Linux PAM Authentication failed: Non-Local users

Anand Neeli anand.neeli at gmail.com
Thu Jun 29 15:48:51 CEST 2017


Hello,

I'm sure my query might have already been discussed.

But couldn't search the mailing list. Can anyone please show pointers
or answer this?
I'm trying to perform Radius based authentication of any guest user
using Linux PAM module 1.0

As radius client, pam_radius-1.3.17 plugin is used and freeradius
server is used as Radius Server.
I have performed the Radius client and server configurations according
to the guidelines.


I added the radius entry in /etc/pam.d/sshd:
      #%PAM-1.0
       auth       sufficient  /lib/security/pam_radius_auth.so debug


While I am trying to perform authentication of users, the following are
the outcomes, depending upon whether the user (trying to log in) is
locally configured or not.

Users are trying to log-in via ssh. Both Users A and B are configured
in Radius Server

 1.  If user A (locally configured in Linux M/C) tries to log in, then
Linux PAM gets the user/password information and sends it to the radius
server. Radius Server authenticates the user/password in its database
and sends a successful acknowledgement to the linux m/c. User is allowed
to log in.
 2.  If user B (not configured in Linux M/C) logs in, then
authentication is rejected by Radius Server. Radius Server logs
are showing that the password is either malformed/incorrect.

*********************************************************************************************************************************************************************************************************************
Radius Server Logs:

rad_recv: Access-Request packet from host 127.0.0.1:27138, id=117, length=91
        User-Name = "abcd"
        User-Password = "\010\n\INCORRECT"
        NAS-IP-Address = 172.21.142.4
        NAS-Identifier = "linux"
        NAS-Port = 26113
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "172.21.142.140"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "abcd", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [abcd/\010\n\INCORRECT] (from client localhost port
26113 cli 172.21.142.140)
  WARNING: Unprintable characters in the password. ?  Double-check the
shared secret on the server and the NAS!


*********************************************************************************************************************************************************************************************************************

SSHD Logs:

May 27 13:14:07 localho sshd[26113]: debug1: PAM: initializing for "abcd"
May 27 13:14:07 localho sshd[26113]: debug1: PAM: setting PAM_RHOST to
"172.21.142.140"
May 27 13:14:07 localho sshd[26113]: debug1: PAM: setting PAM_TTY to "ssh"
May 27 13:14:09 localho sshd[26113]: pam_radius_auth: Got user name abcd
May 27 13:14:09 localho sshd[26113]: pam_radius_auth: Sending RADIUS
request code 1
May 27 13:14:09 localho sshd[26113]: pam_radius_auth: DEBUG:
getservbyname(radius, udp) returned -1768845152.
May 27 13:14:10 localho sshd[26113]: pam_radius_auth: RADIUS server
127.0.0.1 failed to respond
May 27 13:14:10 localho sshd[26113]: pam_radius_auth: All RADIUS
servers failed to respond.
May 27 13:14:10 localho sshd[26113]: pam_radius_auth: authentication failed
May 27 13:14:10 localho sshd(pam_unix)[26113]: check pass; user unknown
May 27 13:14:10 localho sshd(pam_unix)[26113]: authentication failure;
logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.142.140
May 27 13:14:13 localho sshd[26113]: debug1: PAM: password
authentication failed for an illegal user: Authentication failure
May 27 13:14:13 localho sshd[26113]: Failed password for invalid user
abcd from ::ffff:172.21.142.140 port 36124 ssh2

*********************************************************************************************************************************************************************************************************************

After reading through a couple of forums, I got the hint that this is
the way PAM works.
Linux PAM has a restriction to have the user-id configured locally on
the Linux M/C for successful Radius Authentication.

But if we have the case of thousands of guest users, then it is not
possible to add every user in machine itself.

I am willing to know:

 1.  Is this the way PAM works? Is this limitation present in PAM?
 2.  I am using Linux PAM 1.0. Is there any patch/fix available in
a higher version of PAM?
 3.  Is there any way to overcome this issue by using some other
libpam-radius-auth plugin? Though I do not think it is a Radius client
plugin issue.

It will be really helpful if you can help/suggest me in this regard.

Regards,

Anand Neeli
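
Added example, not part of the original post: the User-Password in the server log matches the placeholder "\b\n\r\177INCORRECT" that OpenSSH's PAM code submits instead of the typed password when the login name has no local (NSS) account, and its control characters trigger the server's "Unprintable characters" warning even when the shared secret is correct. The sketch below implements RFC 2865 User-Password hiding to tell that case apart from a real shared-secret mismatch; the secret, authenticator, password and function names are constructed for illustration.

```python
import hashlib

# String OpenSSH's PAM code submits in place of the typed password when the
# login name is not a valid local account (no passwd/NSS entry).
SSHD_PLACEHOLDER = b"\b\n\r\x7fINCORRECT"

def _keystream_xor(data, secret, authenticator, decrypt):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), c(0) = authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += mixed
        prev = block if decrypt else mixed  # chaining always uses the ciphertext block
    return out

def hide(password, secret, authenticator):
    """Client side (pam_radius_auth): pad to a 16-byte multiple, then hide."""
    padded = password + b"\x00" * (-len(password) % 16 or (0 if password else 16))
    return _keystream_xor(padded, secret, authenticator, decrypt=False)

def reveal(hidden, secret, authenticator):
    """Server side: recover the password and strip the NUL padding."""
    return _keystream_xor(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def classify(recovered):
    """Triage what the server logged as User-Password."""
    if recovered == SSHD_PLACEHOLDER:
        return "sshd-placeholder"   # user unknown to NSS on the SSH host
    if all(32 <= c < 127 for c in recovered):
        return "printable"          # a real password reached the server
    return "garbage"                # consistent with a shared-secret mismatch

# Constructed values, not taken from the post.
AUTHENTICATOR = bytes(range(16))
SECRET = b"testing123"

def demo():
    sent = hide(b"guest-pass", SECRET, AUTHENTICATOR)
    typed = classify(reveal(sent, SECRET, AUTHENTICATOR))
    unknown_user = classify(
        reveal(hide(SSHD_PLACEHOLDER, SECRET, AUTHENTICATOR), SECRET, AUTHENTICATOR))
    bad_secret = classify(reveal(sent, b"other-secret", AUTHENTICATOR))
    return typed, unknown_user, bad_secret

if __name__ == "__main__":
    print(demo())
```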


More information about the Freeradius-Users mailing list