Odd behavior on authentication

Alan DeKok aland at deployingradius.com
Wed Nov 8 19:31:37 UTC 2023

On Nov 8, 2023, at 7:06 PM, Philip Prindeville <philipp_subx at redfish-solutions.com> wrote:
> I had a test client (Ubuntu 22.04) set up, and I was running tcpdump on the server (also Ubuntu, running FreeRADIUS 3.0).
> I had created a username & password on the RADIUS server, and if I tried to log into the client with those credentials, it failed.
> But as soon as I created a "cut out" on the client (same username, but '*' password in the shadow file), I could log in because the server was no longer rejecting the authorization request.
> I don't get it.  How would the server know if there was a local user or not?

  There is debug output.  Read it.


>  Nothing in the messages seems to be different, other than the things you'd expect (the message id, and the random seed that the password gets hashed with).  All other parts of the message looked to be identical.
> How was the client conveying to the server that there wasn't a local account present?

  You're carefully avoiding the only thing which will help you find out what's going on:  the debug output.

  *All* of the documentation says to run the server in debug mode.  It's the only way to understand issues, and fix them.

> Also, I've run "pam-auth-update --enable radius" to get pam_radius_auth.so plugged into the PAM stack, but how do I integrate it into /etc/nsswitch.conf as well?  This is on Ubuntu so I don't have authconfig/authselect which are Red Hat only.

  Ask the PAM people how PAM / nsswitch.conf works.  This isn't a FreeRADIUS issue.

  Alan DeKok.
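
Added example, not part of the original thread and not FreeRADIUS code: the User-Password attribute in an Access-Request is hidden with MD5 over the shared secret and the 16-byte Request Authenticator (RFC 2865, section 5.2), so the same password looks different in every capture and two tcpdump traces cannot be compared by eye. The sketch below implements that hiding and its inverse so the values from two captures can be compared once the shared secret is known; the function names, secret, authenticators and passwords are all constructed for illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), ci = pi XOR MD5(S + c(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block  # the next block is keyed on this ciphertext block
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden value must be 16..128 bytes, multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def same_password(req_a, req_b, secret: bytes) -> bool:
    """Each request is (authenticator, hidden User-Password value)."""
    return (unhide_password(req_a[1], secret, req_a[0])
            == unhide_password(req_b[1], secret, req_b[0]))

# Constructed sample values, not taken from any real capture.
SECRET = b"example-shared-secret"
RA_1, RA_2 = bytes(range(16)), bytes(range(16, 32))
REQ_1 = (RA_1, hide_password(b"users-real-password", SECRET, RA_1))
REQ_2 = (RA_2, hide_password(b"users-real-password", SECRET, RA_2))
REQ_3 = (RA_2, hide_password(b"something-else", SECRET, RA_2))

if __name__ == "__main__":
    print("REQ_1 vs REQ_2 same password:", same_password(REQ_1, REQ_2, SECRET))
    print("REQ_1 vs REQ_3 same password:", same_password(REQ_1, REQ_3, SECRET))
```

Decoding with the wrong shared secret produces garbage rather than an error, which is one reason the server's own debug output is the more reliable place to read what was actually received.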
