pam_radius - Choose Authentication Type
Hello list, is there a possibility to force authentication type for a specific NAS? Currently - when having pam_radius configured for SSHD logins there is "User-Password" sent in clear. How could MSCHAP being forced? e.g. from radtest mschap is working, and I get an Accept. radtest -t mschap -x aduser adpassword 192.168.0.123:21812 0 testing123 Sending Access-Request Id 83 from 0.0.0.0:58815 to 192.168.0.223:21812 User-Name = 'aduser' NAS-IP-Address = 192.168.0.238 NAS-Port = 0 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0x30fb2004f73cbc0e MS-CHAP-Response = 0x000100000000000000000000000000000000000000000000000023532ec8407591c34 d2c080afae6edb888f822115566aabb Received Access-Accept Id 83 from 192.168.0.223:21812 to 192.168.0.238:58815 length 84 MS-CHAP-MPPE-Keys = 0x MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Using PAM_RADIUS trying to Login: rad_recv: Access-Request packet from host 192.168.0.238 port 41971, id=41, length=91 User-Name = "aduser" User-Password = "adpassword" NAS-IP-Address = 192.168.0.238 NAS-Identifier = "sshd" NAS-Port = 27766 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Calling-Station-Id = "localhost" Mon Jul 11 11:11:50 2016 : Info: +- entering group authorize {...} Mon Jul 11 11:11:50 2016 : Info: [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.238/detail-20160711 Mon Jul 11 11:11:50 2016 : Info: [detail] /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.238/detail-20160711 Mon Jul 11 11:11:50 2016 : Info: [detail] expand: %t -> Mon Jul 11 11:11:50 2016 Mon Jul 11 11:11:50 2016 : Info: ++[detail] returns ok Mon Jul 11 11:11:50 2016 : Info: [preprocess] hints: Matched DEFAULT at 35 Mon Jul 11 11:11:50 2016 : Info: [preprocess] expand: %{User-Name}@test.local -> aduser@test.local Mon Jul 11 11:11:50 2016 : Info: ++[preprocess] returns ok Mon Jul 11 11:11:50 2016 : Info: [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/192.168.0.238/auth-detail-20160711 Mon Jul 11 11:11:50 2016 : Info: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.238/auth-detail-20160711 Mon Jul 11 11:11:50 2016 : Info: [auth_log] expand: %t -> Mon Jul 11 11:11:50 2016 Mon Jul 11 11:11:50 2016 : Info: ++[auth_log] returns ok Mon Jul 11 11:11:50 2016 : Info: ++[mschap] returns noop Mon Jul 11 11:11:50 2016 : Info: [suffix] Looking up realm "test.local" for User-Name = "aduser@test.local" Mon Jul 11 11:11:50 2016 : Info: [suffix] Found realm "test.local" Mon Jul 11 11:11:50 2016 : Info: [suffix] Adding Stripped-User-Name = "aduser" Mon Jul 11 11:11:50 2016 : Info: [suffix] Adding Realm = "test.local" Mon Jul 11 11:11:50 2016 : Info: [suffix] Authentication realm is LOCAL. Mon Jul 11 11:11:50 2016 : Info: ++[suffix] returns ok Mon Jul 11 11:11:50 2016 : Info: [eap] No EAP-Message, not doing EAP Mon Jul 11 11:11:50 2016 : Info: ++[eap] returns noop Mon Jul 11 11:11:50 2016 : Info: ++[unix] returns notfound Mon Jul 11 11:11:50 2016 : Info: ++[files] returns noop Mon Jul 11 11:11:50 2016 : Info: ++[expiration] returns noop Mon Jul 11 11:11:50 2016 : Info: ++[logintime] returns noop Mon Jul 11 11:11:50 2016 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Mon Jul 11 11:11:50 2016 : Info: ++[pap] returns noop Mon Jul 11 11:11:50 2016 : Info: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user Mon Jul 11 11:11:50 2016 : Info: Failed to authenticate the user. Mon Jul 11 11:11:50 2016 : Auth: Login incorrect: [aduser@test.local] (from client bastionng port 27766 cli localhost) Mon Jul 11 11:11:50 2016 : Info: Using Post-Auth-Type Reject Mon Jul 11 11:11:50 2016 : Info: +- entering group REJECT {...} Mon Jul 11 11:11:50 2016 : Info: [attr_filter.access_reject] expand: %{User-Name} -> aduser@test.local Mon Jul 11 11:11:50 2016 : Debug: attr_filter: Matched entry DEFAULT at line 11 Mon Jul 11 11:11:50 2016 : Info: ++[attr_filter.access_reject] returns updated Mon Jul 11 11:11:50 2016 : Info: Delaying reject of request 0 for 1 seconds Mon Jul 11 11:11:50 2016 : Debug: Going to the next request Mon Jul 11 11:11:50 2016 : Debug: Waking up in 0.9 seconds. Mon Jul 11 11:11:51 2016 : Info: Sending delayed reject for request 0 Sending Access-Reject of id 41 to 192.168.0.238 port 41971 Mon Jul 11 11:11:51 2016 : Debug: Waking up in 4.9 seconds. Any help is appreciated. Thomas
is there a possibility to force authentication type for a specific NAS? Currently - when having pam_radius configured for SSHD logins there is "User-Password" sent in clear. How could MSCHAP being forced?
PAM is the RADIUS client. If pam_radius_auth does not have an option to specify the RADIUS authentication type, then no, you can't set that. But as always here, if you have code that allows that to happen, by all means contribute :-) That said, it would be good to be able to tell pam_radius_auth which authentication type to use (and support EAP methods). *makes note to muck about with code again* :-) Stefan Paetow Moonshot Industry & Research Liaison Coordinator t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet jisc.ac.uk Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
On Jul 11, 2016, at 5:16 AM, tirili@web.de wrote:
is there a possibility to force authentication type for a specific NAS? Currently - when having pam_radius configured for SSHD logins there is "User-Password" sent in clear.
That's how the module works.
How could MSCHAP being forced?
Edit the source code to pam_auth_radius. But there is no security gained by moving to MS-CHAP. Alan DeKok.
participants (3)
-
Alan DeKok -
Stefan Paetow -
tirili@web.de