. I will check the dictionary and see how "tcp clear" should be entered. However, your email suggests that this is not the correct avenue to pursue, and as such, I'm lost, again. I'm using the base install, and changed only the users file for the radius server config the pam config seemed fairly straight-forward, just add the auth/account lines. everything else is straight out of the box, I even used the sample secrets to keep it simple. I want as few variables as possible while testing this. here's my pam sshd config anyhow: #%PAM-1.0 auth requisite pam_nologin.so auth sufficient /lib/security/pam_radius_auth.so debug auth include common-auth account sufficient /lib/security/pam_radius_auth.so account include common-account password sufficient /lib/security/pam_radius_auth.so password include common-password session required pam_loginuid.so session include common-session # Enable the following line to get resmgr support for # ssh sessions (see /usr/share/doc/packages/resmgr/README) #session optional pam_resmgr.so fake_ttyname nothing too exciting
Date: Mon, 26 Nov 2007 18:17:33 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: local ssh authentication via radius possible?
Dan Gahlinger wrote:
it doesn't like my config, even with "TCP Clear"-
testing Cleartext-Password := "callme" Service-Type = Login-User, Login-Service = TCP Clear, Login-IP-Host = testing.mydomain.com
You have to use the names from the dictionaries. "TCP clear" is two words, and is not a name from the dictionaries.
In any case, the PAM RADIUS module doesn't need "TCP Clear". If you're using something else to do RADIUS authentication, see it's documentation for what it needs.
this is frustrating. and i'm not even sure this is correct for SSH?
Perhaps the SSH documentation says something?
You've been very careful to not show the output of debugging mode, either on the server or on the client (if it has one). You've also been careful to hide which RADIUS client you're using.
This makes it difficult to help you. You're saying "Hi, I'm using stuff to login, but it doesn't work. Help me!" Those kind of questions are content-free, and actively prevent anyone from helping you.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Have fun while connecting on Messenger! Click here to learn more. http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
Dan Gahlinger wrote:
The SSH documentation doesnt say anything about using radius or configuring the Radius users file. why would it? that makes no sense.
Because you haven't said which RADIUS client you're using. Maybe SSH has a RADIUS plugin...
The pam_radius_auth documentation, while useful, makes no mention of the radius users file.
Of course not. It's a client. The "users" file is only for the server.
I have not been "careful" to hide or keep anything. I just didn't think the log output was useful but, since I'm new to this, here you go (from the most recent attempt):
The FAQ, README, INSTALL, and many messages on this list make it clear that running in debugging mode, and posting the output to this list, is the only way to solve many problems.
Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Expected end of line or comma
You edited the "users" file, and broke it.
and here it is from the previous attempt at using "ssh" as a login-service:
Which isn't documented as a permitted Login-Service for the server. And it isn't documented as being necessary for the pam_radius_auth module.
I will check the dictionary and see how "tcp clear" should be entered. However, your email suggests that this is not the correct avenue to pursue, and as such, I'm lost, again.
Perhaps you could explain why you're so fixated on setting Login-Service? The pam_radius_auth documentation doesn't say that it's needed.
everything else is straight out of the box, I even used the sample secrets to keep it simple. I want as few variables as possible while testing this.
Try starting the server without changing ANYTHING. When you log in over SSH, does the PAM module send a RADIUS request? Does the server receive it? You seem to have wandered down a configuration path that isn't required, and you're doing things that aren't documented. Stop trying to do complicated things, and go back to the default configurations and simple tests. Alan DeKok.
