SSH with Radius on one Server: no password match by authentication over sshd --- password match over NTRadPING

Marius.Meisner marius.meisner at googlemail.com
Mon Jan 24 01:00:15 CET 2011


Hello,

I'm a freeradius beginner and can't get further by my problem for days -
reading a lot of stuff in documentation, books and forums on the net.
Using a debian system with freeradius 2.04 and OpenSSH_5.1p1 Debian-5,
OpenSSL 0.9.8g 19 on it - no NAS or other authenticator is used.

Installed freeradius - everything works fine. On my XP client I run
NTRadPING with radius secret key, user-name and password and get
Access-accept response (by chap, by pap - Auth-Type = System;
Cleartext-Password, Auth-Type := Local ...)

Now I installed pam package: apt-get install -y libpam-radius-auth.
make configs (added things are underlined)
*/etc/pam_radius_auth.conf:*
# server[:port] shared_secret      timeout (s)
_127.0.0.1 secret 2_

*/etc/freeradius/clients.conf:*
...
_client 110.110.110.0/24 {
        secret          = secret
        shortname       = private-net
}_
...

*/etc/pam.d/sshd*
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
_auth sufficient pam_radius_auth.so_
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password


*/etc/freeradius/users*
# #
# DEFAULT
#       Service-Type = Administrative-User

# On no match, the user is denied access.


_"test" Cleartext-Password := "123"
"1user" Cleartext-Password := "1user"
        Fall-Through = No
"John"  Cleartext-Password := "123"
        Reply-Message = "Hello, %{User-Name}"

"will" Auth-Type = Accept

"lameuser"      Auth-Type := Reject
                Reply-Message = "Your account has been disabled."

"mike" Auth-Type := Local, User-Password := "mike"

"33user" Auth-Type = System
        Reply-Message = "Hello, %{User-Name}! Dein Passwort kommt aus
shadow",
        Fall-Through = Yes_
To test the secure shell session I took a system account which has no entries
in the freeradius users-file. The user can log in, but
radius authentication failed.

rad_recv: Access-Request packet from host 127.0.0.1 port 5572, id=176,
length=89
        User-Name = "user"
        User-Password = "j\205[\022\245\343/X\231\330R@\342\324\023="
        NAS-IP-Address = 10.10.10.11
        NAS-Identifier = "sshd"
        NAS-Port = 4547
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "10.10.10.200"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type "PAP"
+- entering group PAP
rlm_pap: login attempt with password "j?[?¥ã/X?ØR@âÔ?="
rlm_pap: Using CRYPT encryption.
rlm_pap: *Passwords don't match*
++[pap] returns reject
*auth: Failed to validate the user.*
*Login incorrect* (rlm_pap: CRYPT password check failed):
[user/j\205[\022\245\343/X\231\330R@\342\324\023=] (from client
localhost port 4547 cli 10.10.10.200)
  WARNING: Unprintable characters in the password.        Double-check
the shared secret on the server and the NAS!
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} -> user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 176 to 127.0.0.1 port 5572
Waking up in 4.9 seconds.
Another example with a non system-account "will" and Auth-Type = Accept
passes radius authentication, but this is not what I want to have.

rad_recv: Access-Request packet from host 127.0.0.1 port 5564, id=142,
length=89
        User-Name = "will"
        User-Password = "\354-YbQ\367\036\033\034\232\262I\260\327\322\013"
        NAS-IP-Address = 10.10.10.11
        NAS-Identifier = "sshd"
        NAS-Port = 4539
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "10.10.10.200"
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "will", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
    users: Matched entry will at line 212
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type Accept
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [will/\354-YbQ\367\036\033\034\232\262I\260\327\322\013] (from
client localhost port 4539 cli 10.10.10.200)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 142 to 127.0.0.1 port 5564
Finished request 2.
Going to the next request
Waking up in 5.0 seconds.
Cleaning up request 2 ID 142 with timestamp +118
Ready to process requests.


The shared_secret in clients.conf and pam_radius_auth.conf is the same,
and there are no spaces. Perhaps it may be a problem with the tool PuTTY
(for managing ssh sessions): here I can't find any location to place
the shared_secret from the two files. But when I changed
system-authentication instead of sshd, there was the same problem with
the different passwords, and I'm sure they are written right.


Any suggestions? Any hints are welcome.

Greets MM
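For readers following the debug output above: the "Unprintable characters in the password" warning comes from the way RADIUS hides User-Password with the shared secret (RFC 2865, section 5.2). The following is an added illustration, not code from the post or from FreeRADIUS; it implements that hiding scheme and shows that when the NAS side (here pam_radius_auth) and the server decode with different secrets, the server recovers random bytes exactly like the `j\205[\022...` value in the log. The secrets, password and authenticator are constructed for the example.

```python
import hashlib
import os
from typing import Tuple

# Constructed example: RFC 2865 User-Password hiding and the effect of a
# shared-secret mismatch between NAS (pam_radius_auth) and RADIUS server.

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: obfuscate a cleartext password for an Access-Request."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not password:
        raise ValueError("password must not be empty")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-octet blocks
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()         # b_n = MD5(S + c_(n-1))
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block                                     # chain on the ciphertext block
    return out

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the cleartext. A wrong secret yields garbage bytes."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip padding (a password ending in NUL is not supported)

def has_unprintable(password: bytes) -> bool:
    """The kind of sanity check rlm_pap does before printing its warning."""
    return any(c < 0x20 or c > 0x7E for c in password)

def demo(nas_secret: bytes = b"secret", server_secret: bytes = b"secret") -> Tuple[bytes, bool]:
    """Encode with the NAS secret, decode with the server secret; report the check result."""
    authenticator = os.urandom(16)  # random Request Authenticator, as a NAS would send
    hidden = hide_user_password(b"Pa55word!", nas_secret, authenticator)
    recovered = reveal_user_password(hidden, server_secret, authenticator)
    return recovered, has_unprintable(recovered)

if __name__ == "__main__":
    print("matching secrets :", demo())
    print("mismatched secrets:", demo(server_secret=b"wrong-secret"))
```

With matching secrets the cleartext comes back intact and the check is quiet; with mismatched secrets the decoded bytes look like the hex-escaped value in the Access-Request log and trip the warning, which is why the server's reply suggests verifying the secret on both sides.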