ssh authentication failed problem use freeradius & pam_radius
Hi everyone, I am trying to use pam_radius to authenticate SSH login.My system is Centos 5.6 64bit. When I try to authenticate with ssh but failed,I am sure the shared secret is correct. Freeradius got the following logs: rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "? INCORRECT" [pap] Using clear text password "1111" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject And by the way,is it possible to create a ssh user on NAS after the first time successful authentication.
小牧 wrote:
I am trying to use pam_radius to authenticate SSH login.My system is Centos 5.6 64bit. When I try to authenticate with ssh but failed,I am sure the shared secret is correct.
The shared secret is correct.
[pap] login attempt with password "? INCORRECT"
This is an issue with PAM on the client machine. Some other module is doing password checking. When the password check fails, it re-sets the password to "INCORRECT". That password is then sent to the pam_radius module. Go fix the client so that the PAM modules don't change the password. Alan DeKok.
Is there anyone to contribute this fix? -- View this message in context: http://freeradius.1045715.n5.nabble.com/ssh-authentication-failed-problem-us... Sent from the FreeRadius - User mailing list archive at Nabble.com.
The pam_radius_auth module is installed on linux, and if the user-A is not created in local and only existed in remote radius server. In following function() in pam_radius_auth.c, the *password always is INCORRECT +++++++++++++code+++++++++++++ static int rad_converse(pam_handle_t *pamh, int msg_style, char *message, char **password) { CONST struct pam_conv *conv; struct pam_message resp_msg; CONST struct pam_message *msg[1]; struct pam_response *resp = NULL; int retval; resp_msg.msg_style = msg_style; resp_msg.msg = message; msg[0] = &resp_msg; /* grab the password */ retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv); PAM_FAIL_CHECK; retval = conv->conv(1, msg, &resp,conv->appdata_ptr); < it seems the resp is saved some useful info. PAM_FAIL_CHECK; if (password) { /* assume msg.type needs a response */ /* I'm not sure if this next bit is necessary on Linux */ _pam_log(LOG_ERR, "enter in"); #ifdef sun /* NULL response, fail authentication */ if ((resp == NULL) || (resp->resp == NULL)) { return PAM_SYSTEM_ERR; } #endif *password = resp->resp; <<<< saved the retrun value to *password. (value is INCORRECT) free(resp); } return PAM_SUCCESS; } +++++++++++++code+++++++++++++ Not familiar with this module, can anybody give some instrutions? -- View this message in context: http://freeradius.1045715.n5.nabble.com/ssh-authentication-failed-problem-us... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On Thu, May 24, 2012 at 9:44 PM, sam <jianxueqd1@alcatel-lucent.com> wrote:
The pam_radius_auth module is installed on linux, and if the user-A is not created in local and only existed in remote radius server. In following function() in pam_radius_auth.c, the *password always is INCORRECT
That is the expected behavior. For pam to work, the user needs to exist in whatever user db it recognize (in this case, local user).
Not familiar with this module, can anybody give some instrutions?
Had you read the previous messages, you'd know that if you want to modify something, it'd be in pam, and NOT in pam_radius plugin. Possibly by using nss_mysql and getting it to use the same data that FR is using (with the help of views, or whatever). But since you decide to ignore it anyway and insist on focusing your efforts on pam_radius_auth.c, you're pretty much on your own. -- Fajar
participants (4)
-
Alan DeKok -
Fajar A. Nugraha -
sam -
小牧