Re: FreeRadius, SQL, PAM, and Headaches
I got it to work from the command line. Now I can run radtest from the test workstation and it successfully connects to the server and authenticates the username and password. I’m still having trouble with the pam_radius_auth module though. More to the point, I’m having trouble with PAM. Here are the contents of the important files (what I think are relevant files):

/etc/pam.d/sshd (on workstation):

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_radius_auth.so debug
    auth       required     /lib/security/pam_stack.so service=system-auth
    auth       required     /lib/security/pam_nologin.so
    account    required     /lib/security/pam_stack.so service=system-auth
    password   sufficient   /lib/security/pam_radius_auth.so debug
    password   required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_stack.so service=system-auth
    session    required     /lib/security/pam_limits.so
    session    optional     /lib/security/pam_console.so

/etc/pam.d/system-auth (on workstation):

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok
    auth        required      /lib/security/pam_deny.so
    account     required      /lib/security/pam_unix.so
    password    required      /lib/security/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/pam_deny.so
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so

/etc/raddb/server (on workstation) file only has:

    servername:1645 testsecret 3

If anyone has any ideas on what could be wrong, let me know.

Shannon
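A small evaluator of Linux-PAM control flags, added here as an illustration (it is not code from the thread), run over the three auth lines of the sshd file above. It shows the consequence of putting pam_radius_auth.so first as "sufficient": when RADIUS accepts the password, the "required" modules after it (pam_stack.so for the local system-auth stack, and pam_nologin.so) are never called, so /etc/nologin is not consulted for RADIUS-authenticated logins; only when RADIUS rejects does the stack fall through to them.

```python
# Control flags and modules copied from the auth section of the /etc/pam.d/sshd
# posted above (module arguments dropped except the pam_stack service name).
SSHD_AUTH_STACK = [
    ("sufficient", "pam_radius_auth.so"),
    ("required",   "pam_stack.so service=system-auth"),
    ("required",   "pam_nologin.so"),
]

def run_stack(stack, results):
    """Walk one PAM management group (here: auth) with Linux-PAM's simple
    control flags. `results` maps module -> True (PAM_SUCCESS) or False;
    a module missing from `results` is treated as failing (fail closed).
    Returns (outcome, list of modules that were actually called)."""
    called = []
    required_failed = False
    for control, module in stack:
        called.append(module)
        ok = results.get(module, False)
        if control == "required":
            # the failure is remembered, but the rest of the stack still runs
            required_failed = required_failed or not ok
        elif control == "requisite":
            if not ok:
                return ("fail", called)
        elif control == "sufficient":
            # success ends the stack at once unless a required module already
            # failed; a failing sufficient module is simply ignored
            if ok and not required_failed:
                return ("success", called)
        elif control == "optional":
            pass  # only decisive when it is the sole module; ignored here
        else:
            raise ValueError("unsupported control flag: %s" % control)
    return ("fail" if required_failed else "success", called)

def radius_accepts():
    """RADIUS says yes: the stack ends after the first module."""
    return run_stack(SSHD_AUTH_STACK, {"pam_radius_auth.so": True})

def radius_rejects_local_ok():
    """RADIUS says no (or is unreachable): local password and nologin apply."""
    return run_stack(SSHD_AUTH_STACK, {"pam_radius_auth.so": False,
                                       "pam_stack.so service=system-auth": True,
                                       "pam_nologin.so": True})

if __name__ == "__main__":
    print(radius_accepts())           # ('success', ['pam_radius_auth.so'])
    print(radius_rejects_local_ok())  # ('success', [... all three modules ...])
```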
RE: mysql auth
Duane,

They're in radcheck. It should be:

    Id number, username, attribute, op, value

where the attribute is the actual word "Password", the op is "==" and the value is whatever the password is for the user.

Shannon

From: "Duane Barnes" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: mysql auth
Date: Tue, 21 Jan 2003 08:51:34 -0500
Reply-To: [EMAIL PROTECTED]

Does anyone know which table the passwords for the users are stored in?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
FreeRadius, SQL, PAM, and Headaches
Alan, I finally figured out what my problem was with the Freeradius server communicating to the SQL database, and I got that up and working (from the localhost). Thank you everybody for all your help. :-) Now I’m trying to figure out how to get my workstations to communicate with the server. I’m running Red Hat 8, which has a slightly different PAM setup than previous versions. From my rather limited understanding of PAM, it looks like almost every application refers back to /etc/pam.d/system-auth to authenticate. I tried adding the line “auth sufficient /lib/security/pam_radius_auth.so” into sshd, but it doesn’t work. It gives me a protocol error. The FreeRadius server never even gets the request, so it must be something to do with PAM or the client setup. I tried running radtest from the client command line, but that also never gets to the server (or doesn’t show up when it’s in debug mode). After I get that working, I would like it to map a couple directories via NFS (or something more secure, if possible). Any ideas? Shannon
Re: Re: Re: SQL Authorization / Authentication
Alan,

My users file isn’t very large. I’m not going to pretend to know what most of this means, but suffice it to say that I don’t have any dial-in users, so I’m not sure that the PPP, CSLIP, or SLIP parts apply. If they don’t, should I comment them out? Also, I don’t think the Default Auth-type should be System, but I didn’t see any other option, besides Reject. Is there an SQL option? The contents of my /etc/raddb/users file are as follows:

    DEFAULT Auth-Type := System
            Fall-Through = Yes

    DEFAULT Service-Type == Framed-User
            Framed-IP-Address = 255.255.255.254,
            Framed-MTU = 576,
            Service-Type = Framed-User,
            Fall-Through = Yes

    DEFAULT Framed-Protocol == PPP
            Framed-Protocol = PPP,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Hint == "CSLIP"
            Framed-Protocol = SLIP,
            Framed-Compression = Van-Jacobson-TCP-IP

    DEFAULT Hint == "SLIP"
            Framed-Protocol = SLIP

Shannon

"Shannon Johnson" <[EMAIL PROTECTED]> wrote:
> That's what I thought, but the definition of Authorization and
> Authentication got me a little confused. New question now..
> rlm_sql (sql): User not found in radgroupcheck
> rlm_sql (sql): User not found
> rlm_sql (sql): Released sql socket id: 2
> modcall[authorize]: module "sql" returns notfound...
> From what I can tell, it's not passing the username (or password, for
> that matter) to the SQL database. Would that be a correct assumption? If
> so, do you have any suggestions on what to do to fix?

Look through the SQL configuration, seeing why the user doesn't match. I'd suggest debugging it with the 'users' file first, though. Get the config working for the user, and then move it over to SQL. That way you're tracking down one problem at a time.

Alan DeKok.
Re: Re: SQL Authorization / Authentication
Alan,

That’s what I thought, but the definition of Authorization and Authentication got me a little confused. New question now... I have the MySQL database set up with a test account (username test, password test). When I run “radiusd -xxp 1645” and try “radtest test test localhost:1645 0 testing”, it gives me a bunch of stuff, but the part that stands out is the following:

    rad_recv: Access-Request packet from host 130.203.224.111:32769, id=167, length=56
    Thread 2 assigned request 1
    --- Walking the entire request list ---
    Threads: total/active/spare threads = 5/1/4
    Waking up in 5 seconds...
    Thread 2 handling request 1, (1 handled so far)
            User-Name = "test"
            User-Password = "test"
            NAS-IP-Address = 255.255.255.255
            NAS-Port = 0
    modcall: entering group authorize
      modcall[authorize]: module "preprocess" returns ok
    rlm_chap: Could not find proper Chap-Password attribute in request
      modcall[authorize]: module "chap" returns noop
      modcall[authorize]: module "mschap" returns notfound
        rlm_realm: No '@' in User-Name = "test", looking up realm NULL
        rlm_realm: No such realm NULL
      modcall[authorize]: module "suffix" returns noop
    radius_xlat:  'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id'
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql_mysql: query:  SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id
    rlm_sql (sql): User not found in radcheck
    radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
    rlm_sql_mysql: query:  SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
    radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
    rlm_sql_mysql: query:  SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
    rlm_sql (sql): User not found in radgroupcheck
    rlm_sql (sql): User not found
    rlm_sql (sql): Released sql socket id: 2
      modcall[authorize]: module "sql" returns notfound
        users: Matched DEFAULT at 152
      modcall[authorize]: module "files" returns ok
    modcall: group authorize returns ok
      rad_check_password:  Found Auth-Type System

From what I can tell, it’s not passing the username (or password, for that matter) to the SQL database. Would that be a correct assumption? If so, do you have any suggestions on what to do to fix? Thanks for your help!

Shannon

"Shannon Johnson" <[EMAIL PROTECTED]> wrote:
> I need this radius server to authenticate / authorize (still a
> little hazy on the difference) console and ssh access to 10
> workstations. The requests would come in to the workstation, get
> routed to the server via a pam module, hit the freeradius server,
> verify the username and password in the database, and let the person
> on if their info is correct. First question, is this possible?

For username/password verification, yes. They'll still have to get uid/gid/shell from somewhere, though.

> I just got done reading about the differences between authorization
> and authentication, and from what I gather, freeradius can't do
> authentication to an SQL database. Is that correct?

Yes. It won't try to log users into an SQL database.

> Ideally, what I would like, is to have a database holding all the
> usernames and passwords (holding in clear text, but transmitting
> encrypted, if that matters). Can I do that with freeradius?

Yes. That's storing the username/password in SQL, and letting FreeRADIUS use that information to authenticate them.

Alan DeKok.
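The radcheck layout described in the "mysql auth" reply above and the check-item query from the debug output (where Username was substituted as '') together, as an added example that is not part of the thread: a constructed in-memory sqlite copy of radcheck holding the test/test account, the same SELECT with the user name bound as a parameter, and the check-item evaluation applied to the rows, where a "Password" item with op "==" must equal the User-Password in the request. Assumptions: sqlite stands in for MySQL, and only the "==" operator is modelled, which is all the thread uses.

```python
import hmac
import sqlite3

# The check-item query that appeared in the radiusd debug output above, with the
# user name passed as a bound parameter (the log showed it substituted as '').
RADCHECK_QUERY = ("SELECT id,UserName,Attribute,Value,op FROM radcheck "
                  "WHERE Username = ? ORDER BY id")

# Check-item attribute names as used in radcheck on the list, mapped to the
# request attribute they are compared against.
CHECK_TO_REQUEST = {"Password": "User-Password", "User-Password": "User-Password"}

def build_db():
    """Constructed in-memory radcheck table holding the list's test/test account
    (id, username, attribute, op, value, as the reply above describes)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radcheck (id INTEGER PRIMARY KEY, UserName TEXT, "
               "Attribute TEXT, op TEXT, Value TEXT)")
    db.execute("INSERT INTO radcheck (UserName, Attribute, op, Value) "
               "VALUES ('test', 'Password', '==', 'test')")
    db.commit()
    return db

def check_items(db, username):
    """Rows rlm_sql gets back for this User-Name: none when the name is ''."""
    return db.execute(RADCHECK_QUERY, (username,)).fetchall()

def authorize(db, request):
    """Evaluate the radcheck rows against an Access-Request (dict of attribute
    name -> value). Returns 'notfound' when no rows match (what the log showed
    for Username ''), 'reject' when any check item fails, 'ok' when all hold.
    Simplification: only '==' is modelled; any other operator fails closed."""
    rows = check_items(db, request.get("User-Name", ""))
    if not rows:
        return "notfound"
    for _id, _user, attribute, value, op in rows:
        sent = request.get(CHECK_TO_REQUEST.get(attribute, attribute))
        # constant-time comparison so the check does not leak the stored value
        if op != "==" or sent is None or not hmac.compare_digest(value, sent):
            return "reject"
    return "ok"

if __name__ == "__main__":
    db = build_db()
    # Username '' as in the posted debug log: rlm_sql reports "User not found".
    print(authorize(db, {"User-Name": "", "User-Password": "test"}))     # notfound
    print(authorize(db, {"User-Name": "test", "User-Password": "test"}))  # ok
```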
SQL Authorization / Authentication
I got the radius server talking to the sql database finally (thanks Nick). I now have another question. I need this radius server to authenticate / authorize (still a little hazy on the difference) console and ssh access to 10 workstations. The requests would come in to the workstation, get routed to the server via a pam module, hit the freeradius server, verify the username and password in the database, and let the person on if their info is correct. First question, is this possible? I just got done reading about the differences between authorization and authentication, and from what I gather, freeradius can't do authentication to an SQL database. Is that correct? Ideally, what I would like, is to have a database holding all the usernames and passwords (holding in clear text, but transmitting encrypted, if that matters). Can I do that with freeradius?

Shannon
re: re: rlm_sql errors
> Nick,
>
> > Which options should I pass? I install all the MySQL parts (including
> > devel) to their default places... the configuring and the compiling don't
> > give me any errors, so I'm assuming it found mysql and enabled support for
> > it.
>
> --with-mysql-include-dir=DIR  Directory where the MySQL includes can be found
> --with-mysql-lib-dir=DIR      Directory where the MySQL libraries can be found
> --with-mysql-dir=DIR          Base directory where MySQL is installed
> --with-thread-pool            Use a pool of threads for high-load systems. (default=no) ***very important to turn on***
> --localstatedir=/var          Directory for logfiles [LOCALSTATEDIR/log]

I tried that... what I don’t know is WHAT libraries it’s looking for. Rather than saying “it’s looking for the mysql libraries”, which I already know, can you list the file names?

> Here is what I use on a debian machine. Just change the paths to match your
> file locations.
>
> ./configure --localstatedir=/var --sysconfdir=/etc --with-thread-pool
> --with-mysql-include-dir=/usr/include/mysql/ --with-mysql-lib-dir=/usr/lib/
> --with-mysql-dir=/usr/bin/

I’ve already done this. I’ve also tried including the --disable-shared option, which was mentioned in the all-mighty FAQ... didn’t work.

> > Where are the mysql shared libraries installed by default? I'm not exactly
> > a mysql expert...
>
> This has nothing to do with being a mysql expert. It has to do with being a
> system admin and knowing how your system works. I don't know if you are new
> to linux or what.. but here is how to find out the answer to this question:
>
> try this:
>
> rpm -ql
>
> It will list all files and their locations that came from that rpm.

It doesn’t give me back any information at all, except on builds that were installed by the system when it was first built.

> If you don't know what it is expecting for package name, try this
> rpm -qa | grep mysql
>
> It will list all packages with mysql in their name:)
>
> Read "man rpm" for more info!
>
> Nick

'rpm -qa | grep mysql' gives me only 3 packages… those packages were installed at build time. And before you ask, yes, I DID install all the mysql packages, and all of them are working (I can access the databases both at the machine and remotely). Is there any other command that I might not have thought of to give me information on an rpm that I’ve installed?

Shannon
RE: re: rlm_sql errors
From: "Alan DeKok" <[EMAIL PROTECTED]>

> > I'm trying to get FreeRadius to work with MySQL, but it isn't working.
> > Every time I run radiusd, it doesn't start, and the log gives me:
> >
> > Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Could not link driver
> > rlm_sql_mysql: file not found
>
> You would think that this question would be addressed in the FAQ, or
> in the documentation which comes with the server.
>
> Oh, wait, it is...
>
> What's preventing you from reading the FAQ?
>
> Alan DeKok.

You would think that a normal person of slightly above average would have thought of that. Oh, wait, I did... I already read the FAQ, and it didn't help. That's why I left the message here.

--__--__--

From: Simon White <[EMAIL PROTECTED]>

> > Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Could not link driver
> > rlm_sql_mysql: file not found
> >
> > Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Make sure it (and all
> > its dependent libraries!) are in the search path of your system's ld.
> >
> > Fri Jan 17 11:14:36 2003 : Error: radiusd.conf[14]: sql: Module
> > instantiation failed.
> >
> > Exactly which libraries does it need? I bought the Radius book from
> > O'Reilly, and there isn't anything of use in there... I tried adding
> > /usr/local/lib to the /etc/ld.so.conf and running ldconfig, but that
> > didn't work (do I need to recompile freeradius afterwards?). I also
> > tried compiling freeradius using the -disable-sharing flag, but that
> > didn't work either. I have freeradius 0.8.1 and mysql 3.23.54a (bench,
> > client, server, and devel). If anyone has any ideas on what I should
> > try, or if you could provide a list of exactly which libraries it needs
> > to find, I can link them manually...?
>
> Did you pass the options to configure in order to enable mysql at
> compile time?

Which options should I pass? I install all the MySQL parts (including devel) to their default places... the configuring and the compiling don't give me any errors, so I'm assuming it found mysql and enabled support for it.

--__--__--

> From: Genoud Richard <[EMAIL PROTECTED]>
>
> you may not have compiled the mysql module...
> you need the devel rpm (mysql-devel-X.X.X.X.rpm)

I installed all of them (including mysql-devel-3.23.54a-1.rpm)... twice, just to make sure there weren't any errors that I missed on the first try.

--__--__--

> From: Gustavo Lozano <[EMAIL PROTECTED]>
>
> This is Solaris UltraSparc
>
> I recompiled mysql with shared libs enabled and now it is working
> Rgds

Where are the mysql shared libraries installed by default? I'm not exactly a mysql expert...
rlm_sql errors
I’m trying to get FreeRadius to work with MySQL, but it isn’t working. Every time I run radiusd, it doesn’t start, and the log gives me:

    Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
    Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
    Fri Jan 17 11:14:36 2003 : Error: radiusd.conf[14]: sql: Module instantiation failed.

Exactly which libraries does it need? I bought the Radius book from O’Reilly, and there isn’t anything of use in there… I tried adding /usr/local/lib to the /etc/ld.so.conf and running ldconfig, but that didn’t work (do I need to recompile freeradius afterwards?). I also tried compiling freeradius using the -disable-sharing flag, but that didn’t work either. I have freeradius 0.8.1 and mysql 3.23.54a (bench, client, server, and devel). If anyone has any ideas on what I should try, or if you could provide a list of exactly which libraries it needs to find, I can link them manually…? Thanks in advance!

Shannon Johnson
Systems Administrator
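The "Could not link driver rlm_sql_mysql" error above is rlm_sql failing to dlopen the driver module. An added diagnostic, not code from the thread or from FreeRADIUS, that reads the ld.so.conf directories the post mentions, looks for the driver there and asks the dynamic loader itself to load it, so that the loader's own error text names whichever dependent library it cannot find (the answer to "exactly which libraries does it need?"). The demo() fixture is entirely constructed: a private ld.so.conf and a bogus, non-ELF rlm_sql_mysql.so in a temporary directory, so the loader is guaranteed to reject it.

```python
import ctypes
import glob
import os
import tempfile

def read_ld_so_conf(path, seen=None):
    """Directories listed in an ld.so.conf file, following 'include' globs."""
    seen = set() if seen is None else seen
    if path in seen or not os.path.isfile(path):
        return []
    seen.add(path)
    dirs = []
    with open(path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if line.startswith("include "):
                for inc in sorted(glob.glob(line[8:].strip())):
                    dirs += read_ld_so_conf(inc, seen)
            elif line:
                dirs.append(line)
    return dirs

def diagnose_driver(dirs, name="rlm_sql_mysql"):
    """Locate <name>.so in dirs (on a real host: LD_LIBRARY_PATH entries, then
    read_ld_so_conf('/etc/ld.so.conf'), then /lib and /usr/lib) and dlopen it
    the way rlm_sql does. Returns (path or None, error or None); the dlopen
    error text names whichever dependent library the loader cannot find."""
    for d in dirs:
        cand = os.path.join(d, name + ".so")
        if os.path.isfile(cand):
            try:
                ctypes.CDLL(cand)          # same loader rules as the module load
                return (cand, None)
            except OSError as exc:
                return (cand, str(exc))
    return (None, name + ".so is not in any searched directory")

def demo():
    """Constructed fixture (not a real install): a private ld.so.conf that
    includes a conf.d file naming a directory holding a bogus rlm_sql_mysql.so."""
    root = tempfile.mkdtemp()
    libdir = os.path.join(root, "usr-local-lib")
    os.makedirs(os.path.join(root, "ld.so.conf.d"))
    os.makedirs(libdir)
    with open(os.path.join(root, "ld.so.conf.d", "local.conf"), "w") as fh:
        fh.write(libdir + "\n")
    conf = os.path.join(root, "ld.so.conf")
    with open(conf, "w") as fh:
        fh.write("include %s/ld.so.conf.d/*.conf\n" % root)
    with open(os.path.join(libdir, "rlm_sql_mysql.so"), "w") as fh:
        fh.write("not a shared object\n")
    dirs = read_ld_so_conf(conf)
    return dirs, diagnose_driver(dirs)
```

On a real host, remember that the loader consults the ldconfig cache rather than re-reading ld.so.conf, so a directory added to ld.so.conf takes effect only after ldconfig has been run.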