local ssh authentication via radius possible?

Dan Gahlinger dgahling at hotmail.com
Mon Nov 26 20:48:21 CET 2007 

the client software I'm using is SecureCRT (windows - from vandyke) its a windows SSH client.

I don't understand most of what you said here. Hence my problem.

I did configure pam_radius with "debug" option.
there is no output created. It's impossible to tell if things are working the way they should
Login-Service is set to "TCP-Clear" now, and the log file produces only this:

Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.

and nothing else. No other logs anywhere, not even a failed "ssh" log in messages, warn, etc.

Maybe I should restate, clearly, what I'm trying to do. and see if it's possible, or makes sense.

we need a regular user using SSH client such as SecureCRT, or Putty, etc without modification, to login
via SSH to a linux server, and have the server use Radius for authentication.

These are "local" users with shell access. The radius would be local.
So instead of using the local password file, we want to use Radius.

Eventually the server they're logging into will point their radius to another radius server (also linux) running on the network.

I have no idea what I'm doing, so I'm grasping at straws.
You said to read the documentation, which, there wasn't much of in this regard, but I did anyhow.

Then you said to read pam_radius_auth, which I did, and attempted to implement.

Thankfully, logins using the local password file still works.

Using everything in the defaults without changing the user file doesn't make sense, because that's what we want to use for authentication,
only, in our case, it'd be on a central server instead of local, but I want to get local testing working first, just to make sure I understand it all.

at this point, I don't understand any of it, and yelling at me for doing the wrong things isn't helping.

you've seen my configuration files. I don't know how it should work, because I have no idea how it should look.

I'd appreciate a little bit of help here, some hints, some sample configs, would really really help.

I mean, if it's even possible to do what we're trying to do.

> Date: Mon, 26 Nov 2007 20:33:13 +0100
> From: aland at deployingradius.com
> To: freeradius-users at lists.freeradius.org
> Subject: Re: local ssh authentication via radius possible?
> 
> Dan Gahlinger wrote:
> > The SSH documentation doesnt say anything about using radius or
> > configuring the Radius users file.
> > why would it? that makes no sense.
> 
>   Because you haven't said which RADIUS client you're using.  Maybe SSH
> has a RADIUS plugin...
> 
> > The pam_radius_auth documentation, while useful, makes no mention of the
> > radius users file.
> 
>   Of course not.  It's a client.  The "users" file is only for the server.
> 
> > I have not been "careful" to hide or keep anything. I just didn't think
> > the log output was useful
> > but, since I'm new to this, here you go (from the most recent attempt):
> 
>   The FAQ, README, INSTALL, and many messages on this list make it clear
> that running in debugging mode, and posting the output to this list, is
> the only way to solve many problems.
> 
> > Mon Nov 26 11:15:30 2007 : Info: rlm_exec: Wait=yes but no output
> > defined. Did you mean output=none?
> > Mon Nov 26 11:15:30 2007 : Error: /etc/raddb/users[143]: Parse error
> > (reply) for entry testing: Expected end of line or comma
> 
>   You edited the "users" file, and broke it.
> 
> > and here it is from the previous attempt at using "ssh" as a login-service:
> 
>   Which isn't documented as a permitted Login-Service for the server.
> And it isn't documented as being necessary for the pam_radius_auth module.
> 
> > I will check the dictionary and see how "tcp clear" should be entered.
> > However, your email suggests that this is not the correct avenue to
> > pursue, and as such, I'm lost, again.
> 
>   Perhaps you could explain why you're so fixated on setting
> Login-Service?  The pam_radius_auth documentation doesn't say that it's
> needed.
> 
> > everything else is straight out of the box, I even used the sample
> > secrets to keep it simple.
> > I want as few variables as possible while testing this.
> 
>   Try starting the server without changing ANYTHING.  When you log in
> over SSH, does the PAM module send a RADIUS request?  Does the server
> receive it?
> 
>   You seem to have wandered down a configuration path that isn't
> required, and you're doing things that aren't documented.  Stop trying
> to do complicated things, and go back to the default configurations and
> simple tests.
> 
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

_________________________________________________________________
Have fun while connecting on Messenger! Click here to learn more.
http://entertainment.sympatico.msn.ca/WindowsLiveMessenger
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20071126/370c608d/attachment.html>

More information about the Freeradius-Users mailing list