How to do FreeRADIUS understand the ssh encrypted password that is passed?
Kalil de A. Carvalho
kalilac at gmail.com
Thu Jul 27 21:27:46 CEST 2017
Thanks for your replay.
Here the parts of debug output that it is important, I think:
"My *guess* is that the SSH session is set up to use PAM. And that PAM is
mangling to the password to "invalid" or some such string." <- you ware
Received Access-Request Id 51 from IP_SOURCE:10722 to SERVER_RADIUS:1812
User-Name = 'bo01'
User-Password = '\010\n\r\177INCORRECT'
NAS-IP-Address = 127.0.1.1
NAS-Identifier = 'sshd'
NAS-Port = 9697
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 'CLIENT_TEST'
Here is just show that the ldap search is working fine:
User found. Comparison between membership: name (resolved from DN), check:
Here is the resolt of password confrontation:
(2) ERROR: ldap : Bind credentials incorrect: Invalid credentials
(2) ERROR: ldap : Server said: 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 52e, v1db1.
On Thu, Jul 27, 2017 at 2:55 PM, Alan DeKok <aland at deployingradius.com>
> On Jul 27, 2017, at 1:22 PM, Kalil de A. Carvalho <kalilac at gmail.com>
> > I have my enviroment working fine for telnet access, my FreeRADIUS server
> > is doing the user search on LDAP with no problem but, when I use any ssh
> > session is passed a encryped password that RADIUS
> What does that mean?
> It's almost always best to post the actual debug output. That is much
> clearer than vague descriptions.
> > try to use with LDAP
> > database, found the user but the password is considered wrong and regect
> > access.
> My *guess* is that the SSH session is set up to use PAM. And that PAM
> is mangling to the password to "invalid" or some such string.
> Again, reading the debug output would show you this.
> > I searched for configuration and what I saw it is very similar whith I
> > here. The unic diference is that I am using a EdgeRouter Lite but I am
> > folling the documentation and using the GUI tool.
> > Can any one help me?
> Post the debug output as suggested in the "man" page, FAQ, web pages,
> and daily on this list.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
Kalil de A. Carvalho
More information about the Freeradius-Users