OpenSSH, PAM and pam_radius_auth

tnt at kalik.co.yu tnt at kalik.co.yu
Tue Jan 8 14:00:42 CET 2008


You have posted a question to the freeradius list and included a debug
from - OpenSSH??? Don't you think that freeradius debug would be more
helpful?

Ivan Kalik
Kalik Informatika ISP


Dana 8/1/2008, "Johan Rydberg" <johan.rydberg at edgeware.tv> piše:

>I'm trying to get RADIUS authentication to work on one of our systems,
>but keep running into problems.  For some reason it seems that the
>account system does not allow the user to login, and once the user has
>been authenticated, it drops the connection by not allowing sshd to
>establish credentials for the user.
>
>It seems that OpenSSH first tries to authetnicate the user with an
>empty password (""), because if I set an empty password both in the
>local /etc/passwd, and on the RADIUS server, sshd is able to establish
>credentials for the user.
>
>Note that even with a non-empty password the authentication works,
>the daemon gets and OK from the radius server.  There's a user with that
>given name in /etc/passwd.
>
>Anyone ideas about what could be wrong here?
>
>
>Here's the debug output from OpenSSH:
>
>debug1: userauth-request for user orbit-admin service ssh-connection
>method none
>debug1: attempt 0 failures 0
>debug1: PAM: initializing for "orbit-admin"
>debug1: PAM: setting PAM_RHOST to "192.168.99.111"
>debug1: PAM: setting PAM_TTY to "ssh"
>debug1: userauth_send_banner: sent
>debug1: PAM: password authentication failed for orbit-admin:
>Authentication failure
>Failed none for orbit-admin from 192.168.99.111 port 39102 ssh2
>debug1: userauth-request for user orbit-admin service ssh-connection
>method keyboard-interactive
>debug1: attempt 1 failures 1
>debug1: keyboard-interactive devs
>debug1: auth2_challenge: user=orbit-admin devs=
>debug1: kbdint_alloc: devices 'pam'
>debug1: auth2_challenge_start: trying authentication method 'pam'
>Postponed keyboard-interactive for orbit-admin from 192.168.99.111 port
>39102 ssh2
>debug1: do_pam_account: called
>debug1: PAM: num PAM env strings 0
>Postponed keyboard-interactive/pam for orbit-admin from 192.168.99.111
>port 39102 ssh2
>debug1: do_pam_account: called
>Accepted keyboard-interactive/pam for orbit-admin from 192.168.99.111
>port 39102 ssh2
>debug1: Entering interactive session for SSH2.
>debug1: server_init_dispatch_20
>debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
>debug1: input_session_request
>debug1: channel 0: new [server-session]
>debug1: session_new: init
>debug1: session_new: session 0
>debug1: session_open: channel 0
>debug1: session_open: session 0: link with channel 0
>debug1: server_input_channel_open: confirm session
>debug1: server_input_channel_req: channel 0 request pty-req reply 0
>debug1: session_by_channel: session 0 channel 0
>debug1: session_input_channel_req: session 0 req pty-req
>debug1: Allocating pty.
>debug1: session_pty_req: session 0 alloc /dev/ttyp1
>debug1: server_input_channel_req: channel 0 request env reply 0
>debug1: session_by_channel: session 0 channel 0
>debug1: session_input_channel_req: session 0 req env
>debug1: server_input_channel_req: channel 0 request shell reply 0
>debug1: session_by_channel: session 0 channel 0
>debug1: session_input_channel_req: session 0 req shell
>debug1: PAM: setting PAM_TTY to "/dev/ttyp1"
>debug1: PAM: establishing credentials
>PAM: pam_setcred(): Authentication service cannot retrieve user credentials
>debug1: do_cleanup
>debug1: PAM: cleanup
>debug1: session_pty_cleanup: session 0 release /dev/ttyp1
>
>
>My system-auth file:
>
>auth        sufficient    pam_radius_auth.so debug
>auth        sufficient    pam_unix.so likeauth nullok debug
>auth        required      pam_deny.so
>account     required      pam_unix.so
>password    sufficient    pam_unix.so nullok use_authtok md5
>password    required      pam_deny.so
>session     required      pam_unix.so
>
>
>Versions:
>
>pam_radius-1.3.17
>openssh-4.5p1
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>




More information about the Freeradius-Users mailing list