SSH auth with FreeRADIUS

Janis Heller janis.heller at outlook.de
Sun Sep 4 21:42:35 CEST 2016


I would like to use FreeRADIUS to handle all SSH logins to my servers. Of course, an "emergency" login with a user registered on the server should be possible too (in case the RADIUS server is offline, etc.).

My /etc/pam.d/sshd looks like:

# PAM configuration for the Secure Shell service

auth       sufficient  pam_radius_auth.so

# Standard Un*x authentication.
#@include common-auth

# Disallow non-root logins when /etc/nologin exists.
#account    required     pam_nologin.so

Now when I try to log in as, for example, user test, the following is shown in the RADIUS debug output:

Ready to process requests
(10) Received Access-Request Id 151 from XY to XY:1812 length 90
(10)   User-Name = "test"
(10)   User-Password = "\010\n\r\177INCORRECT"
(10)   NAS-IP-Address = XY
(10)   NAS-Identifier = "sshd"
(10)   NAS-Port = 22688
(10)   NAS-Port-Type = Virtual
(10)   Service-Type = Authenticate-Only
(10)   Calling-Station-Id = "XY"
(10) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(10)   authorize {
rlm_rest (rest): Closing connection (18): Hit idle_timeout, was idle for 151 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): Closing connection (19): Hit idle_timeout, was idle for 151 seconds
rlm_rest (rest): You probably need to lower "min"
rlm_rest (rest): 0 of 0 connections in use.  You  may need to increase "spare"
rlm_rest (rest): Opening additional connection (20), 1 of 32 pending slots used
rlm_rest (rest): Connecting to "http://XY"
rlm_rest (rest): Reserved connection (20)
(10) rest: Expanding URI components
(10) rest: EXPAND http://XY
(10) rest:    --> http://XY
(10) rest: EXPAND /demo/%{User-Name}/%{User-Password}
(10) rest:    --> /demo/test/%08%0A%0D%7FINCORRECT
(10) rest: Sending HTTP GET to "http://XY/demo/test/%08%0A%0D%7FINCORRECT"
(10) rest: Processing response header
(10) rest:   Status : 200 (OK)
(10) rest:   Type   : json (application/json)
(10) rest: Parsing attribute "control:Auth-Type"
(10) rest: EXPAND Reject
(10) rest:    --> Reject
(10) rest: Auth-Type := Reject
rlm_rest (rest): Released connection (20)
rlm_rest (rest): Need 2 more connections to reach 5 spares
rlm_rest (rest): Opening additional connection (21), 1 of 31 pending slots used
rlm_rest (rest): Connecting to "http://XY"
(10)     [rest] = updated
(10)   } # authorize = updated
(10) Found Auth-Type = Reject
(10) Auth-Type = Reject, rejecting user
(10) Failed to authenticate the user
(10) WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!


It seems like there is some kind of PAM module running before the RADIUS PAM module. Any idea how to get this fixed? Looking into my sshd PAM file, I can't see a PAM module running before it.

-All the best;
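The User-Password in the debug output above is worth recognizing on sight. The byte sequence \010\n\r\177INCORRECT is not something a PAM module on the SSH host inserted and not a shared-secret problem (a wrong secret decrypts to random bytes, not to a readable ASCII word): it is the placeholder string "\b\n\r\177INCORRECT" that OpenSSH's sshd itself hands to PAM on its password-authentication path instead of the typed password whenever it will not accept the login name, for example because the name does not resolve through NSS on that host, or is excluded by AllowUsers/DenyUsers/AllowGroups/DenyGroups, or is root without "PermitRootLogin yes". The helper below is an added example, not code from the original post and not FreeRADIUS or OpenSSH code: it scans a radiusd -X capture for that placeholder and checks whether each affected name resolves on the SSH host. It assumes a POSIX sh with awk and getent; the function names and the sample log (the post's lines with documentation addresses in place of the redacted "XY", plus a second request for contrast) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from FreeRADIUS/OpenSSH.
# Finds Access-Requests in a radiusd -X capture whose User-Password is the
# placeholder sshd substitutes for the real password when it will not accept
# the login name (C string "\b\n\r\177INCORRECT" in OpenSSH's auth-pam.c;
# radiusd -X prints the bytes escaped as shown below).

# The placeholder exactly as radiusd -X prints it (backslashes are literal).
SSHD_MARKER='\010\n\r\177INCORRECT'

# Return 0 if a User-Password value copied from radiusd -X output is the placeholder.
is_sshd_marker_password() {
    [ "$1" = "$SSHD_MARKER" ]
}

# Read radiusd -X output on stdin; print the User-Name of every Access-Request
# whose User-Password is the placeholder, one per line. The marker is passed
# through the environment so awk does not reinterpret its backslashes.
marker_users() {
    SSHD_MARKER="$SSHD_MARKER" awk '
        /^\([0-9]+\) +User-Name = "/ {
            name = $0
            sub(/^.*User-Name = "/, "", name)
            sub(/".*$/, "", name)
        }
        /^\([0-9]+\) +User-Password = "/ {
            pw = $0
            sub(/^.*User-Password = "/, "", pw)
            sub(/"[ \t]*$/, "", pw)
            if (pw == ENVIRON["SSHD_MARKER"]) print name
        }
    '
}

# Does the name resolve through NSS on this host (files, LDAP, SSSD, ...)?
# sshd looks the user up before PAM runs, so a name that fails here never
# reaches pam_radius_auth with the typed password, whatever /etc/pam.d/sshd says.
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Explain each placeholder hit in a capture read on stdin (run this on the SSH host).
explain_capture() {
    marker_users | while IFS= read -r name; do
        if user_resolves "$name"; then
            printf '%s: resolves via NSS but sshd still sent the placeholder; check AllowUsers/DenyUsers/AllowGroups/DenyGroups and PermitRootLogin in sshd_config\n' "$name"
        else
            printf '%s: does not resolve via NSS on this host; sshd replaced the password before PAM ran, so RADIUS never saw the real one (create the account locally or through NSS)\n' "$name"
        fi
    done
}

# Constructed sample: the relevant lines of the post, with documentation
# addresses in place of the redacted "XY", plus a second request carrying a
# real password for contrast.
SAMPLE_LOG='(10) Received Access-Request Id 151 from 192.0.2.10 to 192.0.2.1:1812 length 90
(10)   User-Name = "test"
(10)   User-Password = "\010\n\r\177INCORRECT"
(10)   NAS-Identifier = "sshd"
(11) Received Access-Request Id 152 from 192.0.2.10 to 192.0.2.1:1812 length 82
(11)   User-Name = "alice"
(11)   User-Password = "correct horse"
(11)   NAS-Identifier = "sshd"'

printf '%s\n' "$SAMPLE_LOG" | explain_capture
```

Two practical notes. First, the account used for SSH must exist on the SSH host (locally or via NSS) even when RADIUS does the authenticating; once it does, the stack in the post gives the wanted fallback as soon as the local modules are re-enabled after the RADIUS line, because "sufficient" ends the auth stack on RADIUS success and falls through to pam_unix when RADIUS rejects or times out. Second, the rest module in the capture expands User-Password into a GET request URI; web servers and proxies log URIs, so every password tried (placeholders included) ends up in plain text in the access log. Sending the credentials in a request body is the safer shape for that endpoint.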



More information about the Freeradius-Users mailing list