Authentication against the Unix password database?

Stefan Bruda stefan at bruda.ca
Wed Oct 18 17:34:34 CEST 2017


Hello,

I am running freeradius-3.0.14 (stable Gentoo, USE="pam python
readline ssl -debug (-firebird) -iodbc -kerberos -ldap -mysql -odbc
-oracle -pcap -postgres -sqlite").

I would like my radius server to authenticate users against the Unix
password database.  Direct authentication is preferred but PAM
authentication will do just as well.

With the 2.x version I succeeded in doing this by forcing Auth-Type =
System in the users file and using the "unix" module, but this no
longer works (apparently justifiably so) in the 3.x version.

Now I have the following for my default site:

authorize {
...
        unix
#       files
...
}
authenticate {
...
        pam
...
}

I then get the following somewhat puzzling result (with a certified
valid Unix user name and password):

(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
...
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "<del>", looking up realm NULL
(2) suffix: No such realm "NULL"
(2)     [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2)     [eap] = noop
(2)     [unix] = notfound
(2)     [expiration] = noop
(2)     [logintime] = noop
(2) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(2) pap: WARNING: Authentication will fail unless a "known good" password is available
(2)     [pap] = noop
(2)   } # authorize = ok
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

What I am puzzled about is the "notfound" result provided by the unix module.

Next I tried to do PAM authentication by uncommenting the "files" line
in the authorize section and forcing "Auth-Type = Pam" in the users
file.  This one at least communicates with the PAM system:

(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
...
(0)     [unix] = notfound
(0) files: users: Matched entry DEFAULT at line 7
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = pam
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0) pam: Using pamauth string "radiusd" for pam.conf lookup
(0) pam: ERROR: pam_authenticate failed: Authentication failure
(0)     [pam] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user

I get the following in the logs (login name redacted):

Oct 18 10:23:40 localhost unix_chkpwd[26318]: check pass; user unknown
Oct 18 10:23:40 localhost unix_chkpwd[26319]: check pass; user unknown
Oct 18 10:23:40 localhost unix_chkpwd[26319]: password check failed for user (<del>)
Oct 18 10:23:40 localhost radiusd: pam_unix(radiusd:auth): authentication failure; logname=<del> uid=107 euid=107 tty= ruser= rhost=  user=<del>

The file /etc/pam.d/radius looks fine to me:

auth    include         system-auth
account include         system-auth
password        include         system-auth
session include         system-auth

PAM authentication works well with my other subsystems (e.g., sshd).

Should more information be needed just ask.

If anybody has any idea about what I am doing wrong I would very much
appreciate hearing about it.  Many thanks in advance!

Best regards,
Stefan
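As an added example (not part of this post and not FreeRADIUS code), here is a small triage helper that reads `radiusd -X` debug output of the kind quoted above, groups the per-module return codes by request id and section, records the Auth-Type decision and any module `ERROR:` lines, and turns them into plain-language findings. The sample input is constructed from the two excerpts in the post; the hint text for a `unix = notfound` result reflects rlm_unix's behaviour of looking the user up in the password and shadow databases, and the reading that a notfound for an existing user usually means the shadow entry could not be read by the (unprivileged) radiusd process is the author's interpretation, not something the post states.

```python
"""Triage `radiusd -X` output: which module decided the outcome of each request?"""
import re
from collections import defaultdict

# Constructed sample, adapted from the two debug excerpts quoted in the post.
SAMPLE_DEBUG = """\
(2)   authorize {
(2)     [chap] = noop
(2)     [eap] = noop
(2)     [unix] = notfound
(2) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(2)     [pap] = noop
(2)   } # authorize = ok
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0)   authorize {
(0)     [unix] = notfound
(0) files: users: Matched entry DEFAULT at line 7
(0)     [files] = ok
(0)     [pap] = noop
(0)   } # authorize = ok
(0) Found Auth-Type = pam
(0)   authenticate {
(0) pam: Using pamauth string "radiusd" for pam.conf lookup
(0) pam: ERROR: pam_authenticate failed: Authentication failure
(0)     [pam] = reject
(0)   } # authenticate = reject
(0) Failed to authenticate the user
"""

# Line shapes used by the FreeRADIUS 3.x debug output.
SECTION_OPEN = re.compile(r"^\((\d+)\)\s+(\w+) \{$")
SECTION_CLOSE = re.compile(r"^\((\d+)\)\s+\} # (\w+) = (\w+)$")
MODULE_RC = re.compile(r"^\((\d+)\)\s+\[([\w.-]+)\] = (\w+)$")
AUTH_TYPE = re.compile(r"^\((\d+)\) Found Auth-Type = (\S+)$")
NO_AUTH_TYPE = re.compile(r"^\((\d+)\) ERROR: No Auth-Type found")
MODULE_ERROR = re.compile(r"^\((\d+)\) ([\w.-]+): ERROR: (.*)$")


def new_request():
    return {"sections": defaultdict(list), "section_rc": {}, "auth_type": None,
            "no_auth_type": False, "errors": []}


def parse_debug(text):
    """Group module return codes by request id and by the section they ran in."""
    requests = defaultdict(new_request)
    current = {}  # request id -> section currently open
    for line in text.splitlines():
        if (m := SECTION_OPEN.match(line)):
            current[m.group(1)] = m.group(2)
        elif (m := SECTION_CLOSE.match(line)):
            requests[m.group(1)]["section_rc"][m.group(2)] = m.group(3)
            current.pop(m.group(1), None)
        elif (m := MODULE_RC.match(line)):
            rid, module, rc = m.groups()
            requests[rid]["sections"][current.get(rid, "?")].append((module, rc))
        elif (m := AUTH_TYPE.match(line)):
            requests[m.group(1)]["auth_type"] = m.group(2)
        elif (m := NO_AUTH_TYPE.match(line)):
            requests[m.group(1)]["no_auth_type"] = True
        elif (m := MODULE_ERROR.match(line)):
            requests[m.group(1)]["errors"].append((m.group(2), m.group(3)))
    return dict(requests)


def triage(req):
    """Explain a rejected request in terms of the recorded module results."""
    findings = []
    if req["no_auth_type"]:
        findings.append("authorize set no Auth-Type, so the request was rejected "
                        "before authenticate ran")
        rcs = dict(req["sections"].get("authorize", []))
        if rcs.get("unix") == "notfound":
            # Hint (author's interpretation): rlm_unix looks the user up in the
            # password and shadow databases; notfound for an existing user
            # usually means the shadow entry is unreadable by the radiusd user.
            findings.append("unix returned notfound: rlm_unix got no password entry "
                            "for the user (check that the radiusd user can read the "
                            "shadow database)")
        if rcs.get("pap") == "noop":
            findings.append("pap stayed noop because no module supplied a "
                            "known-good password")
    for module, rc in req["sections"].get("authenticate", []):
        if rc == "reject":
            detail = "; ".join(msg for name, msg in req["errors"] if name == module)
            findings.append(f"{module} rejected the request in authenticate: "
                            f"{detail or 'no error detail'}")
    return findings


def summarise(text):
    """Map each request id in the debug text to its list of findings."""
    return {rid: triage(req) for rid, req in parse_debug(text).items()}


if __name__ == "__main__":
    for rid, findings in summarise(SAMPLE_DEBUG).items():
        print(f"request {rid}:")
        for item in findings:
            print("  -", item)
```

Run it on a saved `radiusd -X` capture instead of `SAMPLE_DEBUG` to get the same per-request summary; the regexes only match the structural lines, so unrelated module chatter (the `suffix:` and `pap: WARNING:` lines, for instance) is ignored.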

