Regarding pam_radius_auth to be integrated with busybox
Hi, I am trying to integrate linux-pam library and pam_radius_auth module to my busybox 1.17.3 version. I want to login through radius server on the host machine. I am using power pc as my board. I have configured the files of configuration as below. *client.conf* * (conf file)* client 192.168.100.26 { secret = testing123 } *user (conf file)* test Auth-Type := PAP, Cleartext-Password := "testpass" Reply-Message = "Hello, %{User-Name}, you have successfully authenticated your login" I am getting request on the server side but some error is coming on the server of password mismatch. Please find the below log for the same. rad_recv: Access-Request packet from host 192.168.100.26 port 2970, id=106, length=69 User-Name = "test" User-Password = "C\2758\330E\345RZ\3707\227\001\265[\202H" NAS-Identifier = "login" NAS-Port = 1945 NAS-Port-Type = Virtual Service-Type = Authenticate-Only # Executing section authorize from file /usr/local/etc/raddb//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry test at line 54 [files] expand: Hello, %{User-Name}, you have successfully authenticated your login -> Hello, test, you have successfully authenticated your login ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /usr/local/etc/raddb//sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "C�8�E�RZ�7??�[?H" [pap] Using clear text password "testpass" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb//sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 106 to 192.168.100.26 port 2970 Reply-Message = "Hello, test, you have successfully authenticated your login" Waking up in 4.9 seconds. Cleaning up request 1 ID 106 with timestamp +37 Ready to process requests. Can you please suggest what might be the issue is? I am getting password as not readable string when I have used the correct password in radius client and radius server. Regards, Deep
Hi, After upgrade perl to version 5.16 checkrad was returning the following error: Can't modify constant item in scalar assignment at /usr/local/sbin/checkrad line 477, near ");" Execution of /usr/local/sbin/checkrad aborted due to compilation errors. I don´t know exactly how to solve this problem. Some information about my system: Freeradius: radiusd: FreeRADIUS Version 2.2.0, for host amd64-portbld-freebsd9.0, built on Oct 29 2012 at 10:49:31 Perl: This is perl 5, version 16, subversion 0 (v5.16.0) built for amd64-freebsd Freebsd: FreeBSD 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Any help will be appreciated Regards Edinilson ------------------------------------------ ATINET Tel Voz: (0xx11) 4412-0876 http://www.atinet.com.br
On 29 Oct 2012, at 17:14, Edinilson - ATINET <edinilson@atinet.com.br> wrote:
Hi,
After upgrade perl to version 5.16 checkrad was returning the following error:
Can't modify constant item in scalar assignment at /usr/local/sbin/checkrad line 477, near ");" Execution of /usr/local/sbin/checkrad aborted due to compilation errors.
I don´t know exactly how to solve this problem.
Stick a $ at the front of the line at 477 :) https://github.com/FreeRADIUS/freeradius-server/commit/87ae675f866fff4d54419... -Arran
Hi Alan, To give some more debug, the below print is what I am getting on client side. Can you please look in to it? "pam_radius_auth: packet from RADIUS server 192.168.100.19 fails verification: The shared secret is probably incorrect." Regards, Deep On Mon, Oct 29, 2012 at 6:54 PM, Deep Shah <deep.shah@strixsystems.com>wrote:
Hi,
I am trying to integrate linux-pam library and pam_radius_auth module to my busybox 1.17.3 version. I want to login through radius server on the host machine. I am using power pc as my board. I have configured the files of configuration as below.
*client.conf* * (conf file)* client 192.168.100.26 { secret = testing123 }
*user (conf file)*
test Auth-Type := PAP, Cleartext-Password := "testpass" Reply-Message = "Hello, %{User-Name}, you have successfully authenticated your login"
I am getting request on the server side but some error is coming on the server of password mismatch. Please find the below log for the same.
rad_recv: Access-Request packet from host 192.168.100.26 port 2970, id=106, length=69 User-Name = "test" User-Password = "C\2758\330E\345RZ\3707\227\001\265[\202H" NAS-Identifier = "login" NAS-Port = 1945 NAS-Port-Type = Virtual Service-Type = Authenticate-Only # Executing section authorize from file /usr/local/etc/raddb//sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry test at line 54 [files] expand: Hello, %{User-Name}, you have successfully authenticated your login -> Hello, test, you have successfully authenticated your login ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns updated Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /usr/local/etc/raddb//sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "C�8�E�RZ�7??�[?H" [pap] Using clear text password "testpass" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb//sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 106 to 192.168.100.26 port 2970 Reply-Message = "Hello, test, you have successfully authenticated your login" Waking up in 4.9 seconds. Cleaning up request 1 ID 106 with timestamp +37 Ready to process requests.
Can you please suggest what might be the issue is? I am getting password as not readable string when I have used the correct password in radius client and radius server.
Regards, Deep
On Tue, Oct 30, 2012 at 01:14:09AM +0530, Deep Shah wrote:
"pam_radius_auth: packet from RADIUS server 192.168.100.19 fails verification: The shared secret is probably incorrect."
