Hi: We have a client running FreeRadius 2.1.6 on a Linux box authenticating against shadow passwords. I've gone over the radiusd.conf and it appears that the expire module is enabled by default in the global config (there are no virtual servers here). However, FreeRadius appears to be ignoring this attribute and authenticating users with expired passwords anyway. I tried expiring the account and that worked, but it would be much better to have it respect expired passwords. Is there something I missed? TIA, James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
We have a client running FreeRadius 2.1.6 on a Linux box authenticating against shadow passwords. I've gone over the radiusd.conf and it appears that the expire module is enabled by default in the global config (there are no virtual servers here). However, FreeRadius appears to be ignoring this attribute and authenticating users with expired passwords anyway. I tried expiring the account and that worked, but it would be much better to have it respect expired passwords.
Debug? Ivan Kalik Kalik Informatika ISP
On Wed, 30 Sep 2009, Ivan Kalik wrote:
We have a client running FreeRadius 2.1.6 on a Linux box authenticating against shadow passwords. I've gone over the radiusd.conf and it appears that the expire module is enabled by default in the global config (there are no virtual servers here). However, FreeRadius appears to be ignoring this attribute and authenticating users with expired passwords anyway. I tried expiring the account and that worked, but it would be much better to have it respect expired passwords.
Debug?
Ivan Kalik
Ok, here's the output running with "-xx" debugging: group = wheel user = root including dictionary file /usr/etc/raddb/dictionary main { prefix = "/usr" localstatedir = "/usr/var" logdir = "/var/log/radius" libdir = "/usr/lib" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "DELETED" nastype = "other" } client 216.1.12.66 { require_message_authenticator = no secret = "DELETED" shortname = "cisco_pptp" nastype = "cisco" } client 192.168.3.36 { require_message_authenticator = no secret = "DELETED" shortname = "s036" nastype = "other" } client 216.1.12.74 { require_message_authenticator = no secret = "DELETED" shortname = "utopia" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Ignoring EAP-Type/tls because we do not have OpenSSL support. Ignoring EAP-Type/ttls because we do not have OpenSSL support. Ignoring EAP-Type/peap because we do not have OpenSSL support. Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/etc/raddb/users" acctusersfile = "/usr/etc/raddb/acct_users" preproxy_usersfile = "/usr/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/etc/raddb/huntgroups" hints = "/usr/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NA S-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d " header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_ippool Module: Instantiating medium_pool ippool medium_pool { session-db = "/usr/etc/raddb/db.medium_ippool" ip-index = "/usr/etc/raddb/db.medium_ipindex" key = "%{NAS-IP-Address} %{NAS-Port}" range-start = 172.16.31.101 range-stop = 172.16.31.253 netmask = 255.255.255.0 cache-size = 251 override = yes maximum-timeout = 0 } Module: Instantiating super_pool ippool super_pool { session-db = "/usr/etc/raddb/db.super_ippool" ip-index = "/usr/etc/raddb/db.super_ipindex" key = "%{NAS-IP-Address} %{NAS-Port}" range-start = 172.16.30.101 range-stop = 172.16.30.253 netmask = 255.255.255.0 cache-size = 251 override = yes maximum-timeout = 0 } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 300 cleanup_delay = 5 max_queue_size = 65536 } Thread spawned new child 1. Total threads in pool: 1 Thread spawned new child 2. Total threads in pool: 2 Thread spawned new child 3. Total threads in pool: 3 Thread spawned new child 4. Total threads in pool: 4 Thread spawned new child 5. Total threads in pool: 5 Thread pool initialized radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 Thread 1 waiting to be assigned a request Thread 2 waiting to be assigned a request Thread 5 waiting to be assigned a request Re-wait 1 Thread 4 waiting to be assigned a request Thread 3 waiting to be assigned a request } listen { type = "acct" ipaddr = * port = 0 Re-wait 1 Re-wait 5 Re-wait 4 Re-wait 3 Re-wait 1 Re-wait 2 } Re-wait 1 Re-wait 4 Re-wait 3 Re-wait 5 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Ready to process requests. Threads: total/active/spare threads = 5/0/5 Waking up in 0.9 seconds. Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns updated [files] users: Matched entry test at line 173 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "DELETED" [pap] Using CRYPT encryption. [pap] User authenticated successfully ++[pap] returns ok Login OK: [test] (from client cisco_pptp port 442) +- entering group post-auth {...} [medium_pool] Could not find Pool-Name attribute. ++[medium_pool] returns noop [super_pool] Could not find Pool-Name attribute. ++[super_pool] returns noop ++[exec] returns noop Finished request 0. Going to the next request Thread 1 waiting to be assigned a request Waking up in 4.0 seconds. Cleaning up request 0 ID 102 with timestamp +18 Ready to process requests. James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
Has anyone had any luck getting FreeRadius to recognise expired Linux system passwords as defined in /etc/login.defs ? sshd and imapd honors it, but FreeRadius does not. It appears enabled by default...is there anything else that needs to be done on the FreeRadius server config? On the NAS? TIA, On Wed, 30 Sep 2009, James Smallacombe wrote:
Hi:
We have a client running FreeRadius 2.1.6 on a Linux box authenticating against shadow passwords. I've gone over the radiusd.conf and it appears that the expire module is enabled by default in the global config (there are no virtual servers here). However, FreeRadius appears to be ignoring this attribute and authenticating users with expired passwords anyway. I tried expiring the account and that worked, but it would be much better to have it respect expired passwords.
