SSH - No authenticate method (Auth-Type)

Jaikanth Krishnaswamy jaikanth.krishnaswamy at gmail.com
Wed Feb 23 18:35:58 CET 2011


What I am trying to set up is as follows:
1. Oracle backend for authenticating SFTP clients (OpenSSH)

What I have done so far:
Set up a second ssh for SFTP only.
Updated the sshd_config to use PAM.
The request comes to AAA and fails as shown in the logs below.
Also note the password shows as *"\010\n\r\177INCORRECT"*.
The sites-enabled default looks like the following:
"
authorize {
       sql
       expiration
       logintime
}
authenticate {
        # I have tried just pam as you have suggested and it still says No-Auth
        Auth-Type PAM {
                pam
        }
}
preacct {
        preprocess
        acct_unique
        suffix
        files
}
accounting {
        detail
        unix
        radutmp
        exec
        attr_filter.accounting_response
}
session {
        radutmp
}
post-auth {
        sql
}
pre-proxy {
}
post-proxy {
}
"
As requested, I am attaching the radiusd -X log:
rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=15,
length=114
        User-Name = "test"
        *User-Password = "\010\n\r\177INCORRECT"*
        NAS-IP-Address = Y.Y.Y.Y
        NAS-Identifier = "openssh"
        NAS-Port = 5950
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "somebody"
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[sql]   expand: %{User-Name} -> test
[sql] sql_set_user escaped user -->test
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE
Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER
BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql]   expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE
UserName='test'
[sql]   expand: SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,radusergroup WHERE radusergroup.Username =
'%{SQL-User-Name}' AND radusergroup.GroupName = radgroupcheck.GroupName
ORDER BY radgroupcheck.id -> SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
FROM radgroupcheck,radusergroup WHERE radusergroup.Username = 'test' AND
radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
[sql] User found in group SFTP_Client
[sql]   expand: SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,radusergroup WHERE radusergroup.Username =
'%{SQL-User-Name}' AND radusergroup.GroupName = radgroupreply.GroupName
ORDER BY radgroupreply.id -> SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
FROM radgroupreply,radusergroup WHERE radusergroup.Username = 'test' AND
radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
  WARNING: Unprintable characters in the password.        Double-check the
shared secret on the server and the NAS!
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 199.106.120.244 port 6975
        Password == "test"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 15 with timestamp +10
Ready to process requests.


On Thu, Feb 17, 2011 at 5:42 PM, Marc Phillips <rmarc at copacetic.net> wrote:

> > Sending Access-Request of id 58 to X.X.X.X port Y
> >         User-Name = "test"
> >         User-Password = "test"
> >         NAS-IP-Address = X.X.X.X
> >         NAS-Port = Y
> >         Framed-Protocol = PPP
> > rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38
> > The freeradius is setup with an oracle db backend.
>
> I had something similar with PAM.  What I did is have a user entry like:
>
> DEFAULT Ldap-Group == "mygroup", Auth-Type = pam
>        Reply-Message = "Hello (admin), %{User-Name}",
>        Fall-Through = No
>
> and in my sites-enabled default:
>
> authorize {
>        preprocess
>        auth_log
>        files
>        ldap
> }
>
> authenticate {
>        pam
> }
>
> You'll obviously have some sort of sql auth-type and probably won't
> need the LDAP stuff.
>
> Hope this helps.
>
> R. Marc
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
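As an added illustration (not part of the original thread), here is one way to apply Marc's suggestion to the poster's SQL backend: set `Auth-Type := PAM` as a check item on the `SFTP_Client` group in `radgroupcheck`, so the `sql` module in `authorize` supplies the Auth-Type the debug log reports as missing and the existing `Auth-Type PAM { pam }` block in `authenticate` is entered. Table and column names are the ones visible in the `radiusd -X` output above; the user name `test` is the one from the log, and the assumption that the legacy `User-Password ==` row can simply be dropped follows from PAM doing the password check. The log's own warning about unprintable characters in the password still has to be chased separately (it points at the shared secret between sshd's PAM RADIUS client and `clients.conf`).

```sql
-- Added example, not from the thread. Assumes the FreeRADIUS 2.x default SQL
-- schema whose table and column names appear in the radiusd -X output above.

-- 1. Force PAM authentication for every member of the SFTP_Client group.
--    The := operator makes Auth-Type a control item, so once the sql module
--    has run in authorize the request carries Auth-Type = PAM and the server
--    enters the "Auth-Type PAM { pam }" block in authenticate instead of
--    failing with "No authenticate method (Auth-Type) found".
INSERT INTO radgroupcheck (GroupName, Attribute, op, Value)
VALUES ('SFTP_Client', 'Auth-Type', ':=', 'PAM');

-- 2. The debug log warned about a legacy 'User-Password ==' check item on
--    the user (rlm_pap: "Are you sure you don't mean Cleartext-Password?").
--    With PAM verifying the password, FreeRADIUS does not need a copy of it,
--    so drop the row rather than converting it to Cleartext-Password.
DELETE FROM radcheck
 WHERE UserName = 'test' AND Attribute = 'User-Password';

-- 3. Show exactly what the sql module will now load for this user and group,
--    i.e. the rows behind the two check-item queries in the debug output.
SELECT 'radcheck' AS src, UserName AS who, Attribute, op, Value
  FROM radcheck
 WHERE UserName = 'test'
UNION ALL
SELECT 'radgroupcheck' AS src, GroupName AS who, Attribute, op, Value
  FROM radgroupcheck
 WHERE GroupName = 'SFTP_Client';
```

After the change, a successful `radiusd -X` run should show `Auth-Type = PAM` being set in `authorize` and the `pam` module returning in `authenticate`; the `sql` in `authorize` does not need to be reordered for this to work.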