Re: Freeradius: change user passwords through pam_radius
OK Alan thanks... do you know if there is any way to let users change their own Radius passwords by themselves?

Thanks again.

Roberto

2013/5/27 Arran Cudbard-Bell a.cudba...@freeradius.org

> On 27 May 2013, at 18:03, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
>
>> On 27 May 2013, at 15:26, Roberto Carna robertocarn...@gmail.com wrote:
>>
>>> Dear, I have a Linux box authenticating SSH users against Freeradius. It works OK.
>>>
>>> When the users go into the Linux box via SSH, I need them to change their own radius passwords. For this reason, I edited the /etc/pam.d/passwd file as follows:
>>>
>>>     password sufficient pam_radius_auth.so
>>>     @include common-auth
>>>
>>> in order to communicate with our freeradius and change the user's password executing the passwd command in the shell.
>>>
>>> But the passwords never change and I get this error:
>>>
>>>     Password:
>>>     New password:
>>>     New password (again):
>>>     Enter new UNIX password:
>>>     Retype new UNIX password:
>>>     passwd: Authentication token manipulation error
>>>     passwd: password unchanged
>>>
>>> Is it possible to do what I want?
>>
>> No.
>
> Actually PAM radius code does have references to password change functionality. No idea how it works though.
>
> Recommend you RTFS.
>
> https://github.com/FreeRADIUS/pam_radius/blob/master/pam_radius_auth.c
>
> Arran Cudbard-Bell a.cudba...@freeradius.org
> FreeRADIUS Development Team

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Freeradius: change user passwords through pam_radius
Roberto Carna wrote:

> OK Alan thanks... do you know if there is any way to let users change their own Radius passwords by themselves?

You were responding to Arran, not Alan.

The only way for users to change the RADIUS password is to give them some kind of access to the database used by RADIUS.

i.e. RADIUS doesn't store passwords. Databases store passwords. So changing passwords isn't a RADIUS issue. It's a database issue.

Alan DeKok.
Freeradius: change user passwords through pam_radius
Dear, I have a Linux box authenticating SSH users against Freeradius. It works OK.

When the users go into the Linux box via SSH, I need them to change their own radius passwords. For this reason, I edited the /etc/pam.d/passwd file as follow:

    password sufficient pam_radius_auth.so

above the following line

    password include system-auth
Fwd: Freeradius: change user passwords through pam_radius
Dear, I have a Linux box authenticating SSH users against Freeradius. It works OK.

When the users go into the Linux box via SSH, I need them to change their own radius passwords. For this reason, I edited the /etc/pam.d/passwd file as follows:

    password sufficient pam_radius_auth.so
    @include common-auth

in order to communicate with our freeradius and change the user's password executing the passwd command in the shell.

But the passwords never change and I get this error:

    Password:
    New password:
    New password (again):
    Enter new UNIX password:
    Retype new UNIX password:
    passwd: Authentication token manipulation error
    passwd: password unchanged

Is it possible to do what I want?

Special thanks.
Re: Freeradius: change user passwords through pam_radius
On 27 May 2013, at 15:26, Roberto Carna robertocarn...@gmail.com wrote:

> Dear, I have a Linux box authenticating SSH users against Freeradius. It works OK.
>
> When the users go into the Linux box via SSH, I need them to change their own radius passwords. For this reason, I edited the /etc/pam.d/passwd file as follows:
>
>     password sufficient pam_radius_auth.so
>     @include common-auth
>
> in order to communicate with our freeradius and change the user's password executing the passwd command in the shell.
>
> But the passwords never change and I get this error:
>
>     Password:
>     New password:
>     New password (again):
>     Enter new UNIX password:
>     Retype new UNIX password:
>     passwd: Authentication token manipulation error
>     passwd: password unchanged
>
> Is it possible to do what I want?

No.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: Freeradius: change user passwords through pam_radius
On 27 May 2013, at 18:03, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 27 May 2013, at 15:26, Roberto Carna robertocarn...@gmail.com wrote:
>
>> Dear, I have a Linux box authenticating SSH users against Freeradius. It works OK.
>>
>> When the users go into the Linux box via SSH, I need them to change their own radius passwords. For this reason, I edited the /etc/pam.d/passwd file as follows:
>>
>>     password sufficient pam_radius_auth.so
>>     @include common-auth
>>
>> in order to communicate with our freeradius and change the user's password executing the passwd command in the shell.
>>
>> But the passwords never change and I get this error:
>>
>>     Password:
>>     New password:
>>     New password (again):
>>     Enter new UNIX password:
>>     Retype new UNIX password:
>>     passwd: Authentication token manipulation error
>>     passwd: password unchanged
>>
>> Is it possible to do what I want?
>
> No.

Actually PAM radius code does have references to password change functionality. No idea how it works though.

