Getting error only when *not* running in debug mode....
Hi all, I've been a happy FreeRadius user for over 3 years now. I have had 3.0.13 running for that entire time with no complaints. (I've been using it w/ a Sonicwall to do 2-factor authentication for VPN login.) Recently, I've been revisiting the installation, and I thought, rather than making changes to a very stable and reliable system, I'd spin up a new installation with the latest version of FreeRadius (3.0.23). So, my new server is running Ubuntu 20.04 and using the NetworkRadius packages to install freeradius 3.0.23. I have also installed libpam-google-authenticatior, and integrated it according to these steps: https://networkjutsu.com/freeradius-google-authenticator/ This seems to have worked fine. I was running freeradius manually, with debug (-X) enabled, and everything seemed to be working fine. sudo /usr/sbin/freeradius -X So, I killed freeradius (CTRL-C), and tried: sudo service freeradius start It started up fine. But, now when I try authenticating (using radtest): radtest mbobak redacted123456 localhost:1812 0 'redacted' I get Access-Rejected Looking at the log file, /var/log/freeradius/radius.log, I see: Wed Jun 16 22:42:54 2021 : Info: Ready to process requests Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: PAM conversation failed Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: Error "Read-only file system" while writing config Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: pam_authenticate failed: Authentication failure Wed Jun 16 22:43:27 2021 : Auth: (0) Login incorrect (pam: PAM conversation failed): [mbobak/Akosama30404615] (from client localhost port 0) The only read-only filesystems do not appear to be relevant to the freeradius installation: mount | grep ro, tmpfs on /sys/fs/cgroup type tmpfs (ro,nosuid,nodev,noexec,mode=755) /var/lib/snapd/snaps/amazon-ssm-agent_3552.snap on /snap/amazon-ssm-agent/3552 type squashfs (ro,nodev,relatime,x-gdu.hide) /var/lib/snapd/snaps/core18_1997.snap on /snap/core18/1997 type squashfs (ro,nodev,relatime,x-gdu.hide) /var/lib/snapd/snaps/lxd_19647.snap on /snap/lxd/19647 type squashfs (ro,nodev,relatime,x-gdu.hide) /var/lib/snapd/snaps/snapd_12057.snap on /snap/snapd/12057 type squashfs (ro,nodev,relatime,x-gdu.hide) /var/lib/snapd/snaps/core18_2066.snap on /snap/core18/2066 type squashfs (ro,nodev,relatime,x-gdu.hide) /var/lib/snapd/snaps/lxd_20326.snap on /snap/lxd/20326 type squashfs (ro,nodev,relatime,x-gdu.hide) /var/lib/snapd/snaps/snapd_12159.snap on /snap/snapd/12159 type squashfs (ro,nodev,relatime,x-gdu.hide) But, even though it's reporting a read-only filesystem error, I'm thinking it could be a permission problem on some file? But, I'm really baffled by the system working when I run freeradius manually, but only errors when I run it from the service. Any help would be appreciated. Thanks, -Mark
On Jun 16, 2021, at 7:13 PM, Mark J. Bobak <mark@bobak.net> wrote:
So, my new server is running Ubuntu 20.04 and using the NetworkRadius packages to install freeradius 3.0.23. I have also installed libpam-google-authenticatior, and integrated it according to these steps: https://networkjutsu.com/freeradius-google-authenticator/
3.0.23 includes a TOTP module. Which means you can out the TOTP secrets into a database, or pretty much anywhere else you want. And you don't need to use PAM. And, that users don't need to have login accounts.
This seems to have worked fine. I was running freeradius manually, with debug (-X) enabled, and everything seemed to be working fine. sudo /usr/sbin/freeradius -X
i.e. as root.
So, I killed freeradius (CTRL-C), and tried: sudo service freeradius start It started up fine.
And runs as user "radiusd".
But, now when I try authenticating (using radtest): radtest mbobak redacted123456 localhost:1812 0 'redacted'
I get Access-Rejected Looking at the log file, /var/log/freeradius/radius.log, I see: Wed Jun 16 22:42:54 2021 : Info: Ready to process requests Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: PAM conversation failed Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: Error "Read-only file system" while writing config
That seems rather crazy, TBH. PAM shouldn't be writing *anything* during the normal course of operations.
But, even though it's reporting a read-only filesystem error, I'm thinking it could be a permission problem on some file?
Yes. User "radiusd" doesn't have permission to write the files.
But, I'm really baffled by the system working when I run freeradius manually, but only errors when I run it from the service.
User "root" has permission to write the files. You'll have to find out which file / directory is the problem, and then change the permissions. I'm sure that information is buried somewhere in the PAM documentation. It's outside of the scope of FreeRADIUS. Alan DeKok.
Ok, I guess I'll have to do some research on PAM. But I tried 'sudo service freeradius debug', and it started in debug mode, and when I tried radtest, it worked. So, I checked how freeradius is running (root or freerad) and it's still running as 'freerad': ubuntu@radius1:~$ ps -ef|grep freerad root 8784 8497 0 14:19 pts/0 00:00:00 sudo service freeradius debug root 8785 8784 0 14:19 pts/0 00:00:00 /bin/sh /etc/init.d/freeradius debug freerad 8801 8785 0 14:19 pts/0 00:00:00 /usr/sbin/freeradius -X ubuntu 8812 8627 0 14:20 pts/1 00:00:00 grep --color=auto freerad So, I'm not sure what's going on here. Running as root works. Running as freerad fails. Running as freerad w/ debug also works. Help? -Mark On Thu, Jun 17, 2021 at 7:02 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 16, 2021, at 7:13 PM, Mark J. Bobak <mark@bobak.net> wrote:
So, my new server is running Ubuntu 20.04 and using the NetworkRadius packages to install freeradius 3.0.23. I have also installed libpam-google-authenticatior, and integrated it according to these steps: https://networkjutsu.com/freeradius-google-authenticator/
3.0.23 includes a TOTP module. Which means you can out the TOTP secrets into a database, or pretty much anywhere else you want. And you don't need to use PAM. And, that users don't need to have login accounts.
