local ssh authentication via radius possible?

Alan DeKok aland at deployingradius.com
Mon Nov 26 21:51:34 CET 2007


Dan Gahlinger wrote:
> I don't understand most of what you said here. Hence my problem.

  The problem is that you're trying to configure 4-5 separate things at
the same time, without understanding how most of them work.  As a
result, you're frustrated, and not making progress.

> Mon Nov 26 12:43:45 2007 : Info: rlm_exec: Wait=yes but no output
> defined. Did you mean output=none?
> Mon Nov 26 12:43:45 2007 : Info: Ready to process requests.
> 
> and nothing else. No other logs anywhere, not even a failed "ssh" log in
> messages, warn, etc.

  i.e. PAM isn't using RADIUS for authentication.  Fix that.  Read the
PAM documentation.

> we need a regular user using SSH client such as SecureCRT, or Putty, etc
> without modification, to login
> via SSH to a linux server, and have the server use Radius for
> authentication.
> 
> These are "local" users with shell access. The radius would be local.
> So instead of using the local password file, we want to use Radius.

  That will work, but they will need a uid/gid etc. in /etc/passwd.

> Using everything in the defaults without changing the user file doesn't
> make sense, because that's what we want to use for authentication,
> only, in our case, it'd be on a central server instead of local, but I
> want to get local testing working first, just to make sure I understand
> it all.

  Which is why I said to use the defaults.  If you don't know what it's
doing, then DON'T CHANGE ANYTHING.  The default configuration WORKS.
Every change you've made has broken it.

> at this point, I don't understand any of it, and yelling at me for doing
> the wrong things isn't helping.

  No, I'm telling you that making random changes won't work.  I'm
telling you that making changes that aren't recommended in the
documentation is not a good idea.  I'm telling you that reading the
documentation and following its recommendations is a good idea.

> you've seen my configuration files. I don't know how it should work,
> because I have no idea how it should look.

  They should look like the samples.  It's not hard.

> I'd appreciate a little bit of help here, some hints, some sample
> configs, would really really help.

  The sample configurations work.

  However, it's clear that for whatever reason, SSH isn't using PAM,
*or*, PAM isn't using the pam_radius_auth module, *or* the
pam_radius_auth module isn't configured to use the correct RADIUS server.

  As a result, the RADIUS server isn't receiving login requests.  As a
result of that, no amount of fighting with the RADIUS configuration will
help.  So all of the time you put into configuring "Login-Server" was
wasted.

> I mean, if it's even possible to do what we're trying to do.

  Yes.

  I will also note that I asked a number of questions in my last
message, and you haven't answered any of them.  Either you didn't
understand them, or you don't think they're important.

  Part of the reason this is so difficult for you is that you are
fighting every attempt by anyone to help you.  You're stuck on one
particular mind-set that is preventing anyone from helping you, and
preventing you from solving the problem.  Until you give up that
mindset, and let people help you, you won't solve the problem.  You'll
only get more and more frustrated.

  Alan DeKok.
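
The three failure points named in the reply (SSH not using PAM, PAM not using pam_radius_auth, pam_radius_auth not pointed at a RADIUS server) can be checked in that order before touching the RADIUS server configuration. The script below is an added example, not part of the original message or of FreeRADIUS; the function names, the file arguments and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Checks the three links in order:
#   sshd -> PAM -> pam_radius_auth -> RADIUS server entry.
# Only the files given as arguments are read; PAM stacks pulled in from
# other files by include lines are not followed.

check_chain() {
    sshd_conf=$1; pam_sshd=$2; radius_conf=$3

    # 1. sshd must use PAM. sshd_config keywords are case-insensitive and
    #    the first value found is the one sshd uses.
    usepam=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$sshd_conf")
    if [ "$usepam" != "yes" ]; then
        echo "sshd is not using PAM (UsePAM is not 'yes' in $sshd_conf)"
        return 1
    fi

    # 2. The sshd PAM service needs an uncommented auth line for the module.
    if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_radius_auth\.so' "$pam_sshd"; then
        echo "PAM is not using pam_radius_auth (no auth line in $pam_sshd)"
        return 2
    fi

    # 3. The module's client file needs a "server secret [timeout]" line.
    if ! awk '!/^[[:space:]]*#/ && NF >= 2 { ok = 1 } END { exit !ok }' "$radius_conf"; then
        echo "pam_radius_auth has no RADIUS server configured in $radius_conf"
        return 3
    fi

    echo "sshd -> PAM -> pam_radius_auth -> RADIUS server entries all present"
    return 0
}

# Constructed sample files (not from the thread): links 1 and 3 are in
# place, but the pam_radius_auth line is still commented out.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'Port 22\nUsePAM yes\n' > "$d/sshd_config"
    printf '#auth sufficient pam_radius_auth.so\nauth required pam_unix.so\n' > "$d/pam_sshd"
    printf '# server[:port] secret [timeout]\n127.0.0.1 testing123 3\n' > "$d/radius_conf"
    echo "$d"
}

sample=$(make_sample) &&
    { check_chain "$sample/sshd_config" "$sample/pam_sshd" "$sample/radius_conf" || true; }
if [ -n "$sample" ]; then rm -rf "$sample"; fi
```

On a real host the arguments would typically be /etc/ssh/sshd_config, /etc/pam.d/sshd and the pam_radius_auth client file, whose location varies by version and distribution (commonly /etc/raddb/server or /etc/pam_radius_auth.conf).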