Recommend you RTFS.

https://github.com/FreeRADIUS/pam_radius/blob/master/pam_radius_auth.c

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Re: pam_radius requires setting Auth-Type ?
On 21/09/2012 12:34, Fajar A. Nugraha wrote:

Sorry for being so late...

> What does your full debug look like?

Just edited passwords and trimmed clients...

    FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 24 2011 at 07:53:12
    Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
    There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
    PARTICULAR PURPOSE.
    You may redistribute copies of FreeRADIUS under the terms of the
    GNU General Public License v2.
    Starting - reading configuration files ...
    including configuration file /etc/freeradius/radiusd.conf
    including configuration file /etc/freeradius/proxy.conf
    including configuration file /etc/freeradius/clients.conf
    including files in directory /etc/freeradius/modules/
    including configuration file /etc/freeradius/modules/checkval
    including configuration file /etc/freeradius/modules/chap
    including configuration file /etc/freeradius/modules/pam
    including configuration file /etc/freeradius/modules/preprocess
    including configuration file /etc/freeradius/modules/expr
    including configuration file /etc/freeradius/modules/ldap
    including configuration file /etc/freeradius/modules/always
    including configuration file /etc/freeradius/modules/smbpasswd
    including configuration file /etc/freeradius/modules/etc_group
    including configuration file /etc/freeradius/modules/attr_filter
    including configuration file /etc/freeradius/modules/attr_rewrite
    including configuration file /etc/freeradius/modules/ippool
    including configuration file /etc/freeradius/modules/perl
    including configuration file /etc/freeradius/modules/counter
    including configuration file /etc/freeradius/modules/echo
    including configuration file /etc/freeradius/modules/smsotp
    including configuration file /etc/freeradius/modules/exec
    including configuration file /etc/freeradius/modules/krb5
    including configuration file /etc/freeradius/modules/sql_log
    including configuration file /etc/freeradius/modules/radutmp
    including configuration file /etc/freeradius/modules/policy
    including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
    including configuration file /etc/freeradius/modules/mac2ip
    including configuration file /etc/freeradius/modules/files
    including configuration file /etc/freeradius/modules/expiration
    including configuration file /etc/freeradius/modules/wimax
    including configuration file /etc/freeradius/modules/unix
    including configuration file /etc/freeradius/modules/logintime
    including configuration file /etc/freeradius/modules/cui
    including configuration file /etc/freeradius/modules/otp
    including configuration file /etc/freeradius/modules/detail
    including configuration file /etc/freeradius/modules/sradutmp
    including configuration file /etc/freeradius/modules/detail.example.com
    including configuration file /etc/freeradius/modules/inner-eap
    including configuration file /etc/freeradius/modules/digest
    including configuration file /etc/freeradius/modules/linelog
    including configuration file /etc/freeradius/modules/mac2vlan
    including configuration file /etc/freeradius/modules/pap
    including configuration file /etc/freeradius/modules/ntlm_auth
    including configuration file /etc/freeradius/modules/opendirectory
    including configuration file /etc/freeradius/modules/passwd
    including configuration file /etc/freeradius/modules/detail.log
    including configuration file /etc/freeradius/modules/realm
    including configuration file /etc/freeradius/modules/dynamic_clients
    including configuration file /etc/freeradius/modules/acct_unique
    including configuration file /etc/freeradius/modules/mschap
    including configuration file /etc/freeradius/eap.conf
    including configuration file /etc/freeradius/sql.conf
    including configuration file /etc/freeradius/sql/mysql/dialup.conf
    including configuration file /etc/freeradius/policy.conf
    including files in directory /etc/freeradius/sites-enabled/
    including configuration file /etc/freeradius/sites-enabled/inner-tunnel
    including configuration file /etc/freeradius/sites-enabled/default
    main {
        user = freerad
        group = freerad
        allow_core_dumps = no
    }
    including dictionary file /etc/freeradius/dictionary
    main {
        prefix = /usr
        localstatedir = /var
        logdir = /var/log/freeradius
        libdir = /usr/lib/freeradius
        radacctdir = /var/log/freeradius/radacct
        hostname_lookups = no
        max_request_time = 30
        cleanup_delay = 5
        max_requests = 1024
        pidfile = /var/run/freeradius/freeradius.pid
        checkrad = /usr/sbin/checkrad
        debug_level = 0
        proxy_requests = yes
     log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
     }
     security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
     }
    }
    radiusd: Loading Realms and Home Servers
     proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
Re: pam_radius requires setting Auth-Type ?
On Mon, Sep 24, 2012 at 2:09 PM, NdK ndk.cla...@gmail.com wrote:

>> Is it possible you DON'T have pap in authorize section?
>
> Nope. It's there:
>
>     authorize {
>         unibo_map_realms
>         preprocess
>         auth_log
>         chap
>         mschap
>         digest
>         suffix
>         eap {
>             ok = return
>         }
>         expiration
>         logintime
>         files
>         pap
>     }

Is this sites-available/default? Or inner-tunnel?

