Hi, I have problems using pam_radius to authenticate users using our freeradius server. I want to use it with openvpn but tested it with ssh.
The new part of my /etc/pam.d/ssh looks like:

    # /etc/security/pam_env.conf.
    auth       required     pam_env.so # [1]
    auth       sufficient   /lib/security/pam_radius_auth.so debug try_first_pass

To nail the problem down I added some debug info to pam_radius_auth.c:

    /* grab the password (if any) from the previous authentication layer */
    retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
    DPRINT(LOG_DEBUG, "Get password retval: %d, %d", retval, PAM_SUCCESS);
    PAM_FAIL_CHECK;
    DPRINT(LOG_DEBUG, "X Got password %s", password);
    if(password) {
      password = strdup(password);
      DPRINT(LOG_DEBUG, "Got password %s", password);
    }

My auth.log file then says:

    Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Got user name enno
    Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Get password retval: 0, 0
    Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: X Got password (null)
    Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Sending RADIUS request code 1
    Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: RADIUS server <our_radius_server> failed to respond
    Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: All RADIUS servers failed to respond.
    Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: authentication failed

There seem to be problems connecting to the radius server sometimes, but I think this isn't the problem here. When the connection works, I get radius response code 3 (afair).

I'm testing this on the target machine (openvpn server) using "ssh -l enno 127.0.0.1" and some random password (first I tried with the correct password and then started debugging).

Looking at the code of pam_radius_auth.c and at the output of auth.log I would say the call to pam seems to not return the AUTHTOK. The call succeeds, but the password pointer is NULL.

Any ideas?

Thanks in advance
Enno Gröper
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html