OpenSSH, PAM and pam_radius_auth

Sobanbabu Bakthavathsalu Sobanbabu_B at infosys.com
Tue Jan 8 15:13:06 CET 2008 

Hi Johan,

Its good to hear that you reached up a level where Radius is working fine. But we are unable to break the jinx, and I am getting the following error when trying to telnet to the box. The installation and configuration of pam radius module went fine. Could you please help in this regards.

Error we are getting
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Fai
led looking up IP address for RADIUS server radius1 (errcode=12)
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Fai
led looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: All
 RADIUS servers failed to respond.

I dont see any other debug messages apart from the above msg available in the /var/adm/messages

Thank you
Regards
Sobanbabu Bakthavathsalu
________________________________________
From: freeradius-users-bounces+sobanbabu_b=infosys.com at lists.freeradius.org [freeradius-users-bounces+sobanbabu_b=infosys.com at lists.freeradius.org] On Behalf Of Johan Rydberg [johan.rydberg at edgeware.tv]
Sent: 08 January 2008 12:43
To: freeradius-users at lists.freeradius.org; pam-list at redhat.com
Subject: OpenSSH, PAM and pam_radius_auth

I'm trying to get RADIUS authentication to work on one of our systems,
but keep running into problems.  For some reason it seems that the
account system does not allow the user to login, and once the user has
been authenticated, it drops the connection by not allowing sshd to
establish credentials for the user.

It seems that OpenSSH first tries to authetnicate the user with an
empty password (""), because if I set an empty password both in the
local /etc/passwd, and on the RADIUS server, sshd is able to establish
credentials for the user.

Note that even with a non-empty password the authentication works,
the daemon gets and OK from the radius server.  There's a user with that
given name in /etc/passwd.

Anyone ideas about what could be wrong here?


Here's the debug output from OpenSSH:

debug1: userauth-request for user orbit-admin service ssh-connection
method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for "orbit-admin"
debug1: PAM: setting PAM_RHOST to "192.168.99.111"
debug1: PAM: setting PAM_TTY to "ssh"
debug1: userauth_send_banner: sent
debug1: PAM: password authentication failed for orbit-admin:
Authentication failure
Failed none for orbit-admin from 192.168.99.111 port 39102 ssh2
debug1: userauth-request for user orbit-admin service ssh-connection
method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=orbit-admin devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for orbit-admin from 192.168.99.111 port
39102 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for orbit-admin from 192.168.99.111
port 39102 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for orbit-admin from 192.168.99.111
port 39102 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/ttyp1
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM: setting PAM_TTY to "/dev/ttyp1"
debug1: PAM: establishing credentials
PAM: pam_setcred(): Authentication service cannot retrieve user credentials
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp1


My system-auth file:

auth        sufficient    pam_radius_auth.so debug
auth        sufficient    pam_unix.so likeauth nullok debug
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so nullok use_authtok md5
password    required      pam_deny.so
session     required      pam_unix.so


Versions:

pam_radius-1.3.17
openssh-4.5p1
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

**************** CAUTION - Disclaimer *****************
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system.
***INFOSYS******** End of Disclaimer ********INFOSYS***

More information about the Freeradius-Users mailing list