WEB Login fails occasionally even though radius authentication succeed
Hello all, I am using PAM radius module version 1.4.1 Testing sample: PAM radius does not support authorization. I DO NOT require accounting and authorization and have kept the return types as optional. Configure radius server and trying to login using radius users. Syslog is enabled Scenario 1: The following is the configuration inside /etc/pam.d/ # cat ssh auth sufficient /lib/security/pam_radius_auth.so debug account optional /lib/security/pam_radius_auth.so debug session optional /lib/security/pam_radius_auth.so debug auth required /lib/security/pam_unix.so use_first_pass account optional /lib/security/pam_unix.so use_first_pass session optional /lib/security/pam_unix.so use_first_pass # cat php auth required /lib/security/pam_succeed_if.so user != root quiet auth sufficient /lib/security/pam_radius_auth.so debug account optional /lib/security/pam_radius_auth.so debug session optional /lib/security/pam_radius_auth.so debug auth required /lib/security/pam_unix.so use_first_pass account optional /lib/security/pam_unix.so use_first_pass session optional /lib/security/pam_unix.so use_first_pass SSH - Always successful WEB - Sometimes, the login fails (NOT always) The following are noticed during the failure scenarios 1. Radius authentication always succeeds and final SYSLOG from radius module received is *USER.DEBUG. php: pam_radius_auth: authentication succeeded* 2. After this, the following SYSLOG is seen and login failed *AUTHPRIV.WARNING. php: pam_unix(php:auth): check pass; user unknownAUTHPRIV.NOTICE. php: pam_unix(php:auth): authentication failure, logname= uid=0 euid=0 tty= ruser= rhost=<IP address>* Scenario 2: I did the following changes with respect to the configuration to skip pam_unix and depend on pam_radius only. # cat ssh auth sufficient /lib/security/pam_radius_auth.so debug account optional /lib/security/pam_radius_auth.so debug session optional /lib/security/pam_radius_auth.so debug # cat php auth required /lib/security/pam_succeed_if.so user != root quiet auth sufficient /lib/security/pam_radius_auth.so debug account optional /lib/security/pam_radius_auth.so debug session optional /lib/security/pam_radius_auth.so debug SSH - Always successful WEB - Sometimes, the login fails (NOT always) The following are noticed during the failure scenarios 1. Radius authentication always succeeds and final SYSLOG from radius module received is *USER.DEBUG. php: pam_radius_auth: authentication succeeded* 2. After this, there are no SYSLOG messages In both cases, login fails sometimes and only through a WEB interface. Could you please provide any suggestions on the above? Why is the user unknown in scenario 1 Thanks, Rajesh
On Apr 13, 2020, at 7:42 AM, Rajesh Subramanian <rajeshs@niagaranetworks.com> wrote: Testing sample: PAM radius does not support authorization. I DO NOT require accounting and authorization and have kept the return types as optional.
OK... Note that PAM just does password checks. It does NOT set UID, GID, home directory, etc. for the user. You still need some way to define those fields. This is usually done via NSS. Or, define the user in /etc/passwd. And only use PAM for password checks.
SSH - Always successful WEB - Sometimes, the login fails (NOT always)
That's bad.
The following are noticed during the failure scenarios
1. Radius authentication always succeeds and final SYSLOG from radius module received is
*USER.DEBUG. php: pam_radius_auth: authentication succeeded*
OK, that's good.
2. After this, the following SYSLOG is seen and login failed
*AUTHPRIV.WARNING. php: pam_unix(php:auth): check pass; user unknownAUTHPRIV.NOTICE. php: pam_unix(php:auth): authentication failure, logname= uid=0 euid=0 tty= ruser= rhost=<IP address>*
The pam_unix module saying that the user isn't in /etc/passwd. Which is likely true.
Scenario 2: I did the following changes with respect to the configuration to skip pam_unix and depend on pam_radius only. ... SSH - Always successful WEB - Sometimes, the login fails (NOT always)
PAM is magic that makes FreeRADIUS look trivial by comparison.
The following are noticed during the failure scenarios
1. Radius authentication always succeeds and final SYSLOG from radius module received is
*USER.DEBUG. php: pam_radius_auth: authentication succeeded* 2. After this, there are no SYSLOG messages
Then it's difficult to see what's going wrong.
In both cases, login fails sometimes and only through a WEB interface.
Could you please provide any suggestions on the above? Why is the user unknown in scenario 1
Because the user isn't in /etc/passwd. FreeRADIUS can use PAM for name / password checking. But it uses PAM *only* for that, and doesn't require users to be in /etc/passwd. My guess is that the web system is doing *additional* checks after PAM succeeds. And then failing those checks, without telling you what they are, or what it's doing. There's a reason that FreeRADIUS has enormous debug logs. Much of the time those logs contain exactly the information needed to fix a problem like this. In contrast, many other programs have helpful messages like "FAILED". Which makes me think that the developers have a deep hatred of their end users. Alan DeKok.
participants (2)
-
Alan DeKok -
Rajesh Subramanian