How to handle challenge response using PAM auth in FreeRadius
Hello, I am developing a PAM module for radius server. The radius server is configured to use PAM auth. It reads /etc/pam.d/radiusd and loads it on receiving auth request. The PAM module talks to external Authentication server and sometimes gets back "Challenge Respose". How can this be returned back to radius server from pam_sm_authenticate from my PAM module ? Please note that this is different than what pam_radius_auth.c does. pam_radius_auth.c talks to radius directly via network where as my module directly gets loaded by Radius. Why should not there be a way to return "Challenge Respose" from linux PAM back to it's loader ? Can this possible linux limitation be overcome by radius calling another exported function for PAM module covering all scenarios including "Challenge Response" ? Where should I look into in the freeradius codebase, if I were to add that functionality ? with best regards, The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. Please see our legal details at http://www.cryptocard.com CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478. CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD
On 03/15/2010 12:16 PM, Rajendra Hegde wrote:
Hello, I am developing a PAM module for radius server. The radius server is configured to use PAM auth. It reads /etc/pam.d/radiusd and loads it on receiving auth request. The PAM module talks to external Authentication server and sometimes gets back "Challenge Respose". How can this be returned back to radius server from pam_sm_authenticate from my PAM module ? Please note that this is different than what pam_radius_auth.c does. pam_radius_auth.c talks to radius directly via network where as my module directly gets loaded by Radius. Why should not there be a way to return "Challenge Respose" from linux PAM back to it's loader ? Can this possible linux limitation be overcome by radius calling another exported function for PAM module covering all scenarios including "Challenge Response" ? Where should I look into in the freeradius codebase, if I were to add that functionality ? with best regards,
Your question is a bit muddled. I'm not sure if you asking how to forward the challenge through RADIUS back to the client or if you're just asking how to handle a pam "conversation" within your authentication module. If it's the former, then the answer is you can't do that in general. On the other hand if all you want to know is how to handle a pam conversation the take a look at rlm_pam.c and see the function PAM_conv and read the man page for pam_conv. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hello, The scenario is like this : {remote client } -----> {radius} ---> {PAM} ----> {Extern Athenticator} Now when the external authenticator sends challenge to PAM, I do not see a easy way to pass the "challenge text" back to the radius. Please note that pam_sm_authenticate allows either SUCCESS or FAILURE return but not "Challnege text" return. Thanks, ________________________________ From: John Dennis [mailto:jdennis@redhat.com] Sent: Mon 3/15/2010 12:56 PM To: FreeRadius users mailing list Cc: Rajendra Hegde Subject: Re: How to handle challenge response using PAM auth in FreeRadius On 03/15/2010 12:16 PM, Rajendra Hegde wrote:
Hello, I am developing a PAM module for radius server. The radius server is configured to use PAM auth. It reads /etc/pam.d/radiusd and loads it on receiving auth request. The PAM module talks to external Authentication server and sometimes gets back "Challenge Respose". How can this be returned back to radius server from pam_sm_authenticate from my PAM module ? Please note that this is different than what pam_radius_auth.c does. pam_radius_auth.c talks to radius directly via network where as my module directly gets loaded by Radius. Why should not there be a way to return "Challenge Respose" from linux PAM back to it's loader ? Can this possible linux limitation be overcome by radius calling another exported function for PAM module covering all scenarios including "Challenge Response" ? Where should I look into in the freeradius codebase, if I were to add that functionality ? with best regards,
Your question is a bit muddled. I'm not sure if you asking how to forward the challenge through RADIUS back to the client or if you're just asking how to handle a pam "conversation" within your authentication module. If it's the former, then the answer is you can't do that in general. On the other hand if all you want to know is how to handle a pam conversation the take a look at rlm_pam.c and see the function PAM_conv and read the man page for pam_conv. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. Please see our legal details at http://www.cryptocard.com CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478. CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD
On 03/15/2010 01:12 PM, Rajendra Hegde wrote:
Hello, The scenario is like this : {remote client } -----> {radius} ---> {PAM} ----> {Extern Athenticator} Now when the external authenticator sends challenge to PAM, I do not see a easy way to pass the "challenge text" back to the radius. Please note that pam_sm_authenticate allows either SUCCESS or FAILURE return but not "Challnege text" return.
I gave you the answer, it's done with pam_conv, you should read the code in rlm_pam.c. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
pam_conv is good for holding interactive conversation locally for applications such as login, su etc. When used with radius server pam_conv failed to do prompt at remote_client. Please note that we are not interested in local convesation where PAM is located. The remote client I have used is one of the test applications from the radius suite. Let me aks you further. note: A and B are machines. {client @ A} ---> {radius at B} --> {PAM @ B} Now when I tested as said above, a call to pam_conv in PAM module at machine B did nothing. Are you sure it does prompt with a message at client @ A ? I look forward to your reply. Thanks, ________________________________ From: John Dennis [mailto:jdennis@redhat.com] Sent: Mon 3/15/2010 1:51 PM To: Rajendra Hegde Cc: FreeRadius users mailing list Subject: Re: How to handle challenge response using PAM auth in FreeRadius On 03/15/2010 01:12 PM, Rajendra Hegde wrote:
Hello, The scenario is like this : {remote client } -----> {radius} ---> {PAM} ----> {Extern Athenticator} Now when the external authenticator sends challenge to PAM, I do not see a easy way to pass the "challenge text" back to the radius. Please note that pam_sm_authenticate allows either SUCCESS or FAILURE return but not "Challnege text" return.
I gave you the answer, it's done with pam_conv, you should read the code in rlm_pam.c. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/ The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. Please see our legal details at http://www.cryptocard.com CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478. CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD
Perhaps you could explain why you're writing your own PAM module, rather than using the one that comes with FreeRADIUS. Then, explain why PAM conversation questions are for the FreeRADIUS list, and not the PAM list. Alan DeKok.
