libpam-radius-auth password problem
Fabio Pedretti
fabio.pedretti at ing.unibs.it
Tue Mar 18 18:26:07 CET 2008
I am trying to configure a Linux machine (Ubuntu 8.04 alpha, 32 bit) with RADIUS authentication using libpam-radius-auth.
I installed freeradius-2.0.3 (from a self-built deb package) on the same machine and added this line at the top of the users file:
testuser Cleartext-Password := "testing"
Then I installed
libpam-radius-auth 1.3.17-0ubuntu1
from the Ubuntu repositories.
I added the radius entry in /etc/pam.d/sshd:
[...]
auth required pam_env.so envfile=/etc/default/locale
auth sufficient pam_radius_auth.so debug
# Standard Un*x authentication.
@include common-auth
[...]
and this in pam_radius_auth.conf:
# server[:port] shared_secret timeout (s)
127.0.0.1 testing123 1
When I try to authenticate with ssh into the machine, I noticed that freeradius receives this password "\010\n\r\177INCORRECT", which is not the one I typed.
This is the output of auth.log:
Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: Got user name testuser
Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: Sending RADIUS request code 1
Mar 18 18:05:59 test sshd[2533]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1211761632.
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 18 18:06:00 test sshd[2533]: pam_radius_auth: authentication failed
Mar 18 18:06:00 test sshd[2533]: pam_unix(sshd:auth): check pass; user unknown
Mar 18 18:06:00 test sshd[2533]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=fabio-mac.local
Mar 18 18:06:02 test sshd[2533]: Failed password for invalid user testuser from 10.33.4.8 port 57680 ssh2
This is the output of freeradius -X:
rad_recv: Access-Request packet from host 127.0.0.1 port 3558, id=65, length=93
User-Name = "testuser"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 127.0.1.1
NAS-Identifier = "sshd"
NAS-Port = 2533
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "fabio-mac.local"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry testuser at line 50
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
rad_check_password: Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "? INCORRECT"
rlm_pap: Using clear text password "testing"
rlm_pap: Passwords don't match
++[pap] returns reject
auth: Failed to validate the user.
Login incorrect (rlm_pap: CLEAR TEXT password check failed): [testuser/\010\n\r\177INCORRECT] (from client localhost port 2533 cli fabio-mac.local)
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 65 to 127.0.0.1 port 3558
Waking up in 4.9 seconds.
Cleaning up request 2 ID 65 with timestamp +135
Ready to process requests.
Testing with radtest works fine.
I noticed a similar problem some time ago, that seemed to be related to 64 bit machines:
http://lists.cistron.nl/pipermail/freeradius-users/2006-August/055877.html
However, I am using a 32 bit machine on an updated system. Where could the problem be?
Thanks,
Fabio
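Added example (not part of the original post, and not code from FreeRADIUS, pam_radius_auth or OpenSSH): the logged value `\010\n\r\177INCORRECT` is the fixed string OpenSSH's PAM code passes in place of the typed password when the login name is not a valid account on the SSH host, which matches the "invalid user testuser" line in auth.log. The Python sketch below decodes the escaped User-Password from the debug output and separates that placeholder from the unprintable bytes a shared-secret mismatch produces. Function names are hypothetical and the sample lines are copied from the post.

```python
import re

# Fixed string OpenSSH's PAM code (auth-pam.c, "badpw") hands to PAM in place of
# the typed password when the login name is not a valid account on the SSH host.
SSHD_BADPW = b"\x08\n\r\x7fINCORRECT"

_ESC = re.compile(rb'\\([0-3][0-7]{2}|[nrt\\"])')
_SIMPLE = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"\\": b"\\", b'"': b'"'}
_ATTR = re.compile(r'^\s*(User-Name|User-Password) = "(.*)"\s*$')
_INVALID = re.compile(r"sshd\[\d+\]: Failed password for invalid user (\S+) from ")


def unescape(value: str) -> bytes:
    """Decode the \\ooo and C-style escapes used in the debug output above."""
    def sub(m):
        tok = m.group(1)
        return _SIMPLE.get(tok) or bytes([int(tok, 8)])
    return _ESC.sub(sub, value.encode("latin-1"))


def classify(password: bytes) -> str:
    if password == SSHD_BADPW:
        return "sshd-placeholder"  # account unknown on the SSH host; secret is fine
    if any(b < 0x20 or b >= 0x7F for b in password):
        return "unprintable"       # what a shared-secret mismatch typically yields
    return "printable"


def triage(radius_debug: str, auth_log: str):
    """Return (user, verdict, sshd_logged_invalid_user) for each Access-Request."""
    invalid = set(_INVALID.findall(auth_log))
    results, user = [], None
    for line in radius_debug.splitlines():
        m = _ATTR.match(line)
        if not m:
            continue
        if m.group(1) == "User-Name":
            user = m.group(2)
        elif user is not None:
            results.append((user, classify(unescape(m.group(2))), user in invalid))
    return results


# Sample input: lines copied from the post above.
RADIUS_DEBUG = r'''rad_recv: Access-Request packet from host 127.0.0.1 port 3558, id=65, length=93
User-Name = "testuser"
User-Password = "\010\n\r\177INCORRECT"
'''
AUTH_LOG = "Mar 18 18:06:02 test sshd[2533]: Failed password for invalid user testuser from 10.33.4.8 port 57680 ssh2\n"
print(triage(RADIUS_DEBUG, AUTH_LOG))
```

A "sshd-placeholder" verdict points at account resolution on the SSH host (for example, whether `getent passwd testuser` returns an entry) rather than at the shared secret.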