Re: Help w/ pam radius
Just thought I would reply to my own thread since I figured it out and probably others can benefit from it. Yes, yes, yes, the variations in distros' PAM implementations will kill you; that was all it was, so beware -- knowing your PAM system on your machines is crucial if you don't want to do a lot of head scratching.

    #%PAM-1.0
    auth       sufficient   /lib/security/pam_radius_auth.so debug client_id=linux
    auth       include      system-auth
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

Haven't figured this error out yet...

    Wed Dec 19 15:50:05 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

...but at least I can auth SSH with RADIUS so I am a happy camper.

- Original Message -
From: Jeff Fishbaugh
To: Jeff Fishbaugh ; freeradius-users@lists.freeradius.org
Sent: Tuesday, December 18, 2007 5:49 PM
Subject: Re: Help w/ pam radius

Seems like I am getting closer possibly, but I see an error in radius.log -- could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow. Basically, I go to login to my pam_radius host, user exists in local password file with no pass, user/pass in RADIUS/LDAP, and when I login the SSH session immediately exits and I see the below in radius.log. If I use a login not in the local password file, but it is in RADIUS/LDAP, then I get an access denied and no mention of the below error. I am not even starting TLS so why is it even complaining about it??? I am also curious what this means -- rlm_exec: Wait=yes but no output defined. Did you mean output=none? Appreciate any help. Thanks!

    Tue Dec 18 19:32:48 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Tue Dec 18 19:32:48 2007 : Info: Ready to process requests.
    Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
    Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
    Tue Dec 18 19:35:55 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
    Tue Dec 18 19:36:03 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

- Original Message -
From: Jeff Fishbaugh
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, December 18, 2007 2:13 PM
Subject: Help w/ pam radius

Hello: I am having trouble getting pam_radius working and was wondering if someone might be of help, since I followed the INSTALL instructions as well as a howto (as provided by the Wikid folks) and I am still coming up short getting it working. Here are some of my details:

- My PAM is such that it is by service (Fedora 7 -- 0.99.7.1-5.1), sshd being what I am most interested in; the default config for it looks like the below on a host I want talking to radius. What does this need to look like in terms of the pam_radius_auth.so related stanzas to get it working? Neither the INSTALL instructions nor a howto I found would work.

  /etc/pam.d/sshd (default below)

      #%PAM-1.0
      auth       include      system-auth
      account    required     pam_nologin.so
      account    include      system-auth
      password   include      system-auth
      session    optional     pam_keyinit.so force revoke
      session    include      system-auth
      session    required     pam_loginuid.so

- My Radius box runs freeradius (freeradius-1.1.7-3.1) with LDAP (fedora-ds) backending it with the user/pass info; got it working for Ciscos but have yet to get PAM working. I just get 'Access denied' -- tried the latter with a user defined on the host with no password or with a password and it won't work. Pretty simple, no huntgroups or anything like that, just plain and simple binding against LDAP.

I think what I am looking for are...
1- Pam configuration on the host (ie- /etc/pam.d/sshd)
2- Pam configuration requirements as far as the radius server is concerned.

It would be helpful to see what all I might need that I am possibly missing in conf files. Thank you!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
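To make the ordering in the working stack concrete, here is a small evaluator of Linux-PAM control flags, added as an example and not code from the thread or from pam_radius: it flattens the `include`, then runs the sshd auth phase with constructed outcomes for the RADIUS module and the local pam_unix check. The system-auth contents and the module results are assumptions for illustration, not Fedora's actual file.

```python
# Added example (not from the thread or pam_radius): a minimal model of
# Linux-PAM auth-stack evaluation (required/requisite/sufficient + include)
# run against the working sshd stack. SYSTEM_AUTH is a constructed stand-in.
SSHD_AUTH = """\
auth sufficient /lib/security/pam_radius_auth.so debug client_id=linux
auth include system-auth
"""
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass
auth required pam_deny.so
"""
STACKS = {"sshd": SSHD_AUTH, "system-auth": SYSTEM_AUTH}

def parse(name, phase="auth"):
    """Flatten a service stack for one phase into (control, module) pairs."""
    rules = []
    for line in STACKS[name].splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        typ, ctl, mod, *_args = line.split()
        if typ != phase:
            continue
        if ctl == "include":  # splice in the referenced stack
            rules.extend(parse(mod, phase))
        else:
            rules.append((ctl, mod.rsplit("/", 1)[-1]))
    return rules

def evaluate(rules, results):
    """Apply PAM flag semantics; returns (granted, modules consulted in order)."""
    consulted, required_failed = [], False
    for ctl, mod in rules:
        ok = results.get(mod, False)  # results: module name -> pass/fail
        consulted.append(mod)
        if ctl == "requisite" and not ok:  # fail immediately
            return False, consulted
        if ctl == "required" and not ok:  # keep going, but the answer is fail
            required_failed = True
        if ctl == "sufficient" and ok and not required_failed:
            return True, consulted  # short-circuit: later modules never run
    return not required_failed, consulted

def login(radius_ok, local_ok):
    """One sshd auth attempt with constructed RADIUS and local outcomes."""
    results = {"pam_radius_auth.so": radius_ok, "pam_env.so": True,
               "pam_unix.so": local_ok, "pam_deny.so": False}
    return evaluate(parse("sshd"), results)
```

A RADIUS success ends the stack at pam_radius_auth.so, while a RADIUS failure is simply ignored and falls through to system-auth, so the local password path stays live and is worth keeping in mind when local accounts exist only to satisfy the host.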
Help w/ pam radius
Hello: I am having trouble getting pam_radius working and was wondering if someone might be of help, since I followed the INSTALL instructions as well as a howto (as provided by the Wikid folks) and I am still coming up short getting it working. Here are some of my details:

- My PAM is such that it is by service (Fedora 7 -- 0.99.7.1-5.1), sshd being what I am most interested in; the default config for it looks like the below on a host I want talking to radius. What does this need to look like in terms of the pam_radius_auth.so related stanzas to get it working? Neither the INSTALL instructions nor a howto I found would work.

  /etc/pam.d/sshd (default below)

      #%PAM-1.0
      auth       include      system-auth
      account    required     pam_nologin.so
      account    include      system-auth
      password   include      system-auth
      session    optional     pam_keyinit.so force revoke
      session    include      system-auth
      session    required     pam_loginuid.so

- My Radius box runs freeradius (freeradius-1.1.7-3.1) with LDAP (fedora-ds) backending it with the user/pass info; got it working for Ciscos but have yet to get PAM working. I just get 'Access denied' -- tried the latter with a user defined on the host with no password or with a password and it won't work. Pretty simple, no huntgroups or anything like that, just plain and simple binding against LDAP.

I think what I am looking for are...
1- Pam configuration on the host (ie- /etc/pam.d/sshd)
2- Pam configuration requirements as far as the radius server is concerned.

It would be helpful to see what all I might need that I am possibly missing in conf files. Thank you!
Re: Help w/ pam radius
Seems like I am getting closer possibly, but I see an error in radius.log -- could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow. Basically, I go to login to my pam_radius host, user exists in local password file with no pass, user/pass in RADIUS/LDAP, and when I login the SSH session immediately exits and I see the below in radius.log. If I use a login not in the local password file, but it is in RADIUS/LDAP, then I get an access denied and no mention of the below error. I am not even starting TLS so why is it even complaining about it??? I am also curious what this means -- rlm_exec: Wait=yes but no output defined. Did you mean output=none? Appreciate any help. Thanks!

    Tue Dec 18 19:32:48 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Tue Dec 18 19:32:48 2007 : Info: Ready to process requests.
    Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
    Tue Dec 18 19:33:06 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
    Tue Dec 18 19:35:55 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
    Tue Dec 18 19:36:03 2007 : Error: rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

- Original Message -
From: Jeff Fishbaugh
To: freeradius-users@lists.freeradius.org
Sent: Tuesday, December 18, 2007 2:13 PM
Subject: Help w/ pam radius

Hello: I am having trouble getting pam_radius working and was wondering if someone might be of help, since I followed the INSTALL instructions as well as a howto (as provided by the Wikid folks) and I am still coming up short getting it working. Here are some of my details:

- My PAM is such that it is by service (Fedora 7 -- 0.99.7.1-5.1), sshd being what I am most interested in; the default config for it looks like the below on a host I want talking to radius. What does this need to look like in terms of the pam_radius_auth.so related stanzas to get it working? Neither the INSTALL instructions nor a howto I found would work.

  /etc/pam.d/sshd (default below)

      #%PAM-1.0
      auth       include      system-auth
      account    required     pam_nologin.so
      account    include      system-auth
      password   include      system-auth
      session    optional     pam_keyinit.so force revoke
      session    include      system-auth
      session    required     pam_loginuid.so

- My Radius box runs freeradius (freeradius-1.1.7-3.1) with LDAP (fedora-ds) backending it with the user/pass info; got it working for Ciscos but have yet to get PAM working. I just get 'Access denied' -- tried the latter with a user defined on the host with no password or with a password and it won't work. Pretty simple, no huntgroups or anything like that, just plain and simple binding against LDAP.

I think what I am looking for are...
1- Pam configuration on the host (ie- /etc/pam.d/sshd)
2- Pam configuration requirements as far as the radius server is concerned.

It would be helpful to see what all I might need that I am possibly missing in conf files. Thank you!