Is there something I missed?
TIA,
James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
On 10/06/2009 01:56 PM, James Smallacombe wrote:
Has anyone had any luck getting FreeRadius to recognise expired Linux system passwords as defined in /etc/login.defs ? sshd and imapd honors it, but FreeRadius does not. It appears enabled by default...is there anything else that needs to be done on the FreeRadius server config? On the NAS?
TIA,
On Wed, 30 Sep 2009, James Smallacombe wrote:
Hi:
We have a client running FreeRadius 2.1.6 on a Linux box authenticating against shadow passwords. I've gone over the radiusd.conf and it appears that the expire module is enabled by default in the global config (there are no virtual servers here). However, FreeRadius appears to be ignoring this attribute and authenticating users with expired passwords anyway. I tried expiring the account and that worked, but it would be much better to have it respect expired passwords.
Is there something I missed?
yes, the distinction between rlm_unix and rlm_pam rlm_unix bypasses the entire login mechanism and directly reads the shadow file, not only is this a security hazard but because it bypasses all the login checking you lose another layer of security as you've discovered. sshd and imapd work because they're properly configured to use pam. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
On Tue, 6 Oct 2009, John Dennis wrote:
On 10/06/2009 01:56 PM, James Smallacombe wrote:
Has anyone had any luck getting FreeRadius to recognise expired Linux system passwords as defined in /etc/login.defs ? sshd and imapd honors it, but FreeRadius does not. It appears enabled by default...is there anything else that needs to be done on the FreeRadius server config? On the NAS?
yes, the distinction between rlm_unix and rlm_pam
rlm_unix bypasses the entire login mechanism and directly reads the shadow file, not only is this a security hazard but because it bypasses all the login checking you lose another layer of security as you've discovered.
Thanks for your response...I had discarded the notion of using pam for this because of this warning in the radiusd.conf: # WARNING: On many systems, the system PAM libraries have # memory leaks! We STRONGLY SUGGEST that you do not # use PAM for authentication, due to those memory leaks. However, I did just try using this: Auth-Type = Pam For a test user, and got this in debug: [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAM WARNING: Unknown value specified for Auth-Type. Cannot perform requested action. Failed to authenticate the user. The module appears enabled in raddb/radiusd.conf and I did put the recommended entries into /etc/pam.d/radiusd. Is there something else? Thanks again! James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
James Smallacombe wrote:
Thanks for your response...I had discarded the notion of using pam for this because of this warning in the radiusd.conf:
That's historical. The libraries may have been fixed since then.
The module appears enabled in raddb/radiusd.conf and I did put the recommended entries into /etc/pam.d/radiusd.
Is there something else?
See raddb/sites-available/default. You need to un-comment "pam" from the "authenticate" section. Alan DeKok.
On Wed, 7 Oct 2009, Alan DeKok wrote:
James Smallacombe wrote:
Thanks for your response...I had discarded the notion of using pam for this because of this warning in the radiusd.conf:
That's historical. The libraries may have been fixed since then.
Good to know...it might be worthwhile to update the docs.
The module appears enabled in raddb/radiusd.conf and I did put the recommended entries into /etc/pam.d/radiusd.
Is there something else?
See raddb/sites-available/default. You need to un-comment "pam" from the "authenticate" section.
Ok...after doing that, I found from debug that rlm_pam wasn't installed by default like I thought it was, so I installed it, and after fiddling around with the PAM config, it's working fine now. Thanks again! James Smallacombe PlantageNet, Inc. CEO and Janitor up@3.am http://3.am =========================================================================
participants (4)
-
Alan DeKok -
Ivan Kalik -
James Smallacombe -
John Dennis