FreeRadius, SQL, PAM, and Headaches
Alan, I finally figured out what my problem was with the Freeradius server communicating to the SQL database, and I got that up and working (from the localhost). Thank you everybody for all your help. :-) Now I'm trying to figure out how to get my workstations to communicate with the server. I'm running Red Hat 8, which has a slightly different PAM setup than previous versions. From my rather limited understanding of PAM, it looks like almost every application refers back to /etc/pam.d/system-auth to authenticate. I tried adding the line "auth sufficient /lib/security/pam_radius_auth.so" into sshd, but it doesn't work. It gives me a protocol error. The FreeRadius server never even gets the request, so it must be something to do with PAM or the client setup. I tried running radtest from the client command line, but that also never gets to the server (or doesn't show up when it's in debug mode). After I get that working, I would like it to map a couple directories via NFS (or something more secure, if possible). Any ideas? Shannon
RE: mysql auth
Duane, They're in radcheck. It should be:

id number, username, attribute, op, value

where the attribute is the actual word Password, the op is == and the value is whatever the password is for the user. Shannon

From: Duane Barnes
Subject: mysql auth
Date: Tue, 21 Jan 2003 08:51:34 -0500

Does anyone know which table the passwords for the users are stored in?

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: FreeRadius, SQL, PAM, and Headaches
I got it to work from the command line. Now I can run radtest from the test workstation and it successfully connects to the server and authenticates the username and password. I'm still having trouble with the pam_radius_auth module though. More to the point, I'm having trouble with PAM. Here are the contents of the important files (what I think are the relevant files):

/etc/pam.d/sshd (on workstation):

#%PAM-1.0
auth       sufficient   /lib/security/pam_radius_auth.so debug
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_radius_auth.so debug
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

/etc/pam.d/system-auth (on workstation):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3 type=
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so

/etc/raddb/server (on workstation) file only has:

servername:1645 testsecret 3

If anyone has any ideas on what could be wrong, let me know. Shannon
SQL Authorization / Authentication
I got the radius server talking to the sql database finally (thanks Nick). I now have another question. I need this radius server to authenticate / authorize (still a little hazy on the difference) console and ssh access to 10 workstations. The requests would come in to the workstation, get routed to the server via a pam module, hit the freeradius server, verify the username and password in the database, and let the person on if their info is correct. First question, is this possible? I just got done reading about the differences between authorization and authentication, and from what I gather, freeradius can't do authentication to an SQL database. Is that correct? Ideally, what I would like, is to have a database holding all the usernames and passwords (holding in clear text, but transmitting encrypted, if that matters). Can I do that with freeradius? Shannon
Re: Re: SQL Authorization / Authentication
Alan, That's what I thought, but the definition of Authorization and Authentication got me a little confused. New question now... I have the MySQL database set up with a test account (username test, password test). When I run "radiusd -xxp 1645" and try "radtest test test localhost:1645 0 testing", it gives me a bunch of stuff, but the part that stands out is the following:

rad_recv: Access-Request packet from host 130.203.224.111:32769, id=167, length=56
Thread 2 assigned request 1
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
        User-Name = test
        User-Password = test
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 0
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module chap returns noop
  modcall[authorize]: module mschap returns notfound
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
radius_xlat: 'SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '' ORDER BY id
rlm_sql (sql): User not found in radcheck
radius_xlat: 'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
rlm_sql_mysql: query: SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id
radius_xlat: 'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql_mysql: query: SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = '' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id
rlm_sql (sql): User not found in radgroupcheck
rlm_sql (sql): User not found
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module sql returns notfound
    users: Matched DEFAULT at 152
  modcall[authorize]: module files returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System

From what I can tell, it's not passing the username (or password, for that matter) to the SQL database. Would that be a correct assumption? If so, do you have any suggestions on what to do to fix? Thanks for your help! Shannon

Shannon Johnson wrote:

> I need this radius server to authenticate / authorize (still a little hazy on the difference) console and ssh access to 10 workstations. The requests would come in to the workstation, get routed to the server via a pam module, hit the freeradius server, verify the username and password in the database, and let the person on if their info is correct. First question, is this possible?

For username/password verification, yes. They'll still have to get uid/gid/shell from somewhere, though.

> I just got done reading about the differences between authorization and authentication, and from what I gather, freeradius can't do authentication to an SQL database. Is that correct?

Yes. It won't try to log users into an SQL database.

> Ideally, what I would like, is to have a database holding all the usernames and passwords (holding in clear text, but transmitting encrypted, if that matters). Can I do that with freeradius?

Yes. That's storing the username/password in SQL, and letting FreeRADIUS use that information to authenticate them. Alan DeKok.
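The exchange above (radtest sending User-Name test / User-Password test with shared secret testing, and the earlier question about storing passwords in clear text while "transmitting encrypted") is worth seeing on the wire. The following is an added example, not code from the thread, from FreeRADIUS or from radtest: it builds the Access-Request radtest sends, hides the password the way RFC 2865 section 5.2 specifies, parses the datagram strictly, and models what a server holding the cleartext value from radcheck does to compare it. The secret, user, password and fixed authenticator are constructed sample values; the server-side function is a model of the comparison, not rlm_sql's own code. The caveat a practitioner should take from it: PAP password hiding is MD5 XOR keyed by the shared secret, so "encrypted in transit" here is only as strong as that secret, and anyone who holds or guesses it recovers every password sent.

```python
"""Added example: RADIUS Access-Request with a PAP User-Password as sent by
radtest, built and parsed by hand (RFC 2865).  Not code from the thread,
FreeRADIUS or radtest.  Secret, user, password and the fixed authenticator
used in the tests are constructed sample values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator.  This is obfuscation keyed by the shared secret,
    not encryption: anyone holding the secret reverses it."""
    if not password or len(password) > 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does before comparing against
    the cleartext value it stores (e.g. the Password row in radcheck)."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return out.rstrip(b"\x00")   # strip padding; passwords never contain NUL


def attr(attr_type, value):
    """Type-Length-Value attribute; length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, authenticator=None,
                         nas_ip=b"\xff\xff\xff\xff", nas_port=0):
    """Packet = code, id, length, 16-byte Request Authenticator, attributes.
    Defaults mirror the debug output in the thread (NAS-IP-Address
    255.255.255.255, NAS-Port 0); with user/password "test" the result is
    the same 56 bytes radiusd reported."""
    if authenticator is None:
        authenticator = os.urandom(16)   # must be unpredictable per request
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, nas_ip)
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data):
    """Strict parse: reject length mismatches and attributes that overrun."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, ident, data[4:20], attrs


def server_side_check(packet, secret, stored_user, stored_password):
    """Model of what the server does with a cleartext password stored in SQL:
    unhide User-Password with the shared secret and compare in constant time.
    A wrong secret yields garbage and the comparison fails."""
    code, _ident, authenticator, attrs = parse_packet(packet)
    found = dict(attrs)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in found or ATTR_USER_PASSWORD not in found:
        return False
    try:
        candidate = reveal_password(found[ATTR_USER_PASSWORD], secret, authenticator)
    except ValueError:
        return False
    return found[ATTR_USER_NAME] == stored_user and hmac.compare_digest(candidate, stored_password)


if __name__ == "__main__":
    pkt = build_access_request(167, b"testing", b"test", b"test")
    print(len(pkt), "bytes;", "accept" if server_side_check(pkt, b"testing", b"test", b"test") else "reject")
```

Running it prints 56 bytes and "accept"; the same packet checked with a different secret is rejected, which is also why a client whose /etc/raddb/server secret differs from the server's clients configuration fails without the server ever seeing a valid password.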
Re: Re: Re: SQL Authorization / Authentication
Alan, My users file isn't very large. I'm not going to pretend to know what most of this means, but suffice it to say that I don't have any dial-in users, so I'm not sure that the PPP, CSLIP, or SLIP parts apply. If they don't, should I comment them out? Also, I don't think the Default Auth-type should be System, but I didn't see any other option, besides Reject. Is there an SQL option? The contents of my /etc/raddb/users file are as follows:

DEFAULT Auth-Type := System
        Fall-Through = Yes

DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == CSLIP
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == SLIP
        Framed-Protocol = SLIP

Shannon

Shannon Johnson wrote:

> That's what I thought, but the definition of Authorization and Authentication got me a little confused. New question now..
> rlm_sql (sql): User not found in radgroupcheck
> rlm_sql (sql): User not found
> rlm_sql (sql): Released sql socket id: 2
> modcall[authorize]: module sql returns notfound
> ...
> From what I can tell, it's not passing the username (or password, for that matter) to the SQL database. Would that be a correct assumption? If so, do you have any suggestions on what to do to fix?

Look through the SQL configuration, seeing why the user doesn't match. I'd suggest debugging it with the 'users' file first, though. Get the config working for the user, and then move it over to SQL. That way you're tracking down one problem at a time. Alan DeKok.
rlm_sql errors
I'm trying to get FreeRadius to work with MySQL, but it isn't working. Every time I run radiusd, it doesn't start, and the log gives me:

Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
Fri Jan 17 11:14:36 2003 : Error: rlm_sql (sql): Make sure it (and all its dependent libraries!) are in the search path of your system's ld.
Fri Jan 17 11:14:36 2003 : Error: radiusd.conf[14]: sql: Module instantiation failed.

Exactly which libraries does it need? I bought the Radius book from O'Reilly, and there isn't anything of use in there. I tried adding /usr/local/lib to the /etc/ld.so.conf and running ldconfig, but that didn't work (do I need to recompile freeradius afterwards?). I also tried compiling freeradius using the disable-sharing flag, but that didn't work either. I have freeradius 0.8.1 and mysql 3.23.54a (bench, client, server, and devel). If anyone has any ideas on what I should try, or if you could provide a list of exactly which libraries it needs to find, I can link them manually? Thanks in advance! Shannon Johnson, Systems Administrator
re: re: rlm_sql errors
>> Nick, Which options should I pass? I install all the MySQL parts (including devel) to their default places... the configuring and the compiling don't give me any errors, so I'm assuming it found mysql and enabled support for it.

> --with-mysql-include-dir=DIR  Directory where the MySQL includes can be found
> --with-mysql-lib-dir=DIR      Directory where the MySQL libraries can be found
> --with-mysql-dir=DIR          Base directory where MySQL is installed
> --with-thread-pool            Use a pool of threads for high-load systems. (default=no) ***very important to turn on***
> --localstatedir=/var          Directory for logfiles [LOCALSTATEDIR/log]

I tried that... what I don't know is WHAT libraries it's looking for. Rather than saying it's looking for the mysql libraries, which I already know, can you list the file names?

> Here is what I use on a debian machine. Just change the paths to match your file locations.
>
> ./configure --localstatedir=/var --sysconfdir=/etc --with-thread-pool --with-mysql-include-dir=/usr/include/mysql/ --with-mysql-lib-dir=/usr/lib/ --with-mysql-dir=/usr/bin/

I've already done this. I've also tried including the --disable-shared option, which was mentioned in the all-mighty FAQ... didn't work.

>> Where are the mysql shared libraries installed by default? I'm not exactly a mysql expert...

> This has nothing to do with being a mysql expert. It has to do with being a system admin and knowing how your system works. I don't know if you are new to linux or what.. but here is how to find out the answer to this question: try this:
>
> rpm -ql package name
>
> It will list all files and their locations that came from that rpm.

It doesn't give me back any information at all, except on builds that were installed by the system when it was first built.

> If you don't know what it is expecting for package name, try this
>
> rpm -qa | grep mysql
>
> It will list all packages with mysql in their name :) Read man rpm for more info! Nick

rpm -qa | grep mysql gives me only 3 packages; those packages were installed at build time. And before you ask, yes, I DID install all the mysql packages, and all of them are working (I can access the databases both at the machine and remotely). Is there any other command that I might not have thought of to give me information on an rpm that I've installed? Shannon
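The error in this thread, "Could not link driver rlm_sql_mysql: file not found", is what radiusd reports when dlopen() of the module fails, and the usual cause is not a missing module file but a library the module depends on (libmysqlclient) living in a directory the dynamic loader does not search; Red Hat's MySQL packages put it under /usr/lib/mysql, which is not on the default path. Rather than guessing at ld.so.conf entries, the check a practitioner wants is to ask ldd which dependency is unresolved and where that file actually is. The script below is an added example, not from the thread and not FreeRADIUS code: the module path and the candidate MySQL library directories are assumptions, and the ldd output used in the tests is constructed.

```python
"""Added example: find which shared library a dlopen()'d FreeRADIUS module
cannot resolve, before editing /etc/ld.so.conf.  Not code from the thread or
from FreeRADIUS.  The module path and the candidate MySQL library directories
are assumptions for illustration."""
import os
import re
import subprocess

# ldd prints one line per needed library; unresolved ones read "name => not found".
LDD_NOT_FOUND = re.compile(r"^\s*(\S+)\s*=>\s*not found", re.M)


def missing_libraries(ldd_output):
    """Names of dependencies the dynamic loader could not resolve."""
    return LDD_NOT_FOUND.findall(ldd_output)


def ldd(path):
    """Run ldd on a shared object and return its stdout (empty if ldd failed)."""
    if not os.path.exists(path):
        raise FileNotFoundError(path)
    proc = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    return proc.stdout


def loader_search_dirs(ld_so_conf="/etc/ld.so.conf", env=None):
    """Directories the loader searches: LD_LIBRARY_PATH, then ld.so.conf
    entries, then the trusted defaults.  'include' lines are not expanded here."""
    env = os.environ if env is None else env
    dirs = [d for d in env.get("LD_LIBRARY_PATH", "").split(":") if d]
    try:
        with open(ld_so_conf) as fh:
            for line in fh:
                line = line.split("#", 1)[0].strip()
                if line and not line.startswith("include"):
                    dirs.append(line)
    except FileNotFoundError:
        pass
    return dirs + ["/lib", "/usr/lib"]


def find_library(name, dirs):
    """First directory in dirs containing the library, else None."""
    for d in dirs:
        candidate = os.path.join(d, name)
        if os.path.exists(candidate):
            return candidate
    return None


def diagnose(module_path, extra_dirs=("/usr/lib/mysql", "/usr/local/lib/mysql",
                                      "/usr/local/mysql/lib")):
    """For every unresolved dependency of module_path, report where it actually
    lives (checking the loader path plus the usual MySQL install locations,
    which are assumptions) so the right directory can be added to ld.so.conf
    before running ldconfig."""
    report = {}
    searched = loader_search_dirs() + list(extra_dirs)
    for lib in missing_libraries(ldd(module_path)):
        report[lib] = find_library(lib, searched)
    return report


if __name__ == "__main__":
    import sys
    # Assumed default install location for a source-built FreeRADIUS 0.8.x module.
    module = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/lib/rlm_sql_mysql.so"
    for lib, where in diagnose(module).items():
        print(lib, "=>", where or "not found in any searched directory")
```

If the report shows something like libmysqlclient.so.10 resolving under /usr/lib/mysql, adding that directory to /etc/ld.so.conf and running ldconfig is enough; the module is loaded at runtime by dlopen(), so FreeRADIUS does not need to be recompiled for the loader to find the library.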