Re: 0.9.1 and bad logins
>>>>> "Bill" == Bill [EMAIL PROTECTED] writes:

    Bill> I recently switched from Cistron to FreeRadius 0.9.1 I just noticed
    Bill> that FreeRadius is periodically rejecting customer's passwords when the

It sounds like freeradius and/or some other process isn't locking the password file properly, and you are seeing partially updated passwd entries.

If we knew what OS and what set of libraries you were using, and what other processes were editing /etc/passwd, we might be able to help.

] Collecting stories about my dad: http://www.sandelman.ca/cjr/ | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] [EMAIL PROTECTED] http://www.sandelman.ottawa.on.ca/ |device driver[
] panic(Just another Debian/notebook using, kernel hacking, security guy); [

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: 0.9.1 and bad logins
Bill [EMAIL PROTECTED] wrote:
> What does this mean? I don't understand the -s according to the radiusd man page. When I do a ps ax and review my logs Radius appears to be running normally.

It means that there are still threading issues with some system calls.

FreeRADIUS has its own internal locks which prevent it from making more than one call to the getpwent(), etc. functions at a time. It appears that either more locks are needed, or that the existing locks don't work.

Since you're the only one having problems, I believe it's most likely a local system issue. There's not much I can suggest as to how to fix that.

Alan DeKok.
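The locking issue discussed in this thread, as an added example that is not part of the original messages and is not FreeRADIUS code: getpwnam() and the other non-reentrant passwd calls may return a pointer into static storage, so a lock has to cover the copy-out as well as the call, or the reentrant getpwnam_r() has to be used with a caller-owned buffer. The function names shell_locked and shell_reentrant are hypothetical.

```c
/* Added example, not FreeRADIUS source. Function names are hypothetical. */
#include <errno.h>
#include <pthread.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

static pthread_mutex_t pw_lock = PTHREAD_MUTEX_INITIALIZER;

/* getpwnam() may return a pointer into static storage that the next call
 * from any thread overwrites, so copy the field out BEFORE unlocking.
 * Returns 1 if the shell was copied to out, 0 otherwise. */
int shell_locked(const char *user, char *out, size_t outlen)
{
    int rc = 0;
    pthread_mutex_lock(&pw_lock);
    struct passwd *pw = getpwnam(user);
    if (pw != NULL)
        rc = (size_t)snprintf(out, outlen, "%s", pw->pw_shell) < outlen;
    pthread_mutex_unlock(&pw_lock);
    return rc;
}

/* Reentrant variant: the result lives in a caller-owned buffer, so no lock
 * is needed. The buffer is grown (up to 1 MiB) while the call says ERANGE.
 * Returns 1 if the shell was copied to out, 0 otherwise. */
int shell_reentrant(const char *user, char *out, size_t outlen)
{
    struct passwd pwd, *res = NULL;
    char *buf = NULL, *tmp;
    size_t len = 1024;
    int err = ENOMEM, rc = 0;
    while (len <= (1u << 20) && (tmp = realloc(buf, len)) != NULL) {
        buf = tmp;
        err = getpwnam_r(user, &pwd, buf, len, &res);
        if (err != ERANGE)
            break;
        len *= 2;
    }
    if (err == 0 && res != NULL)
        rc = (size_t)snprintf(out, outlen, "%s", res->pw_shell) < outlen;
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    const char *u = argc > 1 ? argv[1] : "root";
    char s[256];
    printf("%s: %s\n", u, shell_reentrant(u, s, sizeof s) ? s : "(no entry)");
}
```

A lock that is released before pw->pw_shell is read protects the call but not the data, which is why the first function copies inside the critical section.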
Re: 0.9.1 and bad logins
I don't have the passwd, group or shadow fields specified in the unix module as you stated.

I did more testing with this Perl script I wrote that uses radtest to repeatedly test FreeRadius with a username and password file. If the username is near to the top of the passwd file it has a much smaller chance of an invalid login compared to a username closer to the bottom of the passwd file.

With my test script going in a loop using radtest to validate a name and passwd, pause 1/2 second and retest, I can get over 3,000 successful tests in a few minutes with a name near the top of the passwd file. BUT, with a name near the bottom it may crap out after as few as 5 tests or 273 tests.

Could the getpwent be causing this or could I have something else wrong?

Again, I have this same problem on two RedHat 9 servers with all the latest updates.

Bill

----- Original Message -----
From: Alan DeKok
To: [EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 4:47 PM
Subject: Re: 0.9.1 and bad logins

> VCI Help Desk [EMAIL PROTECTED] wrote:
> > Is there any debugging I can do to determine if it's rejecting the user for some other reason? I've turned on the auth_detail and radiusd -x and that hasn't helped.
>
> Don't define the 'passwd', 'group', or 'shadow' entries in the 'unix' module configuration.
>
> If that doesn't help, run the server with '-s' command-line flag.
>
> Other than that, there's not much else I can suggest.
>
> Alan DeKok.
Re: 0.9.1 and bad logins
VCI Help Desk [EMAIL PROTECTED] wrote:
> I did more testing with this Perl script I wrote that uses radtest to repeatedly test FreeRadius with a username and password file. If the username is near to the top of the passwd file it has a much smaller chance of an invalid login compared to a username closer to the bottom of the passwd file.

It sounds like a bug in the system libraries to me.

Try running the server with '-s', and see if the problem resurfaces.

> Could the getpwent be causing this or could I have something else wrong?

It's getpwent() and friends. See rlm_unix.c

Alan DeKok.
Re: 0.9.1 and bad logins
Ok, I'm running a test with the -s option and it appears to be running fine. The problem doesn't appear to resurface with the -s option. My test script has gotten to over 2500 whereas it wouldn't even pass 300 without the -s with a username near the bottom of the passwd file.

What does this mean? I don't understand the -s according to the radiusd man page. When I do a ps ax and review my logs Radius appears to be running normally.

    -s  Normally, the server forks a seperate process for accounting, and a seperate process for every authentication request. With this flag the server will not do that. It won't even daemonize (auto-background) itself.

Bill

----- Original Message -----
From: Alan DeKok
To: [EMAIL PROTECTED]
Sent: Friday, October 17, 2003 9:26 AM
Subject: Re: 0.9.1 and bad logins

> VCI Help Desk [EMAIL PROTECTED] wrote:
> > I did more testing with this Perl script I wrote that uses radtest to repeatedly test FreeRadius with a username and password file. If the username is near to the top of the passwd file it has a much smaller chance of an invalid login compared to a username closer to the bottom of the passwd file.
>
> It sounds like a bug in the system libraries to me.
>
> Try running the server with '-s', and see if the problem resurfaces.
>
> > Could the getpwent be causing this or could I have something else wrong?
>
> It's getpwent() and friends. See rlm_unix.c
>
> Alan DeKok.
0.9.1 and bad logins
Hi,

I recently switched from Cistron to FreeRadius 0.9.1. I just noticed that FreeRadius is periodically rejecting customers' passwords when the passwords are correct. Most customers simply re-type their password when their computer says the password was rejected but some don't know their password.

Sometimes FreeRadius will say the login was rejected due to an invalid shell. Again, the shell is correct. When this happens it doesn't even parse the passwd file entry correctly. It will say the login was rejected due to an invalid shell and the shell is alse when it is actually /bin/false. Sometimes it reports the shell as being part of a passwd line for another customer like ome/user2:/bin/false -- literally.

I thought this problem may be caused by bad memory or something so I moved the authentication for several of my Portmasters to a backup machine running the same configuration of FreeRadius. It did the same thing.

Any ideas?

Bill
Re: 0.9.1 and bad logins
Bill [EMAIL PROTECTED] wrote:
> Sometimes FreeRadius will say the login was rejected due to an invalid shell. Again, the shell is correct. When this happens it doesn't even parse the passwd file entry correctly. It will say the login was rejected due to an invalid shell and the shell is alse when it is actually /bin/false. Sometimes it reports the shell as being part of a passwd line for another customer like ome/user2:/bin/false -- literally.

I've never heard of that problem before.

In the default configuration of the server, it doesn't even parse the 'passwd' file. It relies on the system getpwent() function to do that work.

Alan DeKok.
Re: 0.9.1 and bad logins
Ok, that's helpful.

In studying this I have written a brief Perl script that will run radtest repeatedly. The script pauses for half a second between tests. Sometimes the script will successfully authenticate the same username/password 127 times and sometimes it will run to 2,600 authentications. Eventually, it returns an invalid password.

This is a RedHat 9.0 box with all the updates installed. It has a single 933 MHz Intel processor.

The threading in Radius is turned on with start_servers set to 5. Am I supposed to be able to see 5 Radius processes when I do a ps ax? I only see one and never see more than that.

We are using MySQL for accounting logging and nothing else.

Bill

----- Original Message -----
From: Alan DeKok
To: [EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 1:40 PM
Subject: Re: 0.9.1 and bad logins

> Bill [EMAIL PROTECTED] wrote:
> > Sometimes FreeRadius will say the login was rejected due to an invalid shell. Again, the shell is correct. When this happens it doesn't even parse the passwd file entry correctly. It will say the login was rejected due to an invalid shell and the shell is alse when it is actually /bin/false. Sometimes it reports the shell as being part of a passwd line for another customer like ome/user2:/bin/false -- literally.
>
> I've never heard of that problem before.
>
> In the default configuration of the server, it doesn't even parse the 'passwd' file. It relies on the system getpwent() function to do that work.
>
> Alan DeKok.
Re: 0.9.1 and bad logins
VCI Help Desk [EMAIL PROTECTED] wrote:
> In studying this I have written a brief Perl script that will run radtest repeatedly. The script pauses for half a second between tests. Sometimes the script will successfully authenticate the same username/password 127 times and sometimes it will run to 2,600 authentications. Eventually, it returns an invalid password.

Have you edited 'radiusd.conf' so that the 'unix' module caches the passwords? If so, turn that off. It may help.

> The threading in Radius is turned on with start_servers set to 5. Am I supposed to be able to see 5 Radius processes when I do a ps ax? I only see one and never see more than that.

On RedHat 9, you will only see 1.

Alan DeKok.
Re: 0.9.1 and bad logins
No, the caching is turned off. We actually thought about turning it on to see if that would have any effect on this problem.

Bill

----- Original Message -----
From: Alan DeKok
To: [EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 2:58 PM
Subject: Re: 0.9.1 and bad logins

> VCI Help Desk [EMAIL PROTECTED] wrote:
> > In studying this I have written a brief Perl script that will run radtest repeatedly. The script pauses for half a second between tests. Sometimes the script will successfully authenticate the same username/password 127 times and sometimes it will run to 2,600 authentications. Eventually, it returns an invalid password.
>
> Have you edited 'radiusd.conf' so that the 'unix' module caches the passwords? If so, turn that off. It may help.
>
> > The threading in Radius is turned on with start_servers set to 5. Am I supposed to be able to see 5 Radius processes when I do a ps ax? I only see one and never see more than that.
>
> On RedHat 9, you will only see 1.
>
> Alan DeKok.
Re: 0.9.1 and bad logins
Bill [EMAIL PROTECTED] wrote:
> No, the caching is turned off. We actually thought about turning it on to see if that would have any effect on this problem.

Then are you *sure* you're using the latest version of rlm_unix, and not an older one? There may be threading issues with older ones, if you've installed 0.9.1 over top of an older version of the server.

Alan DeKok.
Re: 0.9.1 and bad logins
No, we didn't use FreeRadius until we installed FreeRadius 0.9.1 about 2 weeks ago. I upgraded to 0.9.2 today. We installed FreeRadius on a brand new RedHat 9.0 server that was just built. We tested our backup Radius server by moving all the Portmaster's primary auth to it and it did the same thing.

One out of about 200 or 300 authentications result in incorrect password in the radius.log file when the password is actually correct. The radius.log file records the username and password that the customer used. The customer will re-enter that same password during the same login process and it will then work properly.

And, at times FreeRadius will reject a customer's login because it says the shell is incorrect. The incorrect login entry in radius.log will say the shell is /home/username:/bin/false -- literally. Notice this is NOT the shell and at times I've seen this happen when it's not even the information for the correct username. This is something that makes me think it's using the password file.

We've checked items running in cron to see if they could be conflicting somehow and haven't found anything.

I noticed there are some notes on the FreeRadius homepage from 19 September about the Pam module and RedHat 9. Problem is, we have the Pam stuff disabled in Radius.

Bill

----- Original Message -----
From: Alan DeKok
To: [EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 3:28 PM
Subject: Re: 0.9.1 and bad logins

> Bill [EMAIL PROTECTED] wrote:
> > No, the caching is turned off. We actually thought about turning it on to see if that would have any effect on this problem.
>
> Then are you *sure* you're using the latest version of rlm_unix, and not an older one? There may be threading issues with older ones, if you've installed 0.9.1 over top of an older version of the server.
>
> Alan DeKok.
Re: 0.9.1 and bad logins
Is there any debugging I can do to determine if it's rejecting the user for some other reason? I've turned on the auth_detail and radiusd -x and that hasn't helped.

Bill

----- Original Message -----
From: Alan DeKok
To: [EMAIL PROTECTED]
Sent: Thursday, October 16, 2003 3:28 PM
Subject: Re: 0.9.1 and bad logins

> Bill [EMAIL PROTECTED] wrote:
> > No, the caching is turned off. We actually thought about turning it on to see if that would have any effect on this problem.
>
> Then are you *sure* you're using the latest version of rlm_unix, and not an older one? There may be threading issues with older ones, if you've installed 0.9.1 over top of an older version of the server.
>
> Alan DeKok.
Re: 0.9.1 and bad logins
VCI Help Desk [EMAIL PROTECTED] wrote:
> Is there any debugging I can do to determine if it's rejecting the user for some other reason? I've turned on the auth_detail and radiusd -x and that hasn't helped.

Don't define the 'passwd', 'group', or 'shadow' entries in the 'unix' module configuration.

If that doesn't help, run the server with '-s' command-line flag.

Other than that, there's not much else I can suggest.

Alan DeKok.