Linux PAM Authentication failed: Non-Local users
Hello, I'm sure my query might have already been discussed. But couldnt search the mailing list. Can anyone please show pointers or answer this? I'm trying to perform Radius based authentication of any guest user using Linux PAM module 1.0 As radius client, pam_radius-1.3.17 plugin is used and freeradius server is used as Radius Server. I have performed the Radius client and server configurations according to the guidelines. I added the radius entry in /etc/pam.d/sshd: #%PAM-1.0 auth sufficient /lib/security/pam_radius_auth.so debug While i am trying of perform authentication of users, following are the outcomes depending upon user (trying to login) is locally configured or not. Users are trying to log-in via ssh. Both Users A and B are configured in Radius Server 1. If user A (locally configured in Linux M/C) tries to login, then Linux PAM gets the user/password information and send it to radius server. Radius Server authenticates the user/password in its database and sends successful acknowledgement to linux m/c. User is allowed to login. 2. If user B (not configured in Linux M/C) login, then Authentication is being rejected by Radius Server. Radius Server logs are showing that password in either malformed/incorrect ********************************************************************************************************************************************************************************************************************* Radius Server Logs: rad_recv: Access-Request packet from host 127.0.0.1:27138, id=117, length=91 User-Name = "abcd" User-Password = "\010\n\INCORRECT" NAS-IP-Address = 172.21.142.4 NAS-Identifier = "linux" NAS-Port = 26113 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "172.21.142.140" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "abcd", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: group authorize returns ok for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Login incorrect: [abcd/\010\n\INCORRECT] (from client localhost port 26113 cli 172.21.142.140) WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS! ********************************************************************************************************************************************************************************************************************* SSHD Logs: May 27 13:14:07 localho sshd[26113]: debug1: PAM: initializing for "abcd" May 27 13:14:07 localho sshd[26113]: debug1: PAM: setting PAM_RHOST to "172.21.142.140" May 27 13:14:07 localho sshd[26113]: debug1: PAM: setting PAM_TTY to "ssh" May 27 13:14:09 localho sshd[26113]: pam_radius_auth: Got user name abcd May 27 13:14:09 localho sshd[26113]: pam_radius_auth: Sending RADIUS request code 1 May 27 13:14:09 localho sshd[26113]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1768845152. May 27 13:14:10 localho sshd[26113]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond May 27 13:14:10 localho sshd[26113]: pam_radius_auth: All RADIUS servers failed to respond. May 27 13:14:10 localho sshd[26113]: pam_radius_auth: authentication failed May 27 13:14:10 localho sshd(pam_unix)[26113]: check pass; user unknown May 27 13:14:10 localho sshd(pam_unix)[26113]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.142.140 May 27 13:14:13 localho sshd[26113]: debug1: PAM: password authentication failed for an illegal user: Authentication failure May 27 13:14:13 localho sshd[26113]: Failed password for invalid user abcd from ::ffff:172.21.142.140 port 36124 ssh2 ********************************************************************************************************************************************************************************************************************* After reading through couple of forums, i got the hint this is the way PAM works. Linux PAM has restriction to have user-id configured locally on Linux M/C for successful Radius Authentication But if we have the case of thousands of guest users, then it is not possible to add every user in machine itself. I am willing to know: 1. Is this is the way how PAM works. Is this limitation is present in PAM 2. I am using Linux PAM 1.0. Is there any patch/fix available in higher version of PAM? 3. Is there any way to overcome this issue by using some other libpam-radius-auth plugin. Though i do not think it is Radius client plugin issue. It will be really helpful if you can help/suggest me in this regards. Regards, Anand Neeli
On Jun 29, 2017, at 9:48 AM, Anand Neeli <anand.neeli@gmail.com> wrote:
Hello But couldnt search the mailing list. Can anyone please show pointers or answer this? I'm trying to perform Radius based authentication of any guest user using Linux PAM module 1.0
The one thing you need to know is that PAM does name/password checking only. You still need something else to supply UID / GID / home directory, etc.
1. If user A (locally configured in Linux M/C) tries to login, then Linux PAM gets the user/password information and send it to radius server. Radius Server authenticates the user/password in its database and sends successful acknowledgement to linux m/c. User is allowed to login. 2. If user B (not configured in Linux M/C) login, then Authentication is being rejected by Radius Server. Radius Server logs are showing that password in either malformed/incorrect
No. It's showing that the password is this:
User-Password = "\010\n\INCORRECT"
i.e. the PAM RADIUS module gets *that string* as the password, and sends it to the RADIUS server. The issue is that *another* PAM module is checking for local users, and mashing the password to that string if the user isn't found. And even if you did get that fixed, PAM doesn't support UID / GID / etc. So using RADIUS to authenticate random users still won't work. Alan DeKok.
And even if you did get that fixed, PAM doesn't support UID / GID / etc. So using RADIUS to authenticate random users still won't work.
Is there any workaround or any other way to fix this? is this a drawback with linux pam? Thanks, Anand Neeli On Thu, Jun 29, 2017 at 7:57 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 29, 2017, at 9:48 AM, Anand Neeli <anand.neeli@gmail.com> wrote:
Hello But couldnt search the mailing list. Can anyone please show pointers or answer this? I'm trying to perform Radius based authentication of any guest user using Linux PAM module 1.0
The one thing you need to know is that PAM does name/password checking only.
You still need something else to supply UID / GID / home directory, etc.
1. If user A (locally configured in Linux M/C) tries to login, then Linux PAM gets the user/password information and send it to radius server. Radius Server authenticates the user/password in its database and sends successful acknowledgement to linux m/c. User is allowed to login. 2. If user B (not configured in Linux M/C) login, then Authentication is being rejected by Radius Server. Radius Server logs are showing that password in either malformed/incorrect
No. It's showing that the password is this:
User-Password = "\010\n\INCORRECT"
i.e. the PAM RADIUS module gets *that string* as the password, and sends it to the RADIUS server.
The issue is that *another* PAM module is checking for local users, and mashing the password to that string if the user isn't found.
And even if you did get that fixed, PAM doesn't support UID / GID / etc. So using RADIUS to authenticate random users still won't work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Say, if i create a generic user(username: remote) for non-local accounts. I'm trying to figure out if i can load user remote profile and authenticate non-local users with radius. if i can create a PAM module that loads the “remote” user. This module would be configured after “account pam_unix.so” as “account pam_<name>.so” Can anyone suggest/foresee any problems with this approach? Thanks, Anand Neeli On Thu, Jun 29, 2017 at 10:14 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Jun 29, 2017, at 11:37 AM, Anand Neeli <anand.neeli@gmail.com> wrote:
Is there any workaround or any other way to fix this? is this a drawback with linux pam?
As I said: PAM doesn't support UID / GID / home directory, etc.
You will need to use something else.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jun 30, 2017, at 2:46 AM, Anand Neeli <anand.neeli@gmail.com> wrote:
Say, if i create a generic user(username: remote) for non-local accounts. I'm trying to figure out if i can load user remote profile and authenticate non-local users with radius. if i can create a PAM module that loads the “remote” user. This module would be configured after “account pam_unix.so” as “account pam_<name>.so”
Can anyone suggest/foresee any problems with this approach?
Have you been reading my messages? Or are you just posting random thoughts to the list and ignoring all responses? Alan Dekok.
participants (2)
-
Alan DeKok -
Anand Neeli