Odd behavior on authentication

Philip Prindeville philipp_subx at redfish-solutions.com
Wed Nov 8 18:06:31 UTC 2023


I had a test client (Ubuntu 22.04) set up, and I was running tcpdump on the server (also Ubuntu, running Freeradius 3.0).

I had created a username & password on the Radius server, and if I tried to log into the client with those credentials, it failed.

But as soon as I created a "cut out" on the client (same username, but '*' password in the shadow file), I could log in because the server was no longer rejecting the authorization request.

I don't get it.  How would the server know if there was a local user or not?  Nothing in the messages seems to be different, other than the things you'd expect (the message id, and the random seed that the password gets hashed with).  All other parts of the message looked to be identical.

How was the client conveying to the server that there wasn't a local account present?

Also, I've run "pam-auth-update --enable radius" to get pam_radius_auth.so plugged into the PAM stack, but how do I integrate it into /etc/nsswitch.conf as well?  This is on Ubuntu so I don't have authconfig/authselect which are RedHat only.


More information about the Freeradius-Users mailing list