local ssh authentication via radius possible?

Alan DeKok aland at deployingradius.com
Mon Nov 26 20:33:13 CET 2007


Dan Gahlinger wrote:
> The SSH documentation doesn't say anything about using radius or
> configuring the Radius users file.
> Why would it? That makes no sense.

  Because you haven't said which RADIUS client you're using.  Maybe SSH
has a RADIUS plugin...

> The pam_radius_auth documentation, while useful, makes no mention of the
> radius users file.

  Of course not.  It's a client.  The "users" file is only for the server.

> I have not been "careful" to hide or keep anything. I just didn't think
> the log output was useful
> but, since I'm new to this, here you go (from the most recent attempt):

  The FAQ, README, INSTALL, and many messages on this list make it clear
that running in debugging mode, and posting the output to this list, is
the only way to solve many problems.

> Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output
> defined. Did you mean output=none?
> Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error
> (reply) for entry testing: Expected end of line or comma

  You edited the "users" file, and broke it.

> and here it is from the previous attempt at using "ssh" as a login-service:

  Which isn't documented as a permitted Login-Service for the server.
And it isn't documented as being necessary for the pam_radius_auth module.

> I will check the dictionary and see how "tcp clear" should be entered.
> However, your email suggests that this is not the correct avenue to
> pursue, and as such, I'm lost, again.

  Perhaps you could explain why you're so fixated on setting
Login-Service?  The pam_radius_auth documentation doesn't say that it's
needed.

> everything else is straight out of the box, I even used the sample
> secrets to keep it simple.
> I want as few variables as possible while testing this.

  Try starting the server without changing ANYTHING.  When you log in
over SSH, does the PAM module send a RADIUS request?  Does the server
receive it?

  You seem to have wandered down a configuration path that isn't
required, and you're doing things that aren't documented.  Stop trying
to do complicated things, and go back to the default configurations and
simple tests.

  Alan DeKok.


