WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

Narender Yadav narender.yadav at mojonetworks.com
Fri Dec 30 06:40:11 CET 2016 

Thanks for the quick response Adam.

Regarding password, it is always "\010\n\r\177INCORRECT ". I have tried with
passwords i.e. 'abc123', 'welcome', 'test123'.

On NAS side, I am using http://freeradius.org/pam_radius_auth/ and below is
the /etc/pam.d/sshd file details:

-------------------------------------------------------------------------------------------------------------
#%PAM-1.0
auth       sufficient   pam_radius_auth.so
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    sufficient   pam_radius_auth.so debug conf=/etc/raddb/server
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
-------------------------------------------------------------------------------------------------------------

Please let me know if you need any further details of NAS.

Regards,
Narender


-----Original Message-----
From: Freeradius-Users
[mailto:freeradius-users-bounces+narender.yadav=mojonetworks.com at lists.freeradius.org]
On Behalf Of Adam Bishop
Sent: Thursday, December 29, 2016 8:27 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: WARNING: Unprintable characters in the password. Double-check
the shared secret on the server and the NAS!

On 29 Dec 2016, at 13:22, Narender Yadav <narender.yadav at mojonetworks.com>
wrote:
> (1)   User-Password = "\010\n\r\177INCORRECT"

I'm making the assumption that you're trying to log into the NAS with U:
"test" / P: "INCORRECT"), as you haven't mentioned it.

If you're really certain that the shared secrets match, then your NAS is
broken and appears to be prepending junk to the password.

Specifically, "back space, line feed, carriage return, forward delete".

The NAS either needs to be fixed, or you need to do some preprocessing with
FreeRADIUS.

If the junk is consistent, you can write a regex to ignore the first 4 bytes
of the password.

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company number
2881024, VAT number GB 197 0632 86. The registered office is: One Castle
Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list