Removing local auth (freeradius server 2.1.9)
Hello, I've tried the doc, the wiki, and the ML archives but I can't find an answer to what must be a simple configuration thing.. I've compiled freeradius server 2.1.9 and only added two simples lines to $confdir/user: mrichard Cleartext-Password := "qwerty" mrichard2 Cleartext-Password := "qwerty" When starting radiusd -X (yes, I've looked at the output) and testing these 2 most simple accounts with radtest, the first one fails while the second one works. The difference being that there's a "mrichard" account on the box in /etc/passwd while "mrichard2" only exists in radiusd's config. Hence the output differences when calling "radtest thelogin qwerty localhost 666 testing123" (cut) : for mrichard: +- entering group PAP {...} [pap] login attempt with password "qwerty" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject for mrichard2: +- entering group PAP {...} [pap] login attempt with password "qwerty" [pap] Using clear text password "qwerty" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 79 to 127.0.0.1 port 60023 Of course, the first account works if I use the OS level password associated with it. After a bit of searching I found a reference in the ML archives to $confdir/sites-enabled/default and saw "unix" in there with the description saying it caches the hashes from /etc/passwd and its accompanying shadow. I've commented those lines and restarted the daemon. Now I get this in the PAP output for both users: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject I must be missing something rather obvious.. But how can I totally disable the lookup of OS accounts ? Thanks Martin
Someone will correct me if I am wrong, but I believe that is the "unix" entry under sites-available/default. David From: freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradius.org [mailto:freeradius-users-bounces+david.peterson=acc-corp.net@lists.freeradiu s.org] On Behalf Of Martin Richard Sent: Thursday, June 10, 2010 11:32 AM To: freeradius-users@lists.freeradius.org Subject: Removing local auth (freeradius server 2.1.9) Hello, I've tried the doc, the wiki, and the ML archives but I can't find an answer to what must be a simple configuration thing.. I've compiled freeradius server 2.1.9 and only added two simples lines to $confdir/user: mrichard Cleartext-Password := "qwerty" mrichard2 Cleartext-Password := "qwerty" When starting radiusd -X (yes, I've looked at the output) and testing these 2 most simple accounts with radtest, the first one fails while the second one works. The difference being that there's a "mrichard" account on the box in /etc/passwd while "mrichard2" only exists in radiusd's config. Hence the output differences when calling "radtest thelogin qwerty localhost 666 testing123" (cut) : for mrichard: +- entering group PAP {...} [pap] login attempt with password "qwerty" [pap] Using CRYPT encryption. [pap] Passwords don't match ++[pap] returns reject Failed to authenticate the user. Using Post-Auth-Type Reject for mrichard2: +- entering group PAP {...} [pap] login attempt with password "qwerty" [pap] Using clear text password "qwerty" [pap] User authenticated successfully ++[pap] returns ok +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 79 to 127.0.0.1 port 60023 Of course, the first account works if I use the OS level password associated with it. After a bit of searching I found a reference in the ML archives to $confdir/sites-enabled/default and saw "unix" in there with the description saying it caches the hashes from /etc/passwd and its accompanying shadow. I've commented those lines and restarted the daemon. Now I get this in the PAP output for both users: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Failed to authenticate the user. Using Post-Auth-Type Reject I must be missing something rather obvious.. But how can I totally disable the lookup of OS accounts ? Thanks Martin
Martin Richard wrote:
When starting radiusd -X (yes, I've looked at the output) and testing these 2 most simple accounts with radtest, the first one fails while the second one works. The difference being that there's a "mrichard" account on the box in /etc/passwd while "mrichard2" only exists in radiusd's config. Hence the output differences when calling "radtest thelogin qwerty localhost 666 testing123" (cut) :
As the debug log shows, it's using the Unix password for the user, rather than the password from the "users" file.
After a bit of searching I found a reference in the ML archives to $confdir/sites-enabled/default and saw "unix" in there with the description saying it caches the hashes from /etc/passwd and its accompanying shadow.
Not exactly. It looks up the user in /etc/passwd, and if found, adds the password as the "known good" password.
I've commented those lines and restarted the daemon. Now I get this in the PAP output for both users:
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
Does the "files" module say that they were found in the "users" file?
I must be missing something rather obvious.. But how can I totally disable the lookup of OS accounts ?
Delete "unix" from raddb/sites-enabled/default, section "authorize" Alan DeKok.
On Thu, Jun 10, 2010 at 4:55 PM, Alan DeKok <aland@deployingradius.com>wrote:
Delete "unix" from raddb/sites-enabled/default, section "authorize"
Alan DeKok.
To make sure all tests/changes I had made were gone I restarted from the original conf files and did exactly this. It now works as expected, but of course you knew that. :) Thanks to all for the infos! Martin
Hi,
When starting radiusd -X (yes, I've looked at the output) and testing these 2 most simple accounts with radtest, the first one fails while the second one works. The difference being that there's a "mrichard" account on the box in /etc/passwd while "mrichard2" only exists in radiusd's config. Hence the output differences when calling "radtest thelogin qwerty localhost 666 testing123" (cut) :
you've massively edited the output of the debug and missed the most important line that says [unix] returns updated or somesuch - however:
After a bit of searching I found a reference in the ML archives to $confdir/sites-enabled/default and saw "unix" in there with the description saying it caches the hashes from /etc/passwd and its accompanying shadow. I've commented those lines and restarted the daemon. Now I get this in the PAP output for both users:
...you are on the right track. but once again, a few lines of the debug isnt enough. there is plenty in the debug that says whats wrong etc. obviously you are editing the right config files because its broken what was working in a different fashion before. you need to remove unix from the 3 sections in the default file. then passwords wont be read. but you need to ensure that files is called before pap in the authorize section alan
participants (4)
-
Alan Buxey -
Alan DeKok -
David Peterson -
Martin Richard