FreeRadius autoreply the access chanllenge
I setup the pam_radius_auth.so in pam.d/sshd to verify the user using the remote Radius server. As the protocol, When used in an Access-Challenge, it MAY indicate a dialog message to prompt the user for a response. like following flow 1) server sends the access-challenge message with reply-message YOUR PASSWORD HAS EXPIRED. PLEASE ENTER THE NEW PASSWORD 2) client sedns back the access-Request message. 3) server sends another access-challenge message with reply-message PLEASE RE-ENTER THE NEW PASSWORD AGAIN FOR VERIFICATION 4) client sedns back the access-Request message again. I think the message flow is right, but at the point-2 and point-4, the prompt should be popped and ask us to input the passwd. However, our freeradius sends the access-Request automatically. Just checked the code, and not find the problem when doing access-chanllenge. the function rad_converse() calls pam_get_item(). I think it is only place to suspect, can this function pop the prompt? anyone encounter this problem? /* It's full challenge-response, we should have echo on */ retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, challenge, &resp2challenge); +++processing access-chanllenge code+++ while (response->code == PW_ACCESS_CHALLENGE) { attribute_t *a_state, *a_reply; char challenge[BUFFER_SIZE]; /* Now we do a bit more work: challenge the user, and get a response */ if (((a_state = find_attribute(response, PW_STATE)) == NULL) || ((a_reply = find_attribute(response, PW_REPLY_MESSAGE)) == NULL)) { /* Actually, State isn't required. */ _pam_log(LOG_ERR, "RADIUS Access-Challenge received with State or Reply-Message missing"); retval = PAM_AUTHINFO_UNAVAIL; goto error; } /* * Security fixes. */ if ((a_state->length <= 2) || (a_reply->length <= 2)) { _pam_log(LOG_ERR, "RADIUS Access-Challenge received with invalid State or Reply-Message"); retval = PAM_AUTHINFO_UNAVAIL; goto error; } memcpy(challenge, a_reply->data, a_reply->length - 2); challenge[a_reply->length - 2] = 0; DPRINT(LOG_DEBUG, "Got Prompt=%s",challenge); /* It's full challenge-response, we should have echo on */ retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, challenge, &resp2challenge); <<<<< here /* now that we've got a response, build a new radius packet */ build_radius_packet(request, user, resp2challenge, &config); /* request->code is already PW_AUTHENTICATION_REQUEST */ request->id++; /* one up from the request */ /* copy the state over from the servers response */ add_attribute(request, PW_STATE, a_state->data, a_state->length - 2); retval = talk_radius(&config, request, response, resp2challenge, NULL, 1); PAM_FAIL_CHECK; DPRINT(LOG_DEBUG, "Got response to challenge code %d", response->code); } +++code+++ +++log+++ May 28 23:12:13 sshd[20729]: pam_radius_auth: Sending RADIUS request code 1 May 28 23:12:13 sshd[20729]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -745295136. May 28 23:12:13 sshd[20729]: pam_radius_auth: Got RADIUS response code 11 May 28 23:12:13 sshd[20729]: pam_radius_auth: Got Prompt=YOUR PASSWORD HAS EXPIRED. PLEASE ENTER THE NEW PASSWORD: <<<< receive rely-message field May 28 23:12:13 sshd[20729]: pam_radius_auth: Got response to challenge code 11 May 28 23:12:13 sshd[20729]: pam_radius_auth: Got Prompt=PLEASE RE-ENTER THE NEW PASSWORD AGAIN FOR VERIFICATION: <<<< receive rely-message field May 28 23:12:18 sshd[20729]: pam_radius_auth: Got response to challenge code 3 May 28 23:12:18 sshd[20729]: pam_radius_auth: authentication failed +++log+++ -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-autoreply-the-access-chan... Sent from the FreeRadius - User mailing list archive at Nabble.com.
sam wrote:
I setup the pam_radius_auth.so in pam.d/sshd to verify the user using the remote Radius server.... I think the message flow is right, but at the point-2 and point-4, the prompt should be popped and ask us to input the passwd. However, our freeradius sends the access-Request automatically.
It's not FreeRADIUS. It's the pam_radius_auth module. The application needs to support showing the challenges. In this case, it's sshd. If sshd doesn't support challenges, then it won't work. Alan DeKok.
Thanks. i think i get the correct direction. just now checked the sshd_config. and i get following line # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes ChallengeResponseAuthentication no I think use flag ChallengeResponseAuthentication yes can help me. Since my radius server is down, i can verify this assmupation tomorrow. Thanks a lot. -- View this message in context: http://freeradius.1045715.n5.nabble.com/FreeRadius-autoreply-the-access-chan... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
Subject: Re: FreeRadius autoreply the access chanllenge
sam wrote:
I setup the pam_radius_auth.so in pam.d/sshd to verify the user using the remote Radius server.... I think the message flow is right, but at the point-2 and point-4, the prompt should be popped and ask us to input the passwd. However, our freeradius sends the access-Request automatically.
It's not FreeRADIUS. It's the pam_radius_auth module.
The application needs to support showing the challenges. In this case, it's sshd. If sshd doesn't support challenges, then it won't work.
Probably need to set 'ChallengeResponseAuthentication yes' in sshd config otherwise it just says 'Password:'. tamas
participants (3)
-
Alan DeKok -
sam -
Tamás Becz