Your log for inner tunnel only shows this:

    server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
     modules {
     Module: Checking authenticate {...} for more modules to load
     Module: Linked to module rlm_pap
     Module: Instantiating module pap from file /etc/freeradius/modules/pap

IIRC authorize should come before authenticate. Which means you probably don't have pap on authorize section of inner tunnel.

--
Fajar
Re: pam_radius requires setting Auth-Type ?
On 24/09/2012 09:40, Fajar A. Nugraha wrote:

> Is this sites-available/default? Or inner-tunnel?

sites-available/default.

> Your log for inner tunnel only shows this:
>
>     server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
>      modules {
>      Module: Checking authenticate {...} for more modules to load
>      Module: Linked to module rlm_pap
>      Module: Instantiating module pap from file /etc/freeradius/modules/pap

Maybe it doesn't instantiate it again since pap is already instantiated in default?

> IIRC authorize should come before authenticate. Which means you probably don't have pap on authorize section of inner tunnel.

But it's there:

    authorize {
        unibo_map_realms
        chap
        mschap
        suffix
        ntdomain
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }
        files
        expiration
        logintime
        pap
    }

That's why I'm quite confused...

BYtE, Diego.
Re: pam_radius requires setting Auth-Type ?
On 21/09/2012 13:04, Alan DeKok wrote:

> You probably deleted pap from the authorize section of raddb/sites-available/default.

Nope... I'd (probably) have spotted that.

> Don't break the configuration.

I knew you'd (rightfully) say that :)

Too bad I'm not the one that configured that server... I just told him that Auth-Type should not be manually set, so I'm now in charge of fixing the config :(

I think I'll have to set up another machine and start from scratch, so as to minimize impact (it's a lone production server! glip!). Once the new server is up and running, I'll reformat the current one and clone the working config.

BYtE, Diego.
Re: pam_radius requires setting Auth-Type ?
On 09/24/2012 08:09 AM, NdK wrote:

> Ready to process requests.

That's not a full debug. There are no packets here.

Gather a full debug. *Read* it, and the answer will be in there. If you can't spot it, then post it.
Re: pam_radius requires setting Auth-Type ?
On Mon, Sep 24, 2012 at 3:40 PM, NdK ndk.cla...@gmail.com wrote:

> That's why I'm quite confused...

At this point it should be MUCH easier for you to restart from scratch, using a fresh installation. Use Ubuntu 12.04, even on virtualbox is fine, possibly with freeradius/stable ppa to get the latest FR version. Then add a test user, and do a simple test with radtest. It will work without setting auth-type.

Once you get that working, start comparing it with the current setup to see what went wrong. One way to do that is to start with the working test configuration above, then make incremental minimal changes to bring it closer to your current setup. During each step make sure you test the effect. And have a control system for your config file to record the changes on each step (git works great for this purpose).

--
Fajar
pam_radius requires setting Auth-Type ?
Hello all.

We just added pam_radius to our vpn host, to authenticate vpn users through our (working) RADIUS server.

IIUC pam_radius is sending a PAP message:

    Access-Request packet from host 192.168.130.61 port 9327, id=233, length=99
        User-Name = STUDENTI\\studente.fittizio
        User-Password = my-cleartext-password
        NAS-IP-Address = 130.136.152.6
        NAS-Identifier = openvpn
        NAS-Port = 8302
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only

But if I don't add (in users file) a line like:

    DEFAULT NAS-Identifier == openvpn, Auth-Type := PAP

FR complains:

    ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

IIUC, Auth-Type should never be set manually, so I'm quite sure I'm missing something... Could you please point me in the right direction?

Tks.

BYtE, Diego.
Re: pam_radius requires setting Auth-Type ?
On Fri, Sep 21, 2012 at 5:24 PM, NdK ndk.cla...@gmail.com wrote:

> Hello all.
>
> We just added pam_radius to our vpn host, to authenticate vpn users through our (working) RADIUS server.
>
> IIUC pam_radius is sending a PAP message:
>
>     Access-Request packet from host 192.168.130.61 port 9327, id=233, length=99
>         User-Name = STUDENTI\\studente.fittizio
>         User-Password = my-cleartext-password
>         NAS-IP-Address = 130.136.152.6
>         NAS-Identifier = openvpn
>         NAS-Port = 8302
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>
> But if I don't add (in users file) a line like:
>
>     DEFAULT NAS-Identifier == openvpn, Auth-Type := PAP
>
> FR complains:
>
>     ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user
>
> IIUC, Auth-Type should never be set manually, so I'm quite sure I'm missing something... Could you please point me in the right direction?

What does your full debug look like?

Is it possible you DON'T have pap in authorize section?

--
Fajar
Re: pam_radius requires setting Auth-Type ?
NdK wrote:

> We just