freeradius using pam_oath doesn't return otp challenge

2013-06-15 Thread Martin Kraus
Hi.

I'd like to have freeradius authenticate users using their password (for
simplicity I'm using /etc/shadow now) and TOTP through liboath. I was hoping to
use freeradius to centralize this. PAM looked like the easiest way.

I'm using freeradius 2.1.12 from debian wheezy.

PAM configuration is simple:

auth required pam_unix.so nullok_secure
auth requisite pam_oath.so usersfile=/etc/users.oath debug

On the testing machine running freeradius this works great for su:

root|lex[pam.d]# su
Password:
[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 3
[pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(121)] argv[1]=window=1
[pam_oath.c:parse_cfg(121)] argv[2]=debug
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=0
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=0
[pam_oath.c:parse_cfg(128)] window=1
[pam_oath.c:pam_sm_authenticate(157)] get user returned: root
One-time password (OATH) for `root':

After entering the password the pam_oath module sends the challenge for OTP and
then it authenticates me. SSH works well as well.
However when I run freeradius I never get the challenge:

pam_pass: using pamauth string radiusd for pam.conf lookup
[pam_oath.c:parse_cfg(118)] called.
[pam_oath.c:parse_cfg(119)] flags 0 argc 3
[pam_oath.c:parse_cfg(121)] argv[0]=usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(121)] argv[1]=window=1
[pam_oath.c:parse_cfg(121)] argv[2]=debug
[pam_oath.c:parse_cfg(122)] debug=1
[pam_oath.c:parse_cfg(123)] alwaysok=0
[pam_oath.c:parse_cfg(124)] try_first_pass=0
[pam_oath.c:parse_cfg(125)] use_first_pass=0
[pam_oath.c:parse_cfg(126)] usersfile=/etc/users.oath
[pam_oath.c:parse_cfg(127)] digits=0
[pam_oath.c:parse_cfg(128)] window=1
[pam_oath.c:pam_sm_authenticate(157)] get user returned: root
[pam_oath.c:pam_sm_authenticate(232)] conv returned: karel
[pam_oath.c:pam_sm_authenticate(248)] OTP too short: karel
[pam_oath.c:pam_sm_authenticate(322)] done. [Authentication failure]
pam_pass: function pam_authenticate FAILED for root. Reason: Authentication failure

It seems it gets passed the first password even though neither try_first_pass
nor use_first_pass is set for the pam_oath module. It looks like freeradius
passes it the User-Password attribute.
Is this a problem in freeradius or the pam stack, or am I doing something
wrong?

I was expecting to get a radius access-challenge proxying the pam_oath
challenge similar to how ssh takes care of this.

Is there a way to get this setup working? I'd like to use the ldap passwords
for users so I'm trying to avoid plaintext secrets in oath configuration.

So far it seems I cannot use more than one authentication method in freeradius,
so pam or some custom module seem like the only two options.

Thanks for pointers
Martin
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
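Editorial note, not part of the thread: the debug log above shows pam_oath's conversation call returning "karel" (the /etc/shadow password) where it expected an OTP. The constructed example below, which is not code from FreeRADIUS, pam_oath or the poster, simulates the two-module PAM stack from the post with a real RFC 4226/6238 HOTP/TOTP check, and runs it once with a non-interactive conversation that answers every prompt with the RADIUS User-Password (the assumed behaviour of rlm_pam's conversation callback) and once with an interactive conversation like su/ssh that hands each prompt the next typed answer. The shadow entries, users.oath secrets (the RFC test secret) and the fixed time are all constructed sample data.

```python
"""Simulation of the PAM conversation behaviour discussed in the post.
Constructed example; it does not link against libpam or FreeRADIUS."""
import hashlib
import hmac
import struct


# --- OATH algorithms (RFC 4226 HOTP / RFC 6238 TOTP), what pam_oath verifies ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter."""
    return hotp(secret, now // step, digits)


# --- A toy PAM stack: `auth required pam_unix` then `auth requisite pam_oath` ---

class PamError(Exception):
    pass


def sim_pam_unix(conv, user, shadow):
    """Stands in for pam_unix: asks the conversation for the password.
    Plaintext compare for the demo; real pam_unix verifies a hash."""
    pw = conv("Password: ")
    return pw is not None and shadow.get(user) == pw


def sim_pam_oath(conv, user, users_oath, now, window=1, digits=6):
    """Stands in for pam_oath without try_first_pass/use_first_pass: it always
    issues its own prompt and expects an OTP back from the conversation."""
    otp = conv("One-time password (OATH) for `%s': " % user)
    if otp is None or len(otp) < digits:
        raise PamError("OTP too short: %s" % otp)  # mirrors the debug message in the post
    secret = users_oath[user]
    counter = now // 30
    # accept the current step and `window` steps on either side (window=1 as in the log)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), otp):
            return True
    return False


def authenticate(conv, user, shadow, users_oath, now):
    """Run the stack top to bottom; returns (success, reason)."""
    if not sim_pam_unix(conv, user, shadow):
        return False, "pam_unix failed"
    try:
        ok = sim_pam_oath(conv, user, users_oath, now)
    except PamError as e:
        return False, str(e)
    return (True, "ok") if ok else (False, "bad OTP")


# --- Two conversation functions ---

def radius_conv(user_password):
    """Non-interactive conversation, assumed to behave like rlm_pam: the module
    already holds User-Password and answers every echo-off prompt with it,
    because a PAM module cannot pause the stack to send an Access-Challenge."""
    return lambda prompt: user_password


def interactive_conv(answers):
    """Conversation like su/ssh: each prompt consumes the next answer typed by the user."""
    it = iter(answers)
    return lambda prompt: next(it, None)


# constructed sample data
SHADOW = {"root": "karel"}
USERS_OATH = {"root": b"12345678901234567890"}  # RFC 4226/6238 test secret
NOW = 59  # RFC 6238 test time, counter 1


def demo():
    """Returns (result with RADIUS-style conversation, result with interactive one)."""
    via_radius = authenticate(radius_conv("karel"), "root", SHADOW, USERS_OATH, NOW)
    via_tty = authenticate(interactive_conv(["karel", totp(USERS_OATH["root"], NOW)]),
                           "root", SHADOW, USERS_OATH, NOW)
    return via_radius, via_tty


if __name__ == "__main__":
    print(demo())
```

With the RADIUS-style conversation the second prompt receives the five-character password, which fails pam_oath's length check exactly as in the posted log; with the interactive conversation the same stack succeeds. The point for a RADIUS deployment is that whatever answers the second prompt has to already be inside the Access-Request, since the conversation callback cannot round-trip to the NAS.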


Re: initial accept, but then fails

2013-06-15 Thread geebs
On Fri, Jun 14, 2013 at 3:33 PM, Iliya Peregoudov iperegu...@cboss.ru wrote:

 On 14.06.2013 5:56, geebs wrote:

 rad_recv: Access-Request packet from host 10.8.13.254 port 1645, id=6,
 length=220
  User-Name = example.com http://example.com

  User-Password = cisco
  Calling-Station-Id = GigabitEthernet 14/0/3.31010096:3101-96#587204450###pppoe 00:04:ed:d1:78:85#QTNITE4025M atm 1/1/04/27:8.35#
  Connect-Info = 10
  NAS-Port-Type = Virtual
  NAS-Port = 501
  NAS-Port-Id = Uniq-Sess-ID501
  Service-Type = Outbound-User
  NAS-IP-Address = 10.8.13.254


 Looks like a Cisco PPPoE service profile request
 http://www.cisco.com/en/US/docs/ios-xml/ios/bbdsl/configuration/12-4t/bba-svc-callstup.html



Yes it is, I'm not sure what's going on there, but to be honest this is not
the major issue.

The problem is that micha...@example.com does initially connect, but then
gets disconnected...

If you have a look at the 1st post, they connect fine, but then get booted,
and the only thing in the logs is the above.
What would cause this ?