the client software I'm using is SecureCRT (windows - from vandyke) its a windows SSH client. I don't understand most of what you said here. Hence my problem. I did configure pam_radius with "debug" option. there is no output created. It's impossible to tell if things are working the way they should Login-Service is set to "TCP-Clear" now, and the log file produces only this: Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 12:43:45 2007 : Info: Ready to process requests. and nothing else. No other logs anywhere, not even a failed "ssh" log in messages, warn, etc. Maybe I should restate, clearly, what I'm trying to do. and see if it's possible, or makes sense. we need a regular user using SSH client such as SecureCRT, or Putty, etc without modification, to login via SSH to a linux server, and have the server use Radius for authentication. These are "local" users with shell access. The radius would be local. So instead of using the local password file, we want to use Radius. Eventually the server they're logging into will point their radius to another radius server (also linux) running on the network. I have no idea what I'm doing, so I'm grasping at straws. You said to read the documentation, which, there wasn't much of in this regard, but I did anyhow. Then you said to read pam_radius_auth, which I did, and attempted to implement. Thankfully, logins using the local password file still works. Using everything in the defaults without changing the user file doesn't make sense, because that's what we want to use for authentication, only, in our case, it'd be on a central server instead of local, but I want to get local testing working first, just to make sure I understand it all. at this point, I don't understand any of it, and yelling at me for doing the wrong things isn't helping. you've seen my configuration files. I don't know how it should work, because I have no idea how it should look. I'd appreciate a little bit of help here, some hints, some sample configs, would really really help. I mean, if it's even possible to do what we're trying to do.
Date: Mon, 26 Nov 2007 20:33:13 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: local ssh authentication via radius possible?
Dan Gahlinger wrote:
The SSH documentation doesnt say anything about using radius or configuring the Radius users file. why would it? that makes no sense.
Because you haven't said which RADIUS client you're using. Maybe SSH has a RADIUS plugin...
The pam_radius_auth documentation, while useful, makes no mention of the radius users file.
Of course not. It's a client. The "users" file is only for the server.
I have not been "careful" to hide or keep anything. I just didn't think the log output was useful but, since I'm new to this, here you go (from the most recent attempt):
The FAQ, README, INSTALL, and many messages on this list make it clear that running in debugging mode, and posting the output to this list, is the only way to solve many problems.
Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Expected end of line or comma
You edited the "users" file, and broke it.
and here it is from the previous attempt at using "ssh" as a login-service:
Which isn't documented as a permitted Login-Service for the server. And it isn't documented as being necessary for the pam_radius_auth module.
I will check the dictionary and see how "tcp clear" should be entered. However, your email suggests that this is not the correct avenue to pursue, and as such, I'm lost, again.
Perhaps you could explain why you're so fixated on setting Login-Service? The pam_radius_auth documentation doesn't say that it's needed.
everything else is straight out of the box, I even used the sample secrets to keep it simple. I want as few variables as possible while testing this.
Try starting the server without changing ANYTHING. When you log in over SSH, does the PAM module send a RADIUS request? Does the server receive it?
You seem to have wandered down a configuration path that isn't required, and you're doing things that aren't documented. Stop trying to do complicated things, and go back to the default configurations and simple tests.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Have fun while connecting on Messenger! Click here to learn more. http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
Dan Gahlinger wrote:
I don't understand most of what you said here. Hence my problem.
The problem is that you're trying to configure 4-5 separate things at the same time, without understanding how most of them work. As a result, you're frustrated, and not making progress.
Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
and nothing else. No other logs anywhere, not even a failed "ssh" log in messages, warn, etc.
i.e. PAM isn't using RADIUS for authentication. Fix that. Read the PAM documentation.
we need a regular user using SSH client such as SecureCRT, or Putty, etc without modification, to login via SSH to a linux server, and have the server use Radius for authentication.
These are "local" users with shell access. The radius would be local. So instead of using the local password file, we want to use Radius.
That will work, but they will need a uid/gid etc. in /etc/passwd.
Using everything in the defaults without changing the user file doesn't make sense, because that's what we want to use for authentication, only, in our case, it'd be on a central server instead of local, but I want to get local testing working first, just to make sure I understand it all.
Which is why I said to use the defaults. If you don't know what it's doing, then DON'T CHANGE ANTYTHING. The default configuration WORKS. Every change you've made has broken it.
at this point, I don't understand any of it, and yelling at me for doing the wrong things isn't helping.
No, I'm telling you that making random changes won't work. I'm telling you that making changes that aren't recommended in the documentation is not a good idea. I'm telling you that reading the documentation and following it's recommendations is a good idea.
you've seen my configuration files. I don't know how it should work, because I have no idea how it should look.
They should look like the samples. It's not hard.
I'd appreciate a little bit of help here, some hints, some sample configs, would really really help.
The sample configurations work. However, it's clear that for whatever reason, SSH isn't using PAM, *or*, PAM isn't using the pam_radius_auth module, *or* the pam_radius_auth module isn't configured to use the correct RADIUS server. As a result, the RADIUS server isn't receiving login requests. As a result of that, no amount of fighting with the RADIUS configuration will help. So all of the time you put into configuring "Login-Server" was wasted.
