Re: PAM-Radius authentication issue on Ubuntu 7.4: can not authenticate SSH users not present in /etc/passwd
Hu, Fengliang (Procurve Networking) wrote:
> I did some research from the website and some emails dated in 2006 said that PAM_Radius can only authenticate user accounts in /etc/passwd file. Is that right?

Yes. There is no documented way in PAM to get UID/GID/etc from the PAM module (e.g. pam_radius), back up to PAM.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAM-Radius authentication issue on Ubuntu 7.4: can not authenticate SSH users not present in /etc/passwd
Hi,

I was trying to find a PAM-Radius mailing list and it seems that this is the best one.

An Ubuntu 7.4 box needs to be configured such that SSH users will be authenticated against an external FreeRadius server. FreeRadius server version is 1.1.7-1build4. The Ubuntu box uses OpenSSH 4.3-p2 and /etc/ssh/sshd_config is set to UsePAM yes. I downloaded PAM_Radius 1.3.17.

Below is the procedure that I use Radius to authenticate a user in /etc/passwd (/etc/shadow doesn't have the password for that user).

1. FreeRadius server configures its clients.conf and user file to include a new user called test1.
2. On my Ubuntu 7.4 box, add a user with command useradd to add a user test1 but don't set a password. So the user test1 on the Ubuntu box will be inactive.
3. Configure /etc/pam.d/ssh on the Ubuntu box to use auth sufficient pam_radius_auth.so
4. Also update the /etc/raddb/server on the Ubuntu box to point to the remote Radius server IP.
5. Try ssh te...@ubuntu box and it worked. Also monitored the Free Radius logging and it did show that the Access-Request packets went to Radius server.

So step 1-5 worked well for me. Note that at step 2, the user account to be authenticated is added to /etc/passwd.

The issue is: if step 2 is omitted, SSH login will fail. ACCESS_REQUEST packets with INCORRECT password were even sent to the Radius server. Further troubleshooting showed that PAM_Radius module got a bad password from PAM.

I did some research from the website and some emails dated in 2006 said that PAM_Radius can only authenticate user accounts in /etc/passwd file. Is that right?

Many thanks in advance,
Feng
Re: PAM Radius Authentication
Hi
can u tell me how run radius with pam?
thanks

On 4/19/07, daniel [EMAIL PROTECTED] wrote:
> Ok, I have gotten pam_radius_auth.so to work and it is working well, however, is there any way to get it to create a UID when it receives an auth accept? At the moment I have to run adduser every time I want a user to be able to log in, this would be ok if the users were fairly static, I could run a script every night to add new users to the system, unfortunately I have a lot of users and they need to be available immediately.
>
> Thanks for all your help so far.
>
> -Daniel Davis

--
Best Regards
Reza Behroozi
http://reza.behroozi.info
http://www.persianadmins.ir
http://www.persianadmins.com
Re: PAM Radius Authentication
daniel wrote:
> If I use LDAP to authenticate with PAM and freeradius authenticates against LDAP as well am I able to still store session details with LDAP?

I believe so, yes.

> I am trying to integrate my current hotspot database with my terminals so that users can authenticate on either using the same username and password. It is a ticket based system and they have a limited amount of time, this works fine on both systems with freeradius (mysql backend) but it is a pain to continually have to add users to /etc/passwd. This can all be administered through a set of PHP scripts.

That's why databases were invented.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
Has anyone had any luck compiling pam_radius_auth on ubuntu?

On Mon, 16 Apr 2007 15:13:49 +0200, Alan DeKok [EMAIL PROTECTED] wrote:
> daniel wrote:
>> I am trying to set up unix authentication using radius. Does the pam module support the maximum session times.
>
> No, because PAM has no provisions for enforcing maximum session times.

This is ok, I can write a script that runs every minute that just logs the user off based on the results of an sql query of the radius database. Does the pam module support accounting packets (ie. send accounting packet to radius when user logs on?)

> The setrlimit function call can enforce CPU time restrictions, but that is *not* clock time.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
daniel wrote:
> Has anyone had any luck compiling pam_radius_auth on ubuntu?

$ apt-get install libpam0g-dev
$ cd pam_radius
$ make

> Does the pam module support accounting packets (ie. send accounting packet to radius when user logs on?)

Yes.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
daniel wrote:
> Apr 15 22:03:51 bill sshd[7861]: PAM unable to dlopen(/lib/security/pam_radius_auth.so)
> Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror: /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]

You've built the module with stack overflow checking turned on, and haven't linked it (or SSH) to the necessary library. How to fix this depends on your local system.

> Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module: /lib/security/pam_radius_auth.so
>
> I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10
>
> The pam_radius_auth module seems to be quite old, does anyone know if it still works?

A new release should be out shortly.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
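An added example, not part of any message in this thread: a Python triage pass over auth.log that groups the three PAM messages quoted above into one finding per process and module, and pulls out the missing symbol. The function name, the record fields and the "Accepted password" line are constructed for the illustration; the other three log lines are the ones posted in the thread.

```python
import re

# The three auth.log lines quoted in the thread, plus one constructed line
# (the "Accepted password" entry) to show that unrelated events are ignored.
SAMPLE_LOG = """\
Apr 15 22:03:51 bill sshd[7861]: PAM unable to dlopen(/lib/security/pam_radius_auth.so)
Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror: /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]
Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module: /lib/security/pam_radius_auth.so
Apr 15 22:04:10 bill sshd[7870]: Accepted password for alice from 192.0.2.10 port 40022 ssh2
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host process[pid]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# The three messages libpam logged in the thread, in the order they appear.
PATTERNS = (
    ("dlopen", re.compile(r"^PAM unable to dlopen\((?P<path>[^)]+)\)")),
    ("dlerror", re.compile(r"^PAM \[dlerror: (?P<path>[^:]+): (?P<reason>.*)\]$")),
    ("faulty", re.compile(r"^PAM adding faulty module: (?P<path>\S+)")),
)
UNDEFINED = re.compile(r"undefined symbol: (?P<sym>\w+)")


def find_faulty_modules(log_text):
    """Return one record per (host, process, pid, module) that failed to load."""
    found = {}
    for line in log_text.splitlines():
        entry = SYSLOG.match(line)
        if not entry:
            continue
        for stage, pattern in PATTERNS:
            hit = pattern.match(entry["msg"])
            if not hit:
                continue
            key = (entry["host"], entry["proc"], entry["pid"], hit["path"])
            rec = found.setdefault(key, {
                "host": entry["host"], "process": entry["proc"],
                "pid": int(entry["pid"]), "module": hit["path"],
                "first_seen": entry["ts"], "stages": [],
                "reason": None, "missing_symbol": None, "hint": None,
            })
            rec["stages"].append(stage)
            if stage == "dlerror":
                rec["reason"] = hit["reason"]
                sym = UNDEFINED.search(hit["reason"])
                if sym:
                    rec["missing_symbol"] = sym["sym"]
                    # __stack_chk_* symbols belong to the compiler's stack protector.
                    if sym["sym"].startswith("__stack_chk_"):
                        rec["hint"] = ("built with stack protector, runtime "
                                       "providing the symbol not linked")
    return list(found.values())


if __name__ == "__main__":
    for finding in find_faulty_modules(SAMPLE_LOG):
        print(finding)
```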
Re: PAM Radius Authentication
Alan,

Thank you, how do I build the module with stack overflow checking turned off, also what library do I need to link it to?

Regards,
Daniel Davis

On Mon, 16 Apr 2007 11:15:59 +0200, Alan DeKok [EMAIL PROTECTED] wrote:
> daniel wrote:
>> Apr 15 22:03:51 bill sshd[7861]: PAM unable to dlopen(/lib/security/pam_radius_auth.so)
>> Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror: /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]
>
> You've built the module with stack overflow checking turned on, and haven't linked it (or SSH) to the necessary library. How to fix this depends on your local system.
>
>> Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module: /lib/security/pam_radius_auth.so
>>
>> I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10
>>
>> The pam_radius_auth module seems to be quite old, does anyone know if it still works?
>
> A new release should be out shortly.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
daniel wrote:
> Thank you, how do I build the module with stack overflow checking turned off, also what library do I need to link it to?

I have no idea. Stack checking is part of your local system, not part of the module.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
Alan,

I don't know if someone could help me, I got FR working and authenticating in my AD. Here in my core switch a (Cisco 4507R) I have around 7 vlans, I was wondering if someone could explain to me how could I use FR and my switch to use a different vlan based in the user, and if is a guest user to send to a guest vlan

Since now my thanks

Robinson Santos
Network Administrator
Fundação Joao Paulo II
www.cancaonova.com
São Paulo, Brasil

On 4/16/07, Alan DeKok [EMAIL PROTECTED] wrote:
> daniel wrote:
>> Thank you, how do I build the module with stack overflow checking turned off, also what library do I need to link it to?
>
> I have no idea. Stack checking is part of your local system, not part of the module.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
Alan,

I am trying to set up unix authentication using radius. Does the pam module support the maximum session times. I am trying to set up a system where linux users authenticate against my existing radius hotspot system and they are forced to log out when their session expires.

Regards,
Daniel Davis

On Mon, 16 Apr 2007 11:15:59 +0200, Alan DeKok [EMAIL PROTECTED] wrote:
> daniel wrote:
>> Apr 15 22:03:51 bill sshd[7861]: PAM unable to dlopen(/lib/security/pam_radius_auth.so)
>> Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror: /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]
>
> You've built the module with stack overflow checking turned on, and haven't linked it (or SSH) to the necessary library. How to fix this depends on your local system.
>
>> Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module: /lib/security/pam_radius_auth.so
>>
>> I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10
>>
>> The pam_radius_auth module seems to be quite old, does anyone know if it still works?
>
> A new release should be out shortly.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
daniel wrote:
> I am trying to set up unix authentication using radius. Does the pam module support the maximum session times.

No, because PAM has no provisions for enforcing maximum session times.

The setrlimit function call can enforce CPU time restrictions, but that is *not* clock time.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
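An added example, not part of any message in this thread: a Python demonstration of the CPU-time versus clock-time distinction in the reply above, using RLIMIT_CPU on Linux. The one-second limit, the two child programs and all function names are constructed for the illustration.

```python
import resource
import signal
import subprocess
import sys
import time

CPU_LIMIT_SECONDS = 1  # constructed value for the demonstration


def _limit_cpu():
    # Runs in the child between fork and exec. Exceeding the soft limit
    # delivers SIGXCPU; exceeding the hard limit delivers SIGKILL.
    resource.setrlimit(resource.RLIMIT_CPU,
                       (CPU_LIMIT_SECONDS, CPU_LIMIT_SECONDS + 1))


def run_limited(code):
    """Run a Python one-liner under the CPU limit; return (returncode, wall seconds)."""
    start = time.monotonic()
    proc = subprocess.run([sys.executable, "-c", code], preexec_fn=_limit_cpu)
    return proc.returncode, time.monotonic() - start


def killed_by_cpu_limit(returncode):
    # subprocess reports death by signal N as returncode -N.
    return returncode == -signal.SIGXCPU


def demo():
    # An idle "session": sleeps longer than the limit but burns almost no CPU.
    idle = run_limited("import time; time.sleep(1.5)")
    # A busy process: accumulates CPU time and is stopped by the limit.
    busy = run_limited("while True: pass")
    return {"idle": idle, "busy": busy}


if __name__ == "__main__":
    result = demo()
    print("idle: rc=%d wall=%.1fs" % result["idle"])
    print("busy: rc=%d wall=%.1fs" % result["busy"])
```

The idle child outlives the limit in wall-clock terms and exits normally, which is why a CPU rlimit cannot stand in for a session timeout.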
PAM Radius Authentication
Hi,

I have been trying to set up the pam_radius_auth pam module to authenticate my users through my freeradius server. The radius server is working fine as I can get an Access-Accept packet with radtest and also my wireless hotspot authenticates fine through it. The problem I have is that pam seems to be having a problem loading the module. The auth.log shows the following:

Apr 15 22:03:51 bill sshd[7861]: PAM unable to dlopen(/lib/security/pam_radius_auth.so)
Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror: /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]
Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module: /lib/security/pam_radius_auth.so

I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10

The pam_radius_auth module seems to be quite old, does anyone know if it still works?

Regards,
Daniel Davis
Re: Pam radius authentication
Isn't there anyone who tried this implementation?

> Hi!
>
> if you are referring to this line:
>
>     account    required     pam_radius_auth.so debug
>
> then here is the explanation:
>
> The pam configuration can be:
>
>     ...
>     auth       sufficient   /lib/security/pam_radius_auth.so [options]
>     ...
>     account    sufficient   /lib/security/pam_radius_auth.so
>
> (this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)
>
> On the other hand, I don't care if I don't use this module for accounting. As a matter of fact, I tried in many configurations, even without using it for accounting. The main concern is to succeed in authenticating the users!!! if anyone can help me accomplish that, I would be happy and I will not mind about accounting...
>
>> Hi,
>>
>>> I don't understand why you are saying that you are invoking pam_radius_auth in the wrong place and for the wrong reason...please, be more specific and if you know the right configuration, enlighten me!
>>>
>>>     #%PAM-1.0
>>>     auth       required     pam_securetty.so
>>>     auth       sufficient   pam_radius_auth.so debug
>>>     auth       required     /lib/security/pam_unix_auth.so
>>>     account    required     pam_radius_auth.so debug
>>
>> explain
>>
>> alan
Re: Pam radius authentication
First of all, thank you for your reply. Until now, you are the only one.

Now, let's take it step by step:

This is a part of INSTALL:

** Redhat Linux 5.0 **

make. Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so

In the per-application configuration (/etc/pam.d/application) add:

    auth       sufficient   /lib/security/pam_radius_auth.so

AFTER

    auth       required     /lib/security/pam_securetty.so

and BEFORE

    auth       required     /lib/security/pam_unix_auth.so

i.e.

    auth       required     /lib/security/pam_securetty.so
    auth       sufficient   /lib/security/pam_radius_auth.so
    auth       required     /lib/security/pam_unix_auth.so

My linux is RedHat 9, so this part pertains to my machine:

Redhat Linux 5.0

make. Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so - already did...

In the per-application configuration (/etc/pam.d/application) add: - I want to use pam radius to authenticate ssh logins, so (/etc/pam.d/application) becomes /etc/pam.d/sshd

    auth       required     pam_securetty.so
    auth       sufficient   pam_radius_auth.so debug
    auth       required     /lib/security/pam_unix_auth.so

- this part from INSTALL is identical to my /etc/pam.d/sshd...all of these modules deal with authentication (auth). pam_securetty verifies if root can login through tty by reading /etc/securetty. required means that this step is mandatory and that after this verification, the next authentication method will take place. this is where pam_radius_auth comes. the messages are exchanged as explained in my previous e-mail. sufficient means that if this authentication succeeds, the following authentication methods will not be checked...in other terms: auth required /lib/security/pam_unix_auth.so will be passed.

I don't understand why you are saying that you are invoking pam_radius_auth in the wrong place and for the wrong reason...please, be more specific and if you know the right configuration, enlighten me!

Again, any help would be appreciated!

> Hi,
>
>> anyone??? pls!!! no suggestions at all ? :(
>
> I'd read the INSTALL doc that comes as part of the pam_radius tool.
>
>> - cat /etc/pam.d/sshd
>>
>>     #%PAM-1.0
>>     auth       required     pam_securetty.so
>>     auth       sufficient   pam_radius_auth.so debug
>>     auth       required     /lib/security/pam_unix_auth.so
>>     account    required     pam_radius_auth.so debug
>>     password   required     pam_stack.so service=system-auth
>>     session    required     pam_stack.so service=system-auth
>>     session    required     pam_limits.so
>>     session    optional     pam_console.so
>
> no. you're invoking pam_radius_auth in the wrong place and for the wrong reason. again the INSTALL is your friend.
>
> your radius configuration appears to be correct
>
> alan
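An added example, not part of any message in this thread: a simplified Python model of how the `required` and `sufficient` control flags discussed in the message above are evaluated, following their documented meaning in pam.conf(5), run over the auth and account lines of the posted /etc/pam.d/sshd. The module results in each scenario are constructed, all function names are made up for the illustration, and it does not diagnose the poster's failed login.

```python
import os

# auth and account lines of /etc/pam.d/sshd as posted in the thread
# (column spacing restored).
SSHD_PAM = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_radius_auth.so debug
auth       required     /lib/security/pam_unix_auth.so
account    required     pam_radius_auth.so debug
"""


def parse_pam(text):
    """Return {type: [(control, module_name, args), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *args = line.split()
        stacks.setdefault(mtype, []).append(
            (control, os.path.basename(module), args))
    return stacks


def run_stack(stack, outcomes):
    """Evaluate one stack; outcomes maps module name -> True/False (constructed).

    Returns (ok, trace) where trace lists the modules actually consulted.
    """
    failed_required = False
    succeeded = False
    trace = []
    for control, module, _args in stack:
        ok = outcomes[module]  # KeyError here means the module was consulted
        trace.append((module, control, ok))
        if control == "required":
            # A failure is remembered, but the rest of the stack still runs.
            succeeded = succeeded or ok
            failed_required = failed_required or not ok
        elif control == "sufficient":
            # Success ends the stack only if no earlier required module failed;
            # failure of a sufficient module is ignored.
            if ok and not failed_required:
                return True, trace
        else:
            raise ValueError("control flag not modelled: " + control)
    return (succeeded and not failed_required), trace


def login_allowed(stacks, auth_outcomes, account_outcomes):
    """The auth and account stacks are evaluated separately; both must pass."""
    auth_ok, auth_trace = run_stack(stacks["auth"], auth_outcomes)
    if not auth_ok:
        return {"auth": False, "account": None, "allowed": False,
                "auth_trace": auth_trace}
    acct_ok, _ = run_stack(stacks["account"], account_outcomes)
    return {"auth": True, "account": acct_ok, "allowed": acct_ok,
            "auth_trace": auth_trace}


STACKS = parse_pam(SSHD_PAM)
RADIUS, UNIX, TTY = "pam_radius_auth.so", "pam_unix_auth.so", "pam_securetty.so"

if __name__ == "__main__":
    # RADIUS accepts: pam_unix_auth is never consulted (no entry needed for it).
    print(login_allowed(STACKS, {TTY: True, RADIUS: True}, {RADIUS: True}))
    # RADIUS accepts in auth, but the separate account stack fails.
    print(login_allowed(STACKS, {TTY: True, RADIUS: True}, {RADIUS: False}))
```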
Re: Pam radius authentication
Hi,

> I don't understand why you are saying that you are invoking pam_radius_auth in the wrong place and for the wrong reason...please, be more specific and if you know the right configuration, enlighten me!
>
>     #%PAM-1.0
>     auth       required     pam_securetty.so
>     auth       sufficient   pam_radius_auth.so debug
>     auth       required     /lib/security/pam_unix_auth.so
>     account    required     pam_radius_auth.so debug

explain

alan
Re: Pam radius authentication
Hi!

if you are referring to this line:

    account    required     pam_radius_auth.so debug

then here is the explanation:

The pam configuration can be:

    ...
    auth       sufficient   /lib/security/pam_radius_auth.so [options]
    ...
    account    sufficient   /lib/security/pam_radius_auth.so

(this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)

On the other hand, I don't care if I don't use this module for accounting. As a matter of fact, I tried in many configurations, even without using it for accounting. The main concern is to succeed in authenticating the users!!! if anyone can help me accomplish that, I would be happy and I will not mind about accounting...

> Hi,
>
>> I don't understand why you are saying that you are invoking pam_radius_auth in the wrong place and for the wrong reason...please, be more specific and if you know the right configuration, enlighten me!
>>
>>     #%PAM-1.0
>>     auth       required     pam_securetty.so
>>     auth       sufficient   pam_radius_auth.so debug
>>     auth       required     /lib/security/pam_unix_auth.so
>>     account    required     pam_radius_auth.so debug
>
> explain
>
> alan
Re: Pam radius authentication
anyone??? pls!!! no suggestions at all ? :(

On 12 Oct 2006, at 12:46, [EMAIL PROTECTED] wrote:
> Hello!
>
> I try to authenticate ssh users logins using pam_radius_auth.so. On my RedHat 9 I have the following setup:
>
> - freeradius server
> - users file:
>
>     test    Auth-Type := Local, User-Password == test
>
> - clients.conf
>
>     client 127.0.0.1 {
>         secret = secret
>         shortname = localhost
>     }
>
> - pam radius module
> - cat /etc/pam.d/sshd
>
>     #%PAM-1.0
>     auth       required     pam_securetty.so
>     auth       sufficient   pam_radius_auth.so debug
>     auth       required     /lib/security/pam_unix_auth.so
>     account    required     pam_radius_auth.so debug
>     password   required     pam_stack.so service=system-auth
>     session    required     pam_stack.so service=system-auth
>     session    required     pam_limits.so
>     session    optional     pam_console.so
>
> - cat /etc/raddb/server
>
>     127.0.0.1 secret 1
>
> - pam_radius_auth.so is copied in /lib/security
> - I created linux user test with home directory /home/test, without setting up a password
> - freeradius started with radiusd -X
>
> Problem is that, when I try to connect to this machine using ssh, the radius server receives the request, processes it, sends access-accept, but the ssh session is ended, without the user being really logged in !!! I don't know the reason why the user gets rejected...
>
> tail -f /var/log/secure
>
> Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
> Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2
> Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
> Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2
> Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
> Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1
> Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
> Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2
> Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
> Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2
>
> from radiusd -X :
>
> rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
> User-Name = test
> User-Password = test
> NAS-IP-Address = 127.0.0.1
> NAS-Identifier = sshd
> NAS-Port = 26590
> NAS-Port-Type = Virtual
> Service-Type = Authenticate-Only
> Calling-Station-Id = 512wyse83.cosmote.rom
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> modcall[authorize]: module chap returns noop for request 0
> modcall[authorize]: module mschap returns noop for request 0
> rlm_realm: No '@' in User-Name = test, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module eap returns noop for request 0
> users: Matched entry test at line 80
> modcall[authorize]: module files returns ok for request 0
> modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type Local
> auth: type Local
> auth: user supplied User-Password matches local User-Password
> Sending Access-Accept of id 253 to 127.0.0.1 port 27615
> Finished request 0
>
> thank you!
Re: Pam radius authentication
Hi,

> anyone??? pls!!! no suggestions at all ? :(

I'd read the INSTALL doc that comes as part of the pam_radius tool.

> - cat /etc/pam.d/sshd
>
>     #%PAM-1.0
>     auth       required     pam_securetty.so
>     auth       sufficient   pam_radius_auth.so debug
>     auth       required     /lib/security/pam_unix_auth.so
>     account    required     pam_radius_auth.so debug
>     password   required     pam_stack.so service=system-auth
>     session    required     pam_stack.so service=system-auth
>     session    required     pam_limits.so
>     session    optional     pam_console.so

no. you're invoking pam_radius_auth in the wrong place and for the wrong reason. again the INSTALL is your friend.

your radius configuration appears to be correct

alan
Pam radius authentication
Hello!

I try to authenticate ssh users logins using pam_radius_auth.so. On my RedHat 9 I have the following setup:

- freeradius server
- users file:

    test    Auth-Type := Local, User-Password == test

- clients.conf

    client 127.0.0.1 {
        secret = secret
        shortname = localhost
    }

- pam radius module
- cat /etc/pam.d/sshd

    #%PAM-1.0
    auth       required     pam_securetty.so
    auth       sufficient   pam_radius_auth.so debug
    auth       required     /lib/security/pam_unix_auth.so
    account    required     pam_radius_auth.so debug
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_limits.so
    session    optional     pam_console.so

- cat /etc/raddb/server

    127.0.0.1 secret 1

- pam_radius_auth.so is copied in /lib/security
- I created linux user test with home directory /home/test, without setting up a password
- freeradius started with radiusd -X

Problem is that, when I try to connect to this machine using ssh, the radius server receives the request, processes it, sends access-accept, but the ssh session is ended, without the user being really logged in !!! I don't know the reason why the user gets rejected...

tail -f /var/log/secure

Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2

from radiusd -X :

rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 26590
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 512wyse83.cosmote.rom
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module eap returns noop for request 0
users: Matched entry test at line 80
modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 253 to 127.0.0.1 port 27615
Finished request 0

thank you!