ssh cleartext-password "? INCORRECT"
First of all let me say that I am using: FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu. I am trying to configure pam-radius-auth and freeRADIUS to allow users to ssh into a box and radius will appropriately match their permissions and etc. I've come across a problem that I am unable to solve, (I have a little over two months of experience with linux and even less with RADIUS and PAM) I have managed to get freeRADIUS running and I can do; 'radtest steve testing localhost 10 testing123' And i receive; Access-Accept packet from host 127.0.0.1 port 1812, id=114, length=71 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP Now my problem occurs when I attempt to switch over to using ssh. I have configures the files; (The beginning of) /etc/pam.d/sshd auth required pam_env.so # [1] auth required pam_env.so envfile=/etc/default/locale auth sufficient /lib/security/pam_radius_auth.so debug @include common-auth ... And the matching shared secret for the server and pam_radius_auth.conf I've notices something in the logs which i have marked with '****'. Anyhelp is greatly appreciated. Here is the relavent part of the log from radiusd -X Using 'radtest steve testing localhost 10 testing123' rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=34, length=57 User-Name = "steve" User-Password = "testing" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "steve", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry steve at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "testing" [pap] Using clear text password "testing" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 34 to 127.0.0.1 port 58878 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 172.16.3.33 Framed-IP-Netmask = 255.255.255.0 Framed-Routing = Broadcast-Listen Framed-Filter-Id = "std.ppp" Framed-MTU = 1500 Framed-Compression = Van-Jacobson-TCP-IP Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 34 with timestamp +16 Ready to process requests. Using 'ssh steve@localhost' password: testing rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83 User-Name = "steve" User-Password = "\010\n\r\177INCORRECT" **** NAS-IP-Address = 127.0.0.1 NAS-Identifier = "sshd" NAS-Port = 25536 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "wisdur" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "steve", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound [files] users: Matched entry steve at line 76 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "? INCORRECT" **** [pap] Using clear text password "testing" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> steve attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 106 to 127.0.0.1 port 26561 Waking up in 4.9 seconds. Cleaning up request 1 ID 106 with timestamp +36 Ready to process requests.
And the matching shared secret for the server and pam_radius_auth.conf .. Using 'ssh steve@localhost' password: testing
rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83 User-Name = "steve" User-Password = "\010\n\r\177INCORRECT" ****
..
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Obviously, shared secrets don't match. Ivan Kalik Kalik Informatika ISP
David Ly wrote:
Here is the relavent part of the log from radiusd -X Using 'radtest steve testing localhost 10 testing123'
You've done some *very* weird editing or reformatting of the log. That makes it more difficult to understand.
Using 'ssh steve@localhost' password: testing
rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83 User-Name = "steve" User-Password = "\010\n\r\177INCORRECT" ****
Ah, yes. That's a PAM feature, I think. Or maybe SSH. It replaces the password the user entered with that string. Why? Damned if I know. I'd suggest asking the PAM people how to configure the system so that it doesn't mangle the password. In any case, this is what the RADIUS server receives, so there is *nothing* you can do to the RADIUS server to solve the problem. And the PAM RADIUS module doesn't do this stupid rewriting. So there's nothing you can do to that module, either. Alan DeKok.
participants (3)
-
Alan DeKok -
David Ly -
tnt@kalik.net