I mean, if it's even possible to do what we're trying to do.
Yes. I will also note that I asked a number of questions in my last message, and you haven't answered any of them. Either you didn't understand them, or you don't think they're important. Part of the reason this is so difficult for you is that you are fighting every attempt by anyone to help you. You're stuck on one particular mind-set that is preventing anyone from helping you, and preventing you from solving the problem. Until you give up that mindset, and let people help you, you won't solve the problem. You'll only get more and more frustrated. Alan DeKok.
I'm not fighting you at all. All of your answers previously were "read the documentation, it's there". well, it's not. definitely not. the pam_radius_auth link you gave me states: In the per-application configuration add: auth sufficient /lib/security/pam_radius_auth.so AFTER auth sufficient /lib/security/pam_securetty.so and BEFORE: auth required /lib/security/pam_unix_auth.so take a look at my config - /etc/pam.d/sshd #%PAM-1.0 auth requisite pam_nologin.so auth sufficient /lib/security/pam_radius_auth.so debug auth include common-auth account sufficient /lib/security/pam_radius_auth.so account include common-account password include common-password session required pam_loginuid.so session include common-session # Enable the following line to get resmgr support for # ssh sessions (see /usr/share/doc/packages/resmgr/README) #session optional pam_resmgr.so fake_ttyname pam_securetty is never referenced, except in /etc/pam.d/login so should it be in sshd or login, or both? it doesn't seem to make any difference. a "Default" radiusd install with NO changes (except server file as follows: 127.0.0.1 testing123 3 users in password file can login, but it doesn't seem to be using radius. the documentation for pam is as clear as mud. did it mean to modify the login file like this: #%PAM-1.0 auth requisite pam_nologin.so auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so auth sufficient /lib/security/pam_radius_auth.so debug auth include common-auth account include common-account password include common-password session required pam_loginuid.so session include common-session session required pam_lastlog.so nowtmp session required pam_resmgr.so session optional pam_mail.so standard session optional pam_ck_connector.so because that doesnt make any difference either. same result as with just sshd above I now have a "vanilla" radiusd config (with the one change to server file above), and trying to figure out the pam config. the documentation also states: "The pam configuration can be:" ... auth sufficient /lib/security/pam_radius_auth.so [options] ... account sufficient /lib/security/pam_radius_auth.so which is the first time the account directive is mentioned. so you now have my entire config, back to basics, trying to figure out the pam stuff... logins work, but they're not using radius. and there's nothing in the logs. even with "debug" option specified. Dan.
Date: Mon, 26 Nov 2007 21:51:34 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: local ssh authentication via radius possible?
Dan Gahlinger wrote:
I don't understand most of what you said here. Hence my problem.
The problem is that you're trying to configure 4-5 separate things at the same time, without understanding how most of them work. As a result, you're frustrated, and not making progress.
Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
and nothing else. No other logs anywhere, not even a failed "ssh" log in messages, warn, etc.
i.e. PAM isn't using RADIUS for authentication. Fix that. Read the PAM documentation.
we need a regular user using SSH client such as SecureCRT, or Putty, etc without modification, to login via SSH to a linux server, and have the server use Radius for authentication.
These are "local" users with shell access. The radius would be local. So instead of using the local password file, we want to use Radius.
That will work, but they will need a uid/gid etc. in /etc/passwd.
Using everything in the defaults without changing the user file doesn't make sense, because that's what we want to use for authentication, only, in our case, it'd be on a central server instead of local, but I want to get local testing working first, just to make sure I understand it all.
Which is why I said to use the defaults. If you don't know what it's doing, then DON'T CHANGE ANTYTHING. The default configuration WORKS. Every change you've made has broken it.
at this point, I don't understand any of it, and yelling at me for doing the wrong things isn't helping.
No, I'm telling you that making random changes won't work. I'm telling you that making changes that aren't recommended in the documentation is not a good idea. I'm telling you that reading the documentation and following it's recommendations is a good idea.
you've seen my configuration files. I don't know how it should work, because I have no idea how it should look.
They should look like the samples. It's not hard.
