ssh cleartext-password "? INCORRECT"
David Ly
dly at somanetworks.com
Tue Nov 18 21:04:12 CET 2008
First of all let me say that I am using:
FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu.
I am trying to configure pam-radius-auth and freeRADIUS to allow
users to ssh into a box and have radius appropriately match their
permissions etc.
I've come across a problem that I am unable to solve (I have a little
over two months of experience with linux and even less with RADIUS
and PAM). I have managed to get freeRADIUS running and I can do:
'radtest steve testing localhost 10 testing123'
And I receive:
Access-Accept packet from host 127.0.0.1 port 1812, id=114, length=71
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Now my problem occurs when I attempt to switch over to
using ssh. I have configured the files:
(The beginning of) /etc/pam.d/sshd
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
auth sufficient /lib/security/pam_radius_auth.so debug
@include common-auth
...
And the matching shared secret for the server and pam_radius_auth.conf
I've noticed something in the logs which I have marked with '****'. Any help
is greatly appreciated.
Here is the relevant part of the log from radiusd -X
Using 'radtest steve testing localhost 10 testing123'
rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=34, length=57
User-Name = "steve"
User-Password = "testing"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "testing"
[pap] Using clear text password "testing"
[pap] User authenticated successfully
++[pap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 34 to 127.0.0.1 port 58878
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 172.16.3.33
Framed-IP-Netmask = 255.255.255.0
Framed-Routing = Broadcast-Listen
Framed-Filter-Id = "std.ppp"
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 34 with timestamp +16
Ready to process requests.
Using 'ssh steve at localhost' password: testing
rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83
User-Name = "steve"
User-Password = "\010\n\r\177INCORRECT" ****
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "sshd"
NAS-Port = 25536
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "wisdur"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "steve", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry steve at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT" ****
[pap] Using clear text password "testing"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check
the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> steve
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 106 to 127.0.0.1 port 26561
Waking up in 4.9 seconds.
Cleaning up request 1 ID 106 with timestamp +36
Ready to process requests.
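As an added example (not code from the post, from FreeRADIUS or from OpenSSH), the script below parses radiusd -X output like the above, decodes radiusd's octal escapes, and flags any User-Password that carries unprintable bytes, which is the condition behind the warning in the log; the sample log embedded in it is constructed from the two requests shown. Two diagnostic points it reflects: a mismatched shared secret decrypts to random bytes rather than to a readable word, and "\b\n\r\177INCORRECT" is the fixed placeholder password that OpenSSH hands to PAM for a user it has already decided not to authenticate (for instance one with no local account), so a readable INCORRECT points at the sshd side rather than at the secret. The printability test is my approximation (every byte in 0x20..0x7e), and the function names are mine.

```python
import re
# Constructed sample: the two Access-Requests from the radiusd -X output above,
# trimmed to the lines this triage needs (not a verbatim copy of the log).
SAMPLE_LOG = r'''
rad_recv: Access-Request packet from host 127.0.0.1 port 58878, id=34, length=57
User-Name = "steve"
User-Password = "testing"
Sending Access-Accept of id 34 to 127.0.0.1 port 58878
rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83
User-Name = "steve"
User-Password = "\010\n\r\177INCORRECT"
NAS-Identifier = "sshd"
Sending Access-Reject of id 106 to 127.0.0.1 port 26561
'''
RECV_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)')
ATTR_RE = re.compile(r'^([\w-]+) = (.*)$')
SEND_RE = re.compile(r'^Sending (Access-\w+) of id (\d+)')
ESC_RE = re.compile(r'\\([0-7]{3})|\\([nrt])')

def unescape(value):
    """Undo radiusd's escaping of a quoted value: \\010 and \\177 are octal bytes, \\n \\r \\t are C escapes."""
    def sub(m):
        if m.group(1):
            return chr(int(m.group(1), 8))
        return {'n': '\n', 'r': '\r', 't': '\t'}[m.group(2)]
    return ESC_RE.sub(sub, value.strip('"'))

def has_unprintable(password):
    """My approximation of the test behind radiusd's 'Unprintable characters' warning: any byte outside 0x20..0x7e."""
    return any(not 0x20 <= ord(c) <= 0x7e for c in password)

def triage(log_text):
    """Group the debug output into Access-Requests; return attributes, reply type and password printability per request."""
    requests, current = [], None
    for line in log_text.splitlines():
        line = line.strip()  # real radiusd output indents attributes with a tab
        if m := RECV_RE.match(line):
            current = {'nas': m.group(1), 'id': m.group(2), 'attrs': {}, 'result': None}
            requests.append(current)
        elif current and (m := ATTR_RE.match(line)):
            current['attrs'][m.group(1)] = unescape(m.group(2))
        elif current and (m := SEND_RE.match(line)) and m.group(2) == current['id']:
            current['result'] = m.group(1)  # Access-Accept / Access-Reject for this request id
    for r in requests:
        r['unprintable_password'] = has_unprintable(r['attrs'].get('User-Password', ''))
    return requests

if __name__ == '__main__':
    for r in triage(SAMPLE_LOG):
        print(f"id={r['id']} nas={r['nas']} ident={r['attrs'].get('NAS-Identifier', '-')} result={r['result']} unprintable_password={r['unprintable_password']}")
```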