Hello! I try to authenticate ssh users via PAM using FreeRadius. Is it possible to use CHAP for the authentication between radius server and radius client? SSH client -> SSH server <- PAM -> Radius Client <- CHAP-> Radius Server For example, if I specify in radius server to use CHAP auth-type for a particular user, e.g. in users file: sshuser Auth-type := Chap, Cleartext-Password := "xxx" When I use an SSH client to login, the following error is shown in radius server. [chap] rlm_chap: Attribute "CHAP-Password" is required for authentication. So is there a way to actually specify the CHAP-Password in radius client so that it can be authenticated via CHAP? If yes, which file I should modify? Thanks a lot!!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/SSH-to-use-CHAP-tp4685793p4685793.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
chesschi <chesschi@gmail.com> wrote:
I try to authenticate ssh users via PAM using FreeRadius. Is it possible to use CHAP for the authentication between radius server and radius client?
SSH client -> SSH server <- PAM -> Radius Client <- CHAP-> Radius Server
As far as I am aware, this cannot be done; unless you can find a PAM RADIUS plugin that supports CHAP. You should use SSH public keys. If you want that centrally managed have a look at putting your users SSH keys into LDAP: http://freshmeat.net/projects/lpkfuse Cheers -- Alexander Clouter .sigmonster says: List at least two alternate dates.
Thanks for your reply Alexander! Actually I have already implemented a radius client that communicate with radius server using CHAP for SSH connection (i.e. I got one set of username and password for SSH login and another set for radius login). The radius server will store all the key user credentials. To be more precise, the thread I posted yesterday is actually for SFTP and I would like to make use of the similar approach and the user credentials stored in radius server. Existing: SSH client -> SSH server -> My Radius Client <- CHAP-> Radius Server Proposed: SFTP client -> SFTP server <- PAM -> Radius Client <- CHAP-> Radius Server Apart from PAP, an alternative option for the authentication between radius server and radius client is PAM. I am not familiar with PAM. Do you how how secure it is? Will it send the clear-text password (or hased?) for the authentication? Thanks. -- View this message in context: http://freeradius.1045715.n5.nabble.com/SSH-to-use-CHAP-tp4685793p4690191.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (2)
-
Alexander Clouter -
chesschi