SSH auth with FreeRADIUS
I would like to use FreeRADIUS to handle all SSH logins to my servers. Of course a „emergency“ login with a user registered on the server should be possible too (in case of RADIUS server is offline etc.). My /etc/pam.d/sshd looks like: # PAM configuration for the Secure Shell service auth sufficient pam_radius_auth.so # Standard Un*x authentication. #@include common-auth # Disallow non-root logins when /etc/nologin exists. #account required pam_nologin.so Now when I try to login as for example user test, the following code is shown at RADIUS debug: Ready to process requests (10) Received Access-Request Id 151 from XY to XY:1812 length 90 (10) User-Name = "test" (10) User-Password = "\010\n\r\177INCORRECT" (10) NAS-IP-Address = XY (10) NAS-Identifier = "sshd" (10) NAS-Port = 22688 (10) NAS-Port-Type = Virtual (10) Service-Type = Authenticate-Only (10) Calling-Station-Id = „XY" (10) # Executing section authorize from file /etc/freeradius/sites-enabled/default (10) authorize { rlm_rest (rest): Closing connection (18): Hit idle_timeout, was idle for 151 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): Closing connection (19): Hit idle_timeout, was idle for 151 seconds rlm_rest (rest): You probably need to lower "min" rlm_rest (rest): 0 of 0 connections in use. You may need to increase "spare" rlm_rest (rest): Opening additional connection (20), 1 of 32 pending slots used rlm_rest (rest): Connecting to "http://XY" rlm_rest (rest): Reserved connection (20) (10) rest: Expanding URI components (10) rest: EXPAND http://XY (10) rest: --> http://XY (10) rest: EXPAND /demo/%{User-Name}/%{User-Password} (10) rest: --> /demo/test/%08%0A%0D%7FINCORRECT (10) rest: Sending HTTP GET to "http://XY/demo/test/%08%0A%0D%7FINCORRECT" (10) rest: Processing response header (10) rest: Status : 200 (OK) (10) rest: Type : json (application/json) (10) rest: Parsing attribute "control:Auth-Type" (10) rest: EXPAND Reject (10) rest: --> Reject (10) rest: Auth-Type := Reject rlm_rest (rest): Released connection (20) rlm_rest (rest): Need 2 more connections to reach 5 spares rlm_rest (rest): Opening additional connection (21), 1 of 31 pending slots used rlm_rest (rest): Connecting to "http://XY" (10) [rest] = updated (10) } # authorize = updated (10) Found Auth-Type = Reject (10) Auth-Type = Reject, rejecting user (10) Failed to authenticate the user (10) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! It seems like there is some kind of PAM module running before the RADIUS pam module. Any idea how to get this fixed? Looking into my sshd file of RADIUS I can’t see a pam module running before. -All the best;
On Sep 4, 2016, at 3:42 PM, Janis Heller <janis.heller@outlook.de> wrote:
I would like to use FreeRADIUS to handle all SSH logins to my servers. Of course a „emergency“ login with a user registered on the server should be possible too (in case of RADIUS server is offline etc.).
...
Now when I try to login as for example user test, the following code is shown at RADIUS debug:
Ready to process requests (10) Received Access-Request Id 151 from XY to XY:1812 length 90 (10) User-Name = "test" (10) User-Password = "\010\n\r\177INCORRECT"
You will note that isn't your password.
It seems like there is some kind of PAM module running before the RADIUS pam module. Any idea how to get this fixed? Looking into my sshd file of RADIUS I can’t see a pam module running before.
The user isn't available on the local system. PAM does passwords. It doesn't do UID, GID, shell, etc. When it notices that someone without a UID is logging in, it butchers the password with a very helpful (i.e. stupid) message. You will need to configure a local user. Then, authenticate that user via RADIUS. Alan DeKok.
participants (2)
-
Alan DeKok -
Janis Heller