Hi, I was trying to find a PAM-Radius mailing list and it seems that this is the best one.
An Ubuntu 7.4 box needs to be configured such that SSH users will be authenticated against an external FreeRadius server. The FreeRadius server version is 1.1.7-1build4. The Ubuntu box uses OpenSSH 4.3-p2 and /etc/ssh/sshd_config is set to "UsePAM yes". I downloaded PAM_Radius 1.3.17.

Below is the procedure that I use to have Radius authenticate a user in /etc/passwd (/etc/shadow doesn't have the password for that user).

1. The FreeRadius server configures its clients.conf and user file to include a new user called "test1".
2. On my Ubuntu 7.4 box, use the "useradd" command to add a user "test1" but don't set a password. So the user "test1" on the Ubuntu box will be inactive.
3. Configure /etc/pam.d/ssh on the Ubuntu box to use "auth sufficient pam_radius_auth.so".
4. Also update the /etc/raddb/server on the Ubuntu box to point to the remote Radius server IP.
5. Try ssh te...@ubuntu box and it worked. I also monitored the Free Radius logging and it did show that the Access-Request packets went to the Radius server.

So steps 1-5 worked well for me. Note that at step 2, the user account to be authenticated is added to /etc/passwd.

The issue is: if step 2 is omitted, SSH login will fail. ACCESS_REQUEST packets with an INCORRECT password were even sent to the Radius server. Further troubleshooting showed that the PAM_Radius module got a bad password from PAM. I did some research on the website and some emails dated 2006 said that PAM_Radius can only authenticate user accounts in the /etc/passwd file. Is that right?

Many thanks in advance,
Feng
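A preflight check for the client-side prerequisites listed in steps 2 to 4 above, as an added example that is not part of the original post or of pam_radius_auth. The function names are hypothetical, file paths are passed as arguments, and the sample files, the 192.0.2.10 address and the placeholder secret are constructed.

```shell
#!/bin/sh
# Added example: client-side preflight for the setup described in the post.
# File paths are arguments so the checks can run on copies of the files.

sshd_uses_pam() {            # $1 = sshd_config; sshd keeps the first value it reads
    awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1" | grep -qx yes
}

pam_stack_has_radius() {     # $1 = PAM service file, e.g. /etc/pam.d/ssh
    awk '$1 == "auth" && /pam_radius_auth\.so/ { ok = 1 } END { exit !ok }' "$1"
}

radius_server_configured() { # $1 = server file, lines of "server[:port] secret [timeout]"
    awk '!/^[ \t]*#/ && NF >= 2 { ok = 1 } END { exit !ok }' "$1"
}

user_in_passwd() {           # $1 = login name, $2 = passwd-format file
    awk -F: -v u="$1" '$1 == u { ok = 1 } END { exit !ok }' "$2"
}

# Prints one line per missing prerequisite; exit status is the number missing.
preflight() {                # $1 user, $2 sshd_config, $3 PAM file, $4 server file, $5 passwd
    fails=0
    sshd_uses_pam "$2"            || { echo "FAIL: UsePAM is not yes in $2"; fails=$((fails + 1)); }
    pam_stack_has_radius "$3"     || { echo "FAIL: no auth line with pam_radius_auth.so in $3"; fails=$((fails + 1)); }
    radius_server_configured "$4" || { echo "FAIL: no server entry in $4"; fails=$((fails + 1)); }
    user_in_passwd "$1" "$5"      || { echo "FAIL: $1 has no entry in $5 (step 2)"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed sample files mirroring steps 2-4; address and secret are placeholders.
make_sample() {              # $1 = directory to fill
    printf '# constructed\nUsePAM yes\n' > "$1/sshd_config"
    printf 'auth sufficient pam_radius_auth.so\n' > "$1/ssh"
    printf '# server[:port] secret timeout\n192.0.2.10 PLACEHOLDER_SECRET 3\n' > "$1/server"
    printf 'test1:x:1001:1001::/home/test1:/bin/sh\n' > "$1/passwd"
}

demo=$(mktemp -d)
make_sample "$demo"
preflight test1 "$demo/sshd_config" "$demo/ssh" "$demo/server" "$demo/passwd" && echo "test1: all prerequisites present"
preflight test2 "$demo/sshd_config" "$demo/ssh" "$demo/server" "$demo/passwd" || echo "test2: $? prerequisite(s) missing"
rm -rf "$demo"
```

On a live host, `getent passwd <user>` covers the same lookup as `user_in_passwd` and also consults any non-file NSS sources.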