I'd appreciate a little bit of help here, some hints, some sample configs, would really really help.
The sample configurations work.
However, it's clear that for whatever reason, SSH isn't using PAM, *or*, PAM isn't using the pam_radius_auth module, *or* the pam_radius_auth module isn't configured to use the correct RADIUS server.
As a result, the RADIUS server isn't receiving login requests. As a result of that, no amount of fighting with the RADIUS configuration will help. So all of the time you put into configuring "Login-Server" was wasted.
I mean, if it's even possible to do what we're trying to do.
Yes.
I will also note that I asked a number of questions in my last message, and you haven't answered any of them. Either you didn't understand them, or you don't think they're important.
Part of the reason this is so difficult for you is that you are fighting every attempt by anyone to help you. You're stuck on one particular mind-set that is preventing anyone from helping you, and preventing you from solving the problem. Until you give up that mindset, and let people help you, you won't solve the problem. You'll only get more and more frustrated.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Send a smile, make someone laugh, have some fun! Start now! http://www.freemessengeremoticons.ca/?icid=EMENCA122
Dan Gahlinger wrote:
I'm not fighting you at all.
<shrug> Having answered questions on this list for nearly a decade, I see patterns.
All of your answers previously were "read the documentation, it's there". well, it's not. definitely not.
The parts I was pointing you to were documented. Or, I was pointing you to other non-RADIUS documentation. i.e. PAM.
the pam_radius_auth link you gave me states: ... take a look at my config - /etc/pam.d/sshd
Which is different. Unfortunately, every distribution has their own "special" flavor of their PAM configuration. The documentation in pam_radius_auth is generic, and matches many commonly used configurations. If it doesn't, see: a) the documentation for your OS b) the generic PAM documentation i.e. configuring PAM to use pam_radius_auth is a... PAM issue. The best place to look for help is the PAM documentation, or a PAM list, or OS-specific help.
a "Default" radiusd install with NO changes (except server file as follows: 127.0.0.1 testing123 3
users in password file can login, but it doesn't seem to be using radius.
Then see the PAM documentation for debugging, and how to see if it's calling pam_radius_auth.
the documentation for pam is as clear as mud. did it mean to modify the login file like this: ... Modifying the "login" file affects only the "login" process. Not "sshd".
because that doesnt make any difference either. same result as with just sshd above
See the PAM documentation for debugging PAM. Once you have it calling pam_radius_auth, ask more questions here. Alan DeKok.
the pam_radius_auth documentation says to email YOU and refers to the radius mailing list, which is where I am. you are the author of that as well. There's no useful documentation on pam on the system, man pages are useless. I'll try to find a PAM mailing list. yes, I guess after decades you get tired of answering questions of newbies. I'd have thought this would all be well documented by now. oh well.
Date: Mon, 26 Nov 2007 22:48:11 +0100 From: aland@deployingradius.com To: freeradius-users@lists.freeradius.org Subject: Re: local ssh authentication via radius possible?
Dan Gahlinger wrote:
I'm not fighting you at all.
<shrug> Having answered questions on this list for nearly a decade, I see patterns.
All of your answers previously were "read the documentation, it's there". well, it's not. definitely not.
The parts I was pointing you to were documented. Or, I was pointing you to other non-RADIUS documentation. i.e. PAM.
the pam_radius_auth link you gave me states: ... take a look at my config - /etc/pam.d/sshd
Which is different. Unfortunately, every distribution has their own "special" flavor of their PAM configuration. The documentation in pam_radius_auth is generic, and matches many commonly used configurations. If it doesn't, see:
a) the documentation for your OS b) the generic PAM documentation
i.e. configuring PAM to use pam_radius_auth is a... PAM issue. The best place to look for help is the PAM documentation, or a PAM list, or OS-specific help.
a "Default" radiusd install with NO changes (except server file as follows: 127.0.0.1 testing123 3
users in password file can login, but it doesn't seem to be using radius.
Then see the PAM documentation for debugging, and how to see if it's calling pam_radius_auth.
the documentation for pam is as clear as mud. did it mean to modify the login file like this: ... Modifying the "login" file affects only the "login" process. Not "sshd".
because that doesnt make any difference either. same result as with just sshd above
See the PAM documentation for debugging PAM. Once you have it calling pam_radius_auth, ask more questions here.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Express yourself with free Messenger emoticons. Get them today! http://www.freemessengeremoticons.ca/?icid=EMENCA122
Dan Gahlinger wrote:
the pam_radius_auth documentation says to email YOU and refers to the radius mailing list, which is where I am. you are the author of that as well.
