pam_radius authentication problem - no password?
Hi, I have problems using pam_radius to authenticate users using our freeradius server. I want to use it with openvpn but tested it with ssh. The new part of my /etc/pam.d/ssh looks like: # /etc/security/pam_env.conf. auth required pam_env.so # [1] auth sufficient /lib/security/pam_radius_auth.so debug try_first_pass To nail the problem down I added some debug info to pam_radius_auth.c: /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password); DPRINT(LOG_DEBUG, "Get password retval: %d, %d", retval, PAM_SUCCESS); PAM_FAIL_CHECK; DPRINT(LOG_DEBUG, "X Got password %s", password); if(password) { password = strdup(password); DPRINT(LOG_DEBUG, "Got password %s", password); } My auth.log file then says: Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Got user name enno Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Get password retval: 0, 0 Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: X Got password (null) Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Sending RADIUS request code 1 Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: RADIUS server <our_radius_server> failed to respond Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: All RADIUS servers failed to respond. Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: authentication failed There seem to be problems connecting to the radius server sometimes, but I think this isn't the problem here. When the connection works, I get radius response code 3 (afair). I'm testing this on the target machine (openvpn server) using "ssh -l enno 127.0.0.1" and some random password (first I tried with the correct password and then started debugging). Looking at the code of pam_radius_auth.c and at the output of auth.log I would say the call to pam seems to not return the AUTHTOK. The call succedes, but the password pointer is NULL. Any ideas? Thanks in advance Enno Gröper
Enno wrote:
I'm testing this on the target machine (openvpn server) using "ssh -l enno 127.0.0.1" and some random password (first I tried with the correct password and then started debugging). Looking at the code of pam_radius_auth.c and at the output of auth.log I would say the call to pam seems to not return the AUTHTOK. The call succedes, but the password pointer is NULL.
Any ideas?
Ask the core PAM libraries why they're not returning the password. i.e. this is a PAM problem. The pam_auth_radius module is working correctly. Alan DeKok.
participants (2)
-
Alan DeKok -
Enno