What I am trying to set up is as follows:

1. Oracle backend for authenticating SFTP clients (openssh)

What I have done so far:

Set up a second ssh for the SFTP only.
Updated the sshd_config for using PAM.

Request comes to AAA and fails as shown in the logs below. Also note the password shows as *"\010\n\r\177INCORRECT"*.

The sites-enabled default looks like the following:

"
authorize {
    sql
    expiration
    logintime
}

authenticate {
    # I have tried just pam as you have suggested and it still says No-Auth
    Auth-Type PAM {
        pam
    }
}

preacct {
    preprocess
    acct_unique
    suffix
    files
}

accounting {
    detail
    unix
    radutmp
    exec
    attr_filter.accounting_response
}

session {
    radutmp
}

post-auth {
    sql
}

pre-proxy {
}

post-proxy {
}
"

As requested I am attaching the radiusd -X log:

rad_recv: Access-Request packet from host Y.Y.Y.Y port 6975, id=15, length=114
    User-Name = "test"
    *User-Password = "\010\n\r\177INCORRECT"*
    NAS-IP-Address = Y.Y.Y.Y
    NAS-Identifier = "openssh"
    NAS-Port = 5950
    NAS-Port-Type = Virtual
    Service-Type = Authenticate-Only
    Calling-Station-Id = "somebody"
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[sql] expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> test
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'test' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='test'
[sql] expand: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id -> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
[sql] User found in group SFTP_Client
[sql] expand: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = '%{SQL-User-Name}' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id -> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,radusergroup WHERE radusergroup.Username = 'test' AND radusergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 15 to 199.106.120.244 port 6975
Password == "test"
Waking up in 4.9 seconds.
Cleaning up request 0 ID 15 with timestamp +10
Ready to process requests.
On Thu, Feb 17, 2011 at 5:42 PM, Marc Phillips <rm...@copacetic.net> wrote:
> > Sending Access-Request of id 58 to X.X.X.X port Y
> >     User-Name = "test"
> >     User-Password = "test"
> >     NAS-IP-Address = X.X.X.X
> >     NAS-Port = Y
> >     Framed-Protocol = PPP
> > rad_recv: Access-Accept packet from host X.X.X.X port Y, id=58, length=38
> >
> > The freeradius is setup with an oracle db backend.
>
> I had something similar with PAM. What I did is have a user entry like:
>
> DEFAULT Ldap-Group == "mygroup", Auth-Type = pam
>     Reply-Message = "Hello (admin), %{User-Name}",
>     Fall-Through = No
>
> and in my sites-enabled default:
>
> authorize {
>     preprocess
>     auth_log
>     files
>     ldap
> }
>
> authenticate {
>     pam
> }
>
> You'll obviously have some sort of sql auth-type and probably won't
> need the LDAP stuff.
>
> Hope this helps.
>
> R. Marc
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
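Added example (not code from the thread or from FreeRADIUS): a small Python model, backed by sqlite3, of the radcheck / radusergroup / radgroupcheck tables using the same SELECT statements rlm_sql expanded in the debug log above. It reproduces the two conditions the log complains about (no Auth-Type check item anywhere for the user, and a plaintext password stored as User-Password rather than Cleartext-Password), then applies the SQL counterpart of the users-file suggestion in the reply: an `Auth-Type := PAM` check item on the SFTP_Client group. Table and column names come from the log; the sqlite schema, the sample rows and the function names are constructed for this example, and the Oracle backend itself is not involved.

```python
import sqlite3

# Constructed schema mirroring the three tables queried in the radiusd -X log
# (column names as they appear in the log's SELECTs). Not the FreeRADIUS schema file.
SCHEMA = """
CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, Attribute TEXT, op TEXT, Value TEXT);
CREATE TABLE radusergroup (UserName TEXT, GroupName TEXT, priority INTEGER);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, GroupName TEXT, Attribute TEXT, op TEXT, Value TEXT);
"""

# The queries rlm_sql expanded in the log, with %{SQL-User-Name} as a bind parameter.
Q_USER_CHECK = ("SELECT id,UserName,Attribute,Value,op FROM radcheck "
                "WHERE Username = ? ORDER BY id")
Q_GROUP_CHECK = ("SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,"
                 "radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,radusergroup "
                 "WHERE radusergroup.Username = ? "
                 "AND radusergroup.GroupName = radgroupcheck.GroupName "
                 "ORDER BY radgroupcheck.id")


def check_items(conn, username):
    """Collect the check items the authorize section would see for a user:
    per-user radcheck rows first, then radgroupcheck rows of every group the user is in.
    Each item is (source_table, attribute, op, value)."""
    items = []
    for _id, _user, attr, value, op in conn.execute(Q_USER_CHECK, (username,)):
        items.append(("radcheck", attr, op, value))
    for _id, _group, attr, value, op in conn.execute(Q_GROUP_CHECK, (username,)):
        items.append(("radgroupcheck", attr, op, value))
    return items


def lint(conn, username):
    """Return a list of the misconfigurations visible in the log for this user.
    An empty list means the authorize phase has what it needs to pick a method."""
    attrs = {attr for _src, attr, _op, _val in check_items(conn, username)}
    problems = []
    if "Auth-Type" not in attrs:
        problems.append("no Auth-Type check item: "
                        "'No authenticate method (Auth-Type) found for the request'")
    if "User-Password" in attrs:
        problems.append("User-Password stored as a check item: "
                        "use Cleartext-Password instead (see man rlm_pap)")
    return problems


def broken_db():
    """Constructed reproduction of the state in the log: user 'test' in group
    SFTP_Client, a User-Password == 'test' row in radcheck, and no Auth-Type anywhere."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO radcheck (UserName,Attribute,op,Value) "
                 "VALUES ('test','User-Password','==','test')")
    conn.execute("INSERT INTO radusergroup VALUES ('test','SFTP_Client',1)")
    return conn


def fixed_db():
    """Same data with the fix applied: drop the password row (PAM checks the password
    against the system stack, so rlm_sql does not need one) and force Auth-Type := PAM
    for the whole SFTP_Client group, the SQL equivalent of the DEFAULT ... Auth-Type = pam
    users-file entry suggested in the reply."""
    conn = broken_db()
    conn.execute("DELETE FROM radcheck WHERE UserName='test' AND Attribute='User-Password'")
    conn.execute("INSERT INTO radgroupcheck (GroupName,Attribute,op,Value) "
                 "VALUES ('SFTP_Client','Auth-Type',':=','PAM')")
    return conn


if __name__ == "__main__":
    for label, conn in (("before", broken_db()), ("after", fixed_db())):
        print(f"[{label}] check items: {check_items(conn, 'test')}")
        for problem in lint(conn, "test") or ["ok"]:
            print(f"[{label}] {problem}")
```

Running it prints the two problems for the "before" state and "ok" for the "after" state. Against the real Oracle backend the same two rows are what matter: there is no Auth-Type row for the user or the SFTP_Client group, so authorize finishes without selecting a method and the `Auth-Type PAM { pam }` block in authenticate is never reached. The unprintable password in the request is a separate issue from the missing Auth-Type; the log itself points at the shared secret for that one.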