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Can you please suggest what might be the issue is? I am getting password
Please read the debug output. It's telling you the answer. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Tue, Oct 30, 2012 at 5:24 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Oct 30, 2012 at 01:14:09AM +0530, Deep Shah wrote:
"pam_radius_auth: packet from RADIUS server 192.168.100.19 fails verification: The shared secret is probably incorrect."
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Can you please suggest what might be the issue is? I am getting password
Please read the debug output. It's telling you the answer.
Correct. @Deep: There should be pam_radius_auth.conf somewhere where you can specify the shared secret on the NAS (i.e. pam_radius_auth) side. -- Fajar
Hi Fajar and Mathhew, Thank you so much for your reply. I have checked several times that both the keys from pam_radius_auth.conf and my radius server are same. But then also I am getting these prints. Please find below my pam_radius_auth.conf file snap shot. # pam_radius_auth configuration file. Copy to: /etc/raddb/server # # The timeout field controls how many seconds the module waits before # deciding that the server has failed to respond. # # server[:port] shared_secret timeout (s) #127.0.0.1 secret 1 #other-server other-secret 3 127.0.0.1 secret 1 192.168.100.27 testing123 2 other-server other-secret 3 # # having localhost in your radius configuration is a Good Thing. # # See the INSTALL file for pam.conf hints. Please find below my client.conf file snap shot which is taken from server side. My client IP is 192.168.100.18 and my server IP is 192.168.100.27. client 192.168.100.18 { secret = testing123 } Can you please let me know which configuration is wrong if there is any? Thank you very much for your help in advance. Regards, Deep On Tue, Oct 30, 2012 at 7:28 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Oct 30, 2012 at 5:24 AM, Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Tue, Oct 30, 2012 at 01:14:09AM +0530, Deep Shah wrote:
"pam_radius_auth: packet from RADIUS server 192.168.100.19 fails verification: The shared secret is probably incorrect."
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Can you please suggest what might be the issue is? I am getting password
Please read the debug output. It's telling you the answer.
Correct.
@Deep: There should be pam_radius_auth.conf somewhere where you can specify the shared secret on the NAS (i.e. pam_radius_auth) side.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Oct 30, 2012 at 12:14 PM, Deep Shah <deep.shah@strixsystems.com> wrote:
Please find below my pam_radius_auth.conf file snap shot. # pam_radius_auth configuration file. Copy to: /etc/raddb/server
Is it in the correct place? Since your earlier logs says "/usr/local/etc/raddb", you might also try copying the file there, just in case.
Please find below my client.conf file snap shot which is taken from server side. My client IP is 192.168.100.18 and my server IP is 192.168.100.27.
That's not what you said in your earlier post
Can you please let me know which configuration is wrong if there is any?
Not sure. For this I'd actually suggest you start with known good working config. Either RHEL/Centos or Ubuntu/Debian is usually a good place to start. IIRC last time I tested this with RHEL it works just fine. Assuming you configure it correctly (hint: read the READMEs and docs that comes with the source/package). After you at least got THAT to work, then start working on your busybox-thingy. Just in case it's busybox-specific bug, in which case you should probably ask the devs there. -- Fajar
Hi, Thank you for your reply. Here, radius server is at /usr/local/etc/raddb/ (which is on pc side) and I have configured and put my client which is at /etc/raddb/server. When I am getting " pam_radius_auth: packet from RADIUS server 192.168.100.27 fails verification: The shared secret is probably incorrect." on my radius client. I am getting below error message on my client. " !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /usr/local/etc/raddb//sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "?U��?R�S4?H�0+R�" [pap] Using clear text password "test" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject " Regards, Deep On Tue, Oct 30, 2012 at 10:58 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Oct 30, 2012 at 12:14 PM, Deep Shah <deep.shah@strixsystems.com> wrote:
Please find below my pam_radius_auth.conf file snap shot. # pam_radius_auth configuration file. Copy to: /etc/raddb/server
Is it in the correct place?
Since your earlier logs says "/usr/local/etc/raddb", you might also try copying the file there, just in case.
Please find below my client.conf file snap shot which is taken from server side. My client IP is 192.168.100.18 and my server IP is 192.168.100.27.
That's not what you said in your earlier post
Can you please let me know which configuration is wrong if there is any?
Not sure.
For this I'd actually suggest you start with known good working config. Either RHEL/Centos or Ubuntu/Debian is usually a good place to start. IIRC last time I tested this with RHEL it works just fine. Assuming you configure it correctly (hint: read the READMEs and docs that comes with the source/package).
After you at least got THAT to work, then start working on your busybox-thingy. Just in case it's busybox-specific bug, in which case you should probably ask the devs there.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, Oct 30, 2012 at 12:42 PM, Deep Shah <deep.shah@strixsystems.com> wrote:
Hi,
Thank you for your reply.
Here, radius server is at /usr/local/etc/raddb/ (which is on pc side) and I have configured and put my client which is at /etc/raddb/server.