This seems to have worked fine. I was running freeradius manually, with debug (-X) enabled, and everything seemed to be working fine. sudo /usr/sbin/freeradius -X
i.e. as root.
So, I killed freeradius (CTRL-C), and tried: sudo service freeradius start It started up fine.
And runs as user "radiusd".
But, now when I try authenticating (using radtest): radtest mbobak redacted123456 localhost:1812 0 'redacted'
I get Access-Rejected Looking at the log file, /var/log/freeradius/radius.log, I see: Wed Jun 16 22:42:54 2021 : Info: Ready to process requests Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: PAM conversation failed Wed Jun 16 22:43:27 2021 : ERROR: (0) pam: ERROR: Error "Read-only file system" while writing config
That seems rather crazy, TBH. PAM shouldn't be writing *anything* during the normal course of operations.
But, even though it's reporting a read-only filesystem error, I'm thinking it could be a permission problem on some file?
Yes. User "radiusd" doesn't have permission to write the files.
But, I'm really baffled by the system working when I run freeradius manually, but only errors when I run it from the service.
User "root" has permission to write the files.
You'll have to find out which file / directory is the problem, and then change the permissions. I'm sure that information is buried somewhere in the PAM documentation. It's outside of the scope of FreeRADIUS.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 17, 2021, at 10:23 AM, Mark J. Bobak <mark@bobak.net> wrote:
Ok, I guess I'll have to do some research on PAM.
Yup. TBH, I've found RADIUS easier than some of the PAM stuff.
But I tried 'sudo service freeradius debug', and it started in debug mode, and when I tried radtest, it worked. So, I checked how freeradius is running (root or freerad) and it's still running as 'freerad': ubuntu@radius1:~$ ps -ef|grep freerad root 8784 8497 0 14:19 pts/0 00:00:00 sudo service freeradius debug root 8785 8784 0 14:19 pts/0 00:00:00 /bin/sh /etc/init.d/freeradius debug freerad 8801 8785 0 14:19 pts/0 00:00:00 /usr/sbin/freeradius -X ubuntu 8812 8627 0 14:20 pts/1 00:00:00 grep --color=auto freerad
So, I'm not sure what's going on here. Running as root works. Running as freerad fails. Running as freerad w/ debug also works.
It's OS / PAM / permissions. This really isn't an issue for FreeRADIUS, it's the limitation of the system on which FreeRADIUS is running. My $0.02 would just be to dump PAM, and use the totp module which is now included in 3.0.22+. It works, and it doesn't have all of these horrible issues. Alan DeKok.
Hi Alan, Ok, I took your advice. I have started over, and not touched PAM at all. I now have: Ubuntu 20.04.2 LTS freeradius 3.0.23 mysql 8.0.25 daloRadius 1.1-2 And, so far, so good. I have a user defined in MySQL, and radtest will return an Access-Accept, so that's good, but there is no totp integration yet. I'm a little lost on how to configure totp, and while I'm guessing it's well documented somewhere, my Google-fu seems to be lacking. I can't seem to find anything on totp module configuration. Can someone point me in the right direction? Thanks, -Mark On Thu, Jun 17, 2021 at 10:57 AM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 17, 2021, at 10:23 AM, Mark J. Bobak <mark@bobak.net> wrote:
Ok, I guess I'll have to do some research on PAM.
Yup. TBH, I've found RADIUS easier than some of the PAM stuff.
But I tried 'sudo service freeradius debug', and it started in debug mode, and when I tried radtest, it worked. So, I checked how freeradius is running (root or freerad) and it's still running as 'freerad': ubuntu@radius1:~$ ps -ef|grep freerad root 8784 8497 0 14:19 pts/0 00:00:00 sudo service freeradius debug root 8785 8784 0 14:19 pts/0 00:00:00 /bin/sh /etc/init.d/freeradius debug freerad 8801 8785 0 14:19 pts/0 00:00:00 /usr/sbin/freeradius -X ubuntu 8812 8627 0 14:20 pts/1 00:00:00 grep --color=auto freerad
So, I'm not sure what's going on here. Running as root works. Running as freerad fails. Running as freerad w/ debug also works.
It's OS / PAM / permissions. This really isn't an issue for FreeRADIUS, it's the limitation of the system on which FreeRADIUS is running.
My $0.02 would just be to dump PAM, and use the totp module which is now included in 3.0.22+. It works, and it doesn't have all of these horrible issues.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jun 18, 2021, at 2:22 PM, Mark J. Bobak <mark@bobak.net> wrote:
And, so far, so good. I have a user defined in MySQL, and radtest will return an Access-Accept, so that's good, but there is no totp integration yet.
OK.
I'm a little lost on how to configure totp, and while I'm guessing it's well documented somewhere, my Google-fu seems to be lacking. I can't seem to find anything on totp module configuration. Can someone point me in the right direction?
Read mods-available/totp, and sites-available/totp The documentation for the module configuration is in the module configuration files. Alan DeKok.
participants (3)
-
Alan DeKok -
Mark J. Bobak -
Thor Spruyt