On 03/15/2010 02:32 PM, Rajendra Hegde wrote:
pam_conv is good for holding interactive conversation locally for applications such as login, su etc. When used with radius server pam_conv failed to do prompt at remote_client. Please note that we are not interested in local convesation where PAM is located. The remote client I have used is one of the test applications from the radius suite. Let me aks you further. note: A and B are machines. {client @ A} ---> {radius at B} --> {PAM @ B} Now when I tested as said above, a call to pam_conv in PAM module at machine B did nothing. Are you sure it does prompt with a message at client @ A ? I look forward to your reply. Thanks,
O.K. That's part of the information I was trying to get you to reveal. You're talking about the client on the other side of the radius protocol and you're not talking about the pam conversation at the radius server. If you want to send a challenge to the client you can emit a ACCESS-CHALLENGE packet along with a reply-message. See src/modules/rlm_example/rlm_example.c for an example of how to do this. You'll still need to use pam_conv and I think you'll need some way to retain state. Also not all clients support access-challenge and if they don't they're allowed to assume they received auth-reject when they receive access-challenge. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hello, I am a client program running on machine A. It want to talk to free radius on machine B. { cleint on Machine A } -------> { free radius on machine B} Now the client wants to dynamically update the shared secret and other client information by just talking to the free radius over simple network connection. After that free radius should use the new information right away as well as update the static file(s) in /etc/raddb... Any pointers for achieveing this would be appreciated. Thanks, Rajendra Hegde The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. Please see our legal details at http://www.cryptocard.com CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478. CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD
I wonder if this is directly not achievable, what if some other program running on machine B update the file and send signal SIGHUP or some oither signal I am not sure to freeradius so that free radisu rereads the config information without getting restarted ? Does it work ? Which signal to send to freeradius so that it rereads configuration again ? Thanks in Advance. ________________________________ From: Rajendra Hegde Sent: Mon 4/12/2010 4:48 PM To: FreeRadius users mailing list Subject: How to handle dynamic update of shared secret and client configuration in free radius Hello, I am a client program running on machine A. It want to talk to free radius on machine B. { cleint on Machine A } -------> { free radius on machine B} Now the client wants to dynamically update the shared secret and other client information by just talking to the free radius over simple network connection. After that free radius should use the new information right away as well as update the static file(s) in /etc/raddb... Any pointers for achieveing this would be appreciated. Thanks, Rajendra Hegde The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e-mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. Please see our legal details at http://www.cryptocard.com CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478. CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD
Am 13.04.2010 um 15:27 schrieb Rajendra Hegde:
I wonder if this is directly not achievable, what if some other program running on machine B update the file and send signal SIGHUP or some oither signal I am not sure to freeradius so that free radisu rereads the config information without getting restarted ? Does it work ?
Which signal to send to freeradius so that it rereads configuration again ?
If you want to re-read all configuration files, you have stop and to start (again) the freeradius server.
Thanks in Advance.
Have a nice day.
From: Rajendra Hegde Sent: Mon 4/12/2010 4:48 PM To: FreeRadius users mailing list Subject: How to handle dynamic update of shared secret and client configuration in free radius
Hello,
I am a client program running on machine A.
It want to talk to free radius on machine B. { cleint on Machine A } -------> { free radius on machine B}
Now the client wants to dynamically update the shared secret and other client information by just talking to the free radius over simple network connection.
After that free radius should use the new information right away as well as update the static file(s) in /etc/raddb...
Any pointers for achieveing this would be appreciated.
Thanks, Rajendra Hegde
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e- mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. Please see our legal details at http://www.cryptocard.com CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478. CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
Am 13.04.2010 um 15:50 schrieb Nicolas Goutte:
Am 13.04.2010 um 15:27 schrieb Rajendra Hegde:
I wonder if this is directly not achievable, what if some other program running on machine B update the file and send signal SIGHUP or some oither signal I am not sure to freeradius so that free radisu rereads the config information without getting restarted ? Does it work ?
Which signal to send to freeradius so that it rereads configuration again ?
If you want to re-read all configuration files, you have stop and to start (again) the freeradius server.
If you want, you can look at an old thread about why -HUP does not read them again: http://lists.freeradius.org/pipermail/freeradius-users/2008-April/msg00020.h...
Thanks in Advance.
Have a nice day.
From: Rajendra Hegde Sent: Mon 4/12/2010 4:48 PM To: FreeRadius users mailing list Subject: How to handle dynamic update of shared secret and client configuration in free radius
Hello,
I am a client program running on machine A.
It want to talk to free radius on machine B. { cleint on Machine A } -------> { free radius on machine B}
Now the client wants to dynamically update the shared secret and other client information by just talking to the free radius over simple network connection.
After that free radius should use the new information right away as well as update the static file(s) in /etc/raddb...
Any pointers for achieveing this would be appreciated.
Thanks, Rajendra Hegde
The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Statements and opinions expressed in this e- mail may not represent those of the company. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender immediately and delete the material from any computer. Please see our legal details at http://www.cryptocard.com CRYPTOCard Inc. is registered in the province of Ontario, Canada with Business number 80531 6478. CRYPTOCard Europe is limited liability company registered in England and Wales (with registered number 05728808 and VAT number 869 3979 41); its registered office is Aztec Centre, Aztec West, Almondsbury, Bristol, UK, BS32 4TD - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte
extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany
Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr. 49 76133 Karlsruhe Germany Geschäftsführer: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle Registergericht: Amtsgericht Münster / HRB: 5624 Steuer Nr.: 337/5903/0421 / UstID: DE 204607841
participants (4)
-
Alan DeKok -
John Dennis -
Nicolas Goutte -
Rajendra Hegde