When I am getting " pam_radius_auth: packet from RADIUS server 192.168.100.27 fails verification: The shared secret is probably incorrect." on my radius client.
If you're not going to listen to suggestion then I wont bother answering your mail anymore. I just tested it on Ubuntu 12.04. The package is libpam-radius-auth, and (despite the comment in the config file), pam_radius_auth.conf must be in /etc. It works. Again, my advice is start with known good config, and work from there. If you decide to ignore that advice, it's your choice, but please stop wasting everyone's time. -- Fajar
Sorry for inconvenience. I have enabled flag of mips in md5.c file of pam_radius_auth and my issue is resolved now. Regards, Deep On Tue, Oct 30, 2012 at 11:20 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Oct 30, 2012 at 12:42 PM, Deep Shah <deep.shah@strixsystems.com> wrote:
Hi,
Thank you for your reply.
Here, radius server is at /usr/local/etc/raddb/ (which is on pc side) and I have configured and put my client which is at /etc/raddb/server.
When I am getting " pam_radius_auth: packet from RADIUS server 192.168.100.27 fails verification: The shared secret is probably incorrect." on my radius client.
If you're not going to listen to suggestion then I wont bother answering your mail anymore.
I just tested it on Ubuntu 12.04. The package is libpam-radius-auth, and (despite the comment in the config file), pam_radius_auth.conf must be in /etc. It works.
Again, my advice is start with known good config, and work from there. If you decide to ignore that advice, it's your choice, but please stop wasting everyone's time.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 30 Oct 2012, at 14:13, Deep Shah <deep.shah@strixsystems.com> wrote:
Sorry for inconvenience.
I have enabled flag of mips in md5.c file of pam_radius_auth and my issue is resolved now.
Ahhh. https://github.com/FreeRADIUS/pam_radius/commit/c61a218efb2a0ec4f493bcc9fa73... -Arran
Hi Arran, On one another board, still I am getting the same error. Still should I need to change any other thing? Regards, Deep On Tue, Oct 30, 2012 at 8:31 PM, Arran Cudbard-Bell < a.cudbardb@freeradius.org> wrote:
On 30 Oct 2012, at 14:13, Deep Shah <deep.shah@strixsystems.com> wrote:
Sorry for inconvenience.
I have enabled flag of mips in md5.c file of pam_radius_auth and my issue is resolved now.
Ahhh.
https://github.com/FreeRADIUS/pam_radius/commit/c61a218efb2a0ec4f493bcc9fa73...
-Arran - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 9 Nov 2012, at 14:07, Deep Shah <deep.shah@strixsystems.com> wrote:
Hi Arran,
On one another board, still I am getting the same error. Still should I need to change any other thing?
Apparently MIPS and SPARC CPU's have configurable endianess, so the __sparc and __mips checks are probably wrong. I know autoconf has a macro for this, probably should add an autoconf script and use that instead of the compiler definitions. could you remove: #elif defined(__sparc) || defined(__mips) #define HIGHFIRST in md5.c and check that this fixes the issue. -Arran
Hi, Thank you for your reply. Here, radius server is at /usr/local/etc/raddb/ (which is on pc side) and I have configured and put my client which is at /etc/raddb/server. When I am getting " pam_radius_auth: packet from RADIUS server 192.168.100.27 fails verification: The shared secret is probably incorrect." on my radius client. I am getting below error message on my server(written client here by mistake in previous email). " !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /usr/local/etc/raddb//sites-enabled/default +- entering group PAP {...} [pap] login attempt with password "?U��?R�S4?H�0+R�" [pap] Using clear text password "test" [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! Using Post-Auth-Type Reject " Regards, Deep Regards, Deep On Tue, Oct 30, 2012 at 10:58 AM, Fajar A. Nugraha <list@fajar.net> wrote:
On Tue, Oct 30, 2012 at 12:14 PM, Deep Shah <deep.shah@strixsystems.com> wrote:
Please find below my pam_radius_auth.conf file snap shot. # pam_radius_auth configuration file. Copy to: /etc/raddb/server
Is it in the correct place?
Since your earlier logs says "/usr/local/etc/raddb", you might also try copying the file there, just in case.
Please find below my client.conf file snap shot which is taken from server side. My client IP is 192.168.100.18 and my server IP is 192.168.100.27.
That's not what you said in your earlier post
Can you please let me know which configuration is wrong if there is any?
Not sure.
For this I'd actually suggest you start with known good working config. Either RHEL/Centos or Ubuntu/Debian is usually a good place to start. IIRC last time I tested this with RHEL it works just fine. Assuming you configure it correctly (hint: read the READMEs and docs that comes with the source/package).
After you at least got THAT to work, then start working on your busybox-thingy. Just in case it's busybox-specific bug, in which case you should probably ask the devs there.
-- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (5)
-
Arran Cudbard-Bell -
Deep Shah -
Edinilson - ATINET -
Fajar A. Nugraha -
Matthew Newton