local ssh authentication via radius possible?

Dan Gahlinger dgahling at hotmail.com
Mon Nov 26 18:33:24 CET 2007


The SSH documentation doesn't say anything about using radius or configuring the Radius users file.
Why would it? That makes no sense.

The pam_radius_auth documentation, while useful, makes no mention of the radius users file.

I have not been "careful" to hide or keep anything. I just didn't think the log output was useful
but, since I'm new to this, here you go (from the most recent attempt):

Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Expected end of line or comma
Mon Nov 26 11:15:30 2007 : Error: Errors reading /etc/raddb/users
Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed. 
Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1852] Unknown module "files".
Mon Nov 26 11:15:30 2007 : Error: radiusd.conf[1788] Failed to parse authorize section. 

and here it is from the previous attempt at using "ssh" as a login-service:
Mon Nov 26 11:14:54 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Nov 26 11:14:54 2007 : Error: /etc/raddb/users[143]: Parse error (reply) for entry testing: Unknown value ssh for attribute Login-Service
Mon Nov 26 11:14:54 2007 : Error: Errors reading /etc/raddb/users
Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1067]: files: Module instantiation failed. 
Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1852] Unknown module "files".
Mon Nov 26 11:14:54 2007 : Error: radiusd.conf[1788] Failed to parse authorize section. 

BTW that is the REAL name of my server, it just happens to be in a test environment. I wanted to keep things simple.

I will check the dictionary and see how "tcp clear" should be entered.
However, your email suggests that this is not the correct avenue to pursue, and as such, I'm lost, again.

I'm using the base install, and changed only the users file for the radius server config.
The pam config seemed fairly straightforward, just add the auth/account lines.

everything else is straight out of the box, I even used the sample secrets to keep it simple.
I want as few variables as possible while testing this.

here's my pam sshd config anyhow:

#%PAM-1.0
auth     requisite      pam_nologin.so
auth     sufficient     /lib/security/pam_radius_auth.so debug
auth     include        common-auth
account  sufficient     /lib/security/pam_radius_auth.so
account  include        common-account
password sufficient     /lib/security/pam_radius_auth.so
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional      pam_resmgr.so fake_ttyname

Nothing too exciting.

> Date: Mon, 26 Nov 2007 18:17:33 +0100
> From: aland at deployingradius.com
> To: freeradius-users at lists.freeradius.org
> Subject: Re: local ssh authentication via radius possible?
> 
> Dan Gahlinger wrote:
> > it doesn't like my config, even with "TCP Clear"-
> > 
> > testing Cleartext-Password := "callme"
> >         Service-Type = Login-User,
> >         Login-Service = TCP Clear,
> >         Login-IP-Host = testing.mydomain.com
> 
>   You have to use the names from the dictionaries.  "TCP clear" is two
> words, and is not a name from the dictionaries.
> 
>   In any case, the PAM RADIUS module doesn't need "TCP Clear".  If
> you're using something else to do RADIUS authentication, see its
> documentation for what it needs.
> 
> > this is frustrating.
> > and i'm not even sure this is correct for SSH?
> 
>   Perhaps the SSH documentation says something?
> 
>   You've been very careful to not show the output of debugging mode,
> either on the server or on the client (if it has one).  You've also been
> careful to hide which RADIUS client you're using.
> 
>   This makes it difficult to help you.  You're saying "Hi, I'm using
> stuff to login, but it doesn't work.  Help me!"  Those kind of questions
> are content-free, and actively prevent anyone from helping you.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
