pam_auth_radius

acarwile alan at carwiles.com
Mon May 16 18:35:30 CEST 2011


To help others (like us) who hit this issue...

R. Marc posted:
> Yeah, figured that; just trying to figure out why.
> and yes, it's sshd:
> 
> # strings /usr/sbin/sshd | grep INC
> INCORRECT
> 
> >   As a suggestion, if there are 5-6 pieces of software involved in
> > authentication, don't immediately jump to blaming the PAM radius module.
> 
> Not blaming, just trying to solve a problem.

In our case, sshd_config had an "AllowUsers <blah>" directive to allow only
one specific user to log in via SSH.  For a different username, that
directive causes the otherwise correct password to be changed to the value
"INCORRECT".  That is then passed on to the PAM module and pam_auth_radius
sends that INCORRECT password to the RADIUS server, which appropriately
denies access.

Removing the AllowUsers line allowed ssh logins to succeed in the
appropriate cases.  If you make the same change, but wish to block some
users (e.g., root) from ssh login, be sure to verify that behavior.  In our
case no further changes were needed.

Alan Carwile
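
Added example, not part of the original post: a small checker that reads the global section of an sshd_config and reports whether a username would be turned away by the AllowUsers/DenyUsers lists before PAM runs, which is the condition the post ties to pam_auth_radius receiving "INCORRECT". The sample config and the function names are constructed for illustration; Match blocks, AllowGroups/DenyGroups and the host part of USER@HOST patterns are not evaluated.

```python
import re

# Constructed sample sshd_config (not taken from the original post).
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
UsePAM yes
DenyUsers root
AllowUsers admin backup?
"""

def _matches(user, pattern):
    # sshd user patterns use only '*' and '?' as wildcards.
    # Simplification: the host part of USER@HOST is ignored.
    glob = pattern.split("@", 1)[0]
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in glob)
    return re.fullmatch(regex, user) is not None

def user_lists(config_text):
    """Collect AllowUsers/DenyUsers patterns from the global section."""
    lists = {"allowusers": [], "denyusers": []}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break                           # Match blocks are not evaluated
        if keyword in lists and len(parts) == 2:
            lists[keyword].extend(parts[1].split())
    return lists

def sshd_verdict(config_text, user):
    """Say how sshd's user lists treat `user`, before PAM is consulted."""
    lists = user_lists(config_text)
    if any(_matches(user, p) for p in lists["denyusers"]):
        return "rejected: DenyUsers"
    allow = lists["allowusers"]
    if allow and not any(_matches(user, p) for p in allow):
        return "rejected: not in AllowUsers"
    return "allowed"

if __name__ == "__main__":
    for name in ("admin", "backup1", "alice", "root"):
        print(f"{name:8} {sshd_verdict(SAMPLE_CONFIG, name)}")
```

A "rejected" verdict for an account whose RADIUS password is known to be correct points at sshd_config rather than at the PAM module or the RADIUS server.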

