Authentication against the Unix password database?
Stefan Bruda
stefan at bruda.ca
Wed Oct 18 17:34:34 CEST 2017
Hello,
I am running freeradius-3.0.14 (stable Gentoo, USE="pam python
readline ssl -debug (-firebird) -iodbc -kerberos -ldap -mysql -odbc
-oracle -pcap -postgres -sqlite").
I would like my radius server to authenticate users against the Unix
password database. Direct authentication is preferred but PAM
authentication will do just as well.
With the 2.x version I succeeded in doing this by forcing Auth-Type =
System in the users file and using the "unix" module, but this no
longer works (apparently justifiably so) in the 3.x version.
Now I have the following for my default site:
authorize {
    ...
    unix
    # files
    ...
}
authenticate {
    ...
    pam
    ...
}
I then get the following somewhat puzzling result (with a certified
valid Unix user name and password):
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
...
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "<del>", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: No EAP-Message, not doing EAP
(2) [eap] = noop
(2) [unix] = notfound
(2) [expiration] = noop
(2) [logintime] = noop
(2) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(2) pap: WARNING: Authentication will fail unless a "known good" password is available
(2) [pap] = noop
(2) } # authorize = ok
(2) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
What I am puzzled about is the "notfound" result provided by the unix module.
Next I tried to do PAM authentication by uncommenting the "files" line
in the authorize section and forcing "Auth-Type = Pam" in the users
file. This one at least communicates with the PAM system:
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
...
(0) [unix] = notfound
(0) files: users: Matched entry DEFAULT at line 7
(0) [files] = ok
(0) [expiration] = noop
(0) [logintime] = noop
(0) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type
(0) pap: WARNING: Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = pam
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) pam: Using pamauth string "radiusd" for pam.conf lookup
(0) pam: ERROR: pam_authenticate failed: Authentication failure
(0) [pam] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
I get the following in the logs (login name redacted):
Oct 18 10:23:40 localhost unix_chkpwd[26318]: check pass; user unknown
Oct 18 10:23:40 localhost unix_chkpwd[26319]: check pass; user unknown
Oct 18 10:23:40 localhost unix_chkpwd[26319]: password check failed for user (<del>)
Oct 18 10:23:40 localhost radiusd: pam_unix(radiusd:auth): authentication failure; logname=<del> uid=107 euid=107 tty= ruser= rhost= user=<del>
The file /etc/pam.d/radius looks fine to me:
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
PAM authentication works well with my other subsystems (e.g., sshd).
Should more information be needed just ask.
If anybody has any idea about what I am doing wrong I would very much
appreciate hearing about it. Many thanks in advance!
Best regards,
Stefan
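An added diagnostic, not code from the post or from the FreeRADIUS project: the pam_unix line above shows radiusd calling PAM as uid=107 euid=107, and an unprivileged daemon can neither read /etc/shadow itself (which rlm_unix needs in order to return a hash rather than notfound) nor get the unix_chkpwd helper to verify any account's password but its own. The script extracts the uid/euid from such a log line and does a plain mode-bit check of whether that account can read the shadow file. The sample log line is a constructed copy of the one in the post, and the self-check uses a temporary file rather than the real /etc/shadow.

```python
import grp
import os
import pwd
import re
import stat
import tempfile

# Constructed copy of the pam_unix syslog line from the post (login name redacted).
SAMPLE_LOG = ("Oct 18 10:23:40 localhost radiusd: pam_unix(radiusd:auth): "
              "authentication failure; logname=<del> uid=107 euid=107 tty= "
              "ruser= rhost= user=<del>")
UID_RE = re.compile(r"\buid=(\d+)\s+euid=(\d+)\b")

def daemon_ids(line):
    """Return (uid, euid) of the process that called PAM, or None if absent."""
    m = UID_RE.search(line)
    return (int(m.group(1)), int(m.group(2))) if m else None

def readable_by(path, uid, gids):
    """Plain Unix mode-bit check: can (uid, gids) read path? uid 0 always can."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def shadow_check(log_line, shadow_path="/etc/shadow"):
    """True/False if the euid in log_line can read shadow_path, None if no uid found."""
    ids = daemon_ids(log_line)
    if ids is None:
        return None
    euid = ids[1]
    try:                        # primary gid plus supplementary group memberships
        pw = pwd.getpwuid(euid)
        gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem}
    except KeyError:            # euid has no passwd entry here: no group access at all
        gids = set()
    return readable_by(shadow_path, euid, gids)

def self_check():
    """Evaluate readable_by on a temporary 0640 file for its owner, a stranger and root."""
    with tempfile.NamedTemporaryFile() as tmp:
        os.chmod(tmp.name, 0o640)
        st = os.stat(tmp.name)
        return (readable_by(tmp.name, st.st_uid, {st.st_gid}),
                readable_by(tmp.name, st.st_uid + 1, set()),
                readable_by(tmp.name, 0, set()))
```

A False result from shadow_check on the RADIUS host means the daemon account cannot see the password hashes, which is consistent with both the notfound from unix and the "user unknown" from unix_chkpwd, and that account then needs read access to the shadow database (the shadow group, where the distribution has one). Note also that the debug output shows the PAM service name "radiusd", so PAM looks for /etc/pam.d/radiusd rather than the /etc/pam.d/radius file shown.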