And I'm not the author of the PAM system. If you can get PAM to call the module, ask questions here. If not, ask questions on a PAM list.
There's no useful documentation on pam on the system, man pages are useless.
Then complain to the PAM people.
I'll try to find a PAM mailing list.
That's what I've been trying to tell you...
yes, I guess after decades you get tired of answering questions of newbies.
I'm resigned to the fact that some people just don't want to be helped. Alan DeKok.
Login-Service is set to "TCP-Clear" now,
Leave just username and password. Delete all the rest for that user. You don't need that.
and the log file produces only this: Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
and nothing else. No other logs anywhere, not even a failed "ssh" log in messages, warn, etc.
Which is good. It's a step in the right direction - at least users file isn't broken anymore. Now send a request to it. First use radtest. Then try PAM. Ivan Kalik Kalik Informatika ISP
if I do that, I get this: radtest testing callme 127.0.0.1 10 testing123 Sending Access-Request of id 196 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "callme" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Re-sending Access-Request of id 196 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "callme" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=196, length=20 users config for that test is just this: testing Cleartext-Password := "callme"
To: freeradius-users@lists.freeradius.org Subject: RE: local ssh authentication via radius possible? Date: Mon, 26 Nov 2007 21:58:00 +0100 From: tnt@kalik.co.yu
Login-Service is set to "TCP-Clear" now,
Leave just username and password. Delete all the rest for that user. You don't need that.
and the log file produces only this: Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
and nothing else. No other logs anywhere, not even a failed "ssh" log in messages, warn, etc.
Which is good. It's a step in the right direction - at least users file isn't broken anymore. Now send a request to it. First use radtest. Then try PAM.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ R U Ready for Windows Live Messenger Beta 8.5? Try it today! http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
Run server in debug mode and post the output. Open one session for radtest and another for radiusd -X. Ivan Kalik Kalik Informatika ISP Dana 26/11/2007, "Dan Gahlinger" <dgahling@hotmail.com> piše:
if I do that, I get this:
radtest testing callme 127.0.0.1 10 testing123 Sending Access-Request of id 196 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "callme" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 Re-sending Access-Request of id 196 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "callme" NAS-IP-Address = 255.255.255.255 NAS-Port = 10 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=196, length=20
users config for that test is just this: testing Cleartext-Password := "callme"
To: freeradius-users@lists.freeradius.org Subject: RE: local ssh authentication via radius possible? Date: Mon, 26 Nov 2007 21:58:00 +0100 From: tnt@kalik.co.yu
Login-Service is set to "TCP-Clear" now,
Leave just username and password. Delete all the rest for that user. You don't need that.
and the log file produces only this: Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none? Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
and nothing else. No other logs anywhere, not even a failed "ssh" log in messages, warn, etc.
Which is good. It's a step in the right direction - at least users file isn't broken anymore. Now send a request to it. First use radtest. Then try PAM.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ R U Ready for Windows Live Messenger Beta 8.5? Try it today! http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
On Nov 26, 2007 10:55 AM, Dan Gahlinger <dgahling@hotmail.com> wrote:
there is a lot of documentation missing. for example, when users are using "SSH" what's the "Login-Service" supposed to be? setting it to "SSH" doesn't work.
so many unanswered questions about this. with SSH we don't want to assign the user an IP address so I just used "Login-IP-Host" and Service-Type "Login-User"
radiusd also complains unknown module "files"
this could really use a "newbie" setup guide with examples....
http://www.howtoforge.com/configuring-ssh-to-use-freeradius-and-wikid-for-tw... This guide will essentially show you how to allow users to ssh to a box using a freeradius server on that same box, which I think is your goal. It sound like you have 'over-configured' something along the way. For example, I would drop the "Login-IP-Host" accounting piece until you've got the basics running. hth, nick -- -- Nick Owen WiKID Systems, Inc. 404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication
participants (4)
-
Alan DeKok -
Dan Gahlinger -
Nick Owen -
tnt@kalik.co.yu