Question on pam_radius_auth module getting INCORRECT password
Hi, I am new to this. Please let me know if there is a better list to post this question. My system is running RHEL and using a separate FreeRadius server to authenticate ssh user logins. All regular user credentials are stored on the radius server. I have been trying to track down a wired problem. When a user is logging via ssh, the pam_radius_auth module would try to retrieve the password and send it to the radius server. But the password returned by the rad_converse() function is INCORRECT. I have done some searching and found suggestions that there might be something wrong with "other" module that is doing the password checking. My real question is how I can find out which module is the culprit. David
David Li wrote:
I am new to this. Please let me know if there is a better list to post this question.
It's an OK list.
I have been trying to track down a wired problem. When a user is logging via ssh, the pam_radius_auth module would try to retrieve the password and send it to the radius server. But the password returned by the rad_converse() function is INCORRECT.
I have done some searching and found suggestions that there might be something wrong with "other" module that is doing the password checking.
My real question is how I can find out which module is the culprit.
It should be simple. Look at the pam ssh file, and see which modules it's using. Then, delete them one by one until it works. But largely this is a PAM issue. I know very little about PAM, even after spending time reading the docs and programming it. Alan DeKok.
Hi, using selinux? Maybe selinux won't allow radiusd to use pam. I'm reasonably sure it will get in your way if set to enforcing (rhel default), just I don't know how. Regards... On 04/15/2014 01:50 AM, David Li wrote:
Hi,
I am new to this. Please let me know if there is a better list to post this question.
My system is running RHEL and using a separate FreeRadius server to authenticate ssh user logins. All regular user credentials are stored on the radius server.
I have been trying to track down a wired problem. When a user is logging via ssh, the pam_radius_auth module would try to retrieve the password and send it to the radius server. But the password returned by the rad_converse() function is INCORRECT.
I have done some searching and found suggestions that there might be something wrong with "other" module that is doing the password checking.
My real question is how I can find out which module is the culprit.
David
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
To check if SELINUX gets in the way, change the policy from enforcing to permissive: Type "setenforcing 0" on the command-line, then try the auth again. If that resolves the issue, SELINUX is interfering, and you will have to create a policy for it. There are several articles available (if you search Google) on how to generate SELINUX policies for software that is being blocked by it. Stefan -----Original Message----- From: freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=ja.net@lists.freeradius.org] On Behalf Of Josip Almasi Sent: 15 April 2014 09:57 To: freeradius-users@lists.freeradius.org Subject: Re: Question on pam_radius_auth module getting INCORRECT password Hi, using selinux? Maybe selinux won't allow radiusd to use pam. I'm reasonably sure it will get in your way if set to enforcing (rhel default), just I don't know how. Regards... On 04/15/2014 01:50 AM, David Li wrote:
Hi,
I am new to this. Please let me know if there is a better list to post this question.
My system is running RHEL and using a separate FreeRadius server to authenticate ssh user logins. All regular user credentials are stored on the radius server.
I have been trying to track down a wired problem. When a user is logging via ssh, the pam_radius_auth module would try to retrieve the password and send it to the radius server. But the password returned by the rad_converse() function is INCORRECT.
I have done some searching and found suggestions that there might be something wrong with "other" module that is doing the password checking.
My real question is how I can find out which module is the culprit.
David
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Janet(UK) is a trading name of Jisc Collections and Janet Limited, a not-for-profit company which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238
participants (4)
-
Alan DeKok -
David Li -
Josip Almasi -
Stefan Paetow