Hi, I am new to freeRadius server. I am trying to authorize the ssh and telnet login users of my Redhat Linux machine using freeRadius server. I am able to test Access-Accept and Access-Reject with right and wrong credentials respectively by configuring the file '/etc/pam.d/sshd' with entry pam_radius_auth.so. But I do not know how to achieve and test the Access-Challenge concept. I mean what type of input will result in Access Challenge (I know it happens when we provide partial login information but not sure how to achieve with login in real time)? Please help me with some solutions in achieving Access Challenge. Thanks in advance. Regards, Dhandapani -- View this message in context: http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24025... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I am trying to authorize the ssh and telnet login users of my Redhat Linux machine using freeRadius server.
I am able to test Access-Accept and Access-Reject with right and wrong credentials respectively by configuring the file '/etc/pam.d/sshd' with entry pam_radius_auth.so.
But I do not know how to achieve and test the Access-Challenge concept.
Do you need to? ssh and telnet supplicants tend not to use protocols with challenge-response exchange.
I mean what type of input will result in Access Challenge (I know it happens when we provide partial login information but not sure how to achieve with login in real time)?
Send an eap request (eapol_test). Ivan Kalik Kalik Informatika ISP
Thanks Ivan for the clarification. I am just setting up the tool eapol_test to test it. Thanks. But I am also investigating whether it is possible to achieve Access Challenge with ssh/telnet without using any other tools. Could you please help if you have done it before? And also may I know why it is not advised to support Access Challenge for ssh or telnet. Regards, Dhandapani Ivan Kalik wrote:
I am trying to authorize the ssh and telnet login users of my Redhat Linux machine using freeRadius server.
I am able to test Access-Accept and Access-Reject with right and wrong credentials respectively by configuring the file '/etc/pam.d/sshd' with entry pam_radius_auth.so.
But I do not know how to achieve and test the Access-Challenge concept.
Do you need to? ssh and telnet supplicants tend not to use protocols with challenge-response exchange.
I mean what type of input will result in Access Challenge (I know it happens when we provide partial login information but not sure how to achieve with login in real time)?
Send an eap request (eapol_test).
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24033... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Thanks Ivan. Not sure how ssh/telnet will handle. But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that. Regards, Dhandapani Ivan Kalik wrote:
And also may I know why it is not advised to support Access Challenge for ssh or telnet.
Nothing to do with what's advisable but with what's available. Will pam module on ssh/telnet server be able to handle a challenge and know what to do with it?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24035... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Thanks Ivan. Not sure how ssh/telnet will handle. But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that. Also, does NAS need any installation to support Access-Challenge like CHAP? Regards, Dhandapani Ivan Kalik wrote:
And also may I know why it is not advised to support Access Challenge for ssh or telnet.
Nothing to do with what's advisable but with what's available. Will pam module on ssh/telnet server be able to handle a challenge and know what to do with it?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24040... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Not sure how ssh/telnet will handle.
That depends on your pam radius module. I believe freeradius hosted module can handle it. Don't know for others.
But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that.
Why? Server already knows it's RSA key. This has nothing to do with user authentication.
Also, does NAS need any installation to support Access-Challenge like CHAP?
It needs pam module that supports it. BTW chap doesn't have Access-Challenge in the authentication process. Nor mschap. Ivan Kalik Kalik Informatika ISP
Thank you very much Ivan for your detailed response. I will check it and respond you. Regards, Dhandapani Ivan Kalik wrote:
Not sure how ssh/telnet will handle.
That depends on your pam radius module. I believe freeradius hosted module can handle it. Don't know for others.
But I assume, other than password it may request for additional RSA key generated to access a particular machine or something similar to that.
Why? Server already knows it's RSA key. This has nothing to do with user authentication.
Also, does NAS need any installation to support Access-Challenge like CHAP?
It needs pam module that supports it. BTW chap doesn't have Access-Challenge in the authentication process. Nor mschap.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Access-Challenge-in-freeRadius-server-tp24025860p24048... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (2)
-
Ivan Kalik -
kpani