SSH-Login libpam-radius-auth
Hi, I have a problem with passwor-matching. Everything seams to be all right, but radius still won't accept shared_secret. I use radius with mysql-database for ssh authenticate. If I try to authenticate with radtest on server (10.10.10.11) - it works fine. If I try to authenticate vom client with IP 10.10.10.200 it works as well. If I try to authenticate from ssh I receive this message: rad_recv: Access-Request packet from host 127.0.0.1 port 3666, id=208, length=88 User-Name = "lisa" User-Password = "\010\n\r\177INCORRECT" NAS-IP-Address = 10.10.10.11 NAS-Identifier = "sshd" NAS-Port = 2641 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "10.10.10.200" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "lisa", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: No EAP-Message, not doing EAP ++[eap] returns noop ++[unix] returns notfound ++[files] returns noop expand: %{User-Name} -> lisa rlm_sql (sql): sql_set_user escaped user --> 'lisa' rlm_sql (sql): Reserving sql socket id: 4 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'lisa' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'lisa' ORDER BY id expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'lisa' ORDER BY priority expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): User found in group dynamic expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'dynamic' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated rad_check_password: Found Auth-Type auth: type "PAP" +- entering group PAP rlm_pap: login attempt with password "? INCORRECT" rlm_pap: Using clear text password "lisa123" rlm_pap: Passwords don't match ++[pap] returns reject auth: Failed to validate the user. Login incorrect (rlm_pap: CLEAR TEXT password check failed): [lisa/\010\n\r\177INCORRECT] (from client localhost port 2641 cli 10.10.10.200) WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> lisa attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 0 for 1 seconds Going to the next request Waking up in 1.0 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 208 to 127.0.0.1 port 3666 Waking up in 4.9 seconds. clients.conf: ============= client 127.0.0.1 { secret = Test shortname = localhost nastype = other # localhost isn't usually a NAS... } client 10.10.10.0/24 { secret = Test shortname = local-net } pam_radius_auth.conf: ===================== 127.0.0.1 Test 3 10.10.10.11 Test 3 pam.d/common-auth: ================== # Radius auth # For these next three lines to grant auth, you must have a local user name # This must be the same as your RADIUS name # Remove the "debug" argument on the next line after everything works auth sufficient pam_radius_auth.so debug account required pam_radius_auth.so session required pam_radius_auth.so # Generic unix auth services below auth required pam_unix.so nullok_secure users: ====== "susi" Cleartext-Password := "123" If I add the user susi out of users with adduser susi and the user lisa from database adduser lisa, then NTRadPING receives Reject. If password is set in passwd - authentication works. But the password shouldn't read out of passwd... Any suggestions, where my fault or what to do? Cheers MM
Marius.Meisner wrote:
If I try to authenticate from ssh I receive this message:
rad_recv: Access-Request packet from host 127.0.0.1 port 3666, id=208, length=88 User-Name = "lisa" User-Password = "\010\n\r\177INCORRECT"
The password is being changed by the PAM libraries on the machine. Go fix that. This is a PAM issue, and is not a RADIUS issue. Alan DeKok.
Hi Alan, thx for your response - I've fixed it now. There where two things to do, one pam issue and one radius issue. For the libpam-radius-auth its necessary to add a user on the local system, so that there is an entry for each user to authenticate by radius over pam. The second thing was, that then the passwords were used from the passwd instead of the entries in database or user-file. A change in the sites-enabled/default was needed to fix that. The order in the authorize {...} - part must be changed from ... unix file sql ... to ... file sql unix ... because the first match wins and gets the password out of its entries, without looking for the other ones. So everything works fine until the next project ;-) Greets MM Am 28.01.2011 09:38, schrieb Alan DeKok:
Marius.Meisner wrote:
If I try to authenticate from ssh I receive this message:
rad_recv: Access-Request packet from host 127.0.0.1 port 3666, id=208, length=88 User-Name = "lisa" User-Password = "\010\n\r\177INCORRECT"
The password is being changed by the PAM libraries on the machine. Go fix that.
This is a PAM issue, and is not a RADIUS issue.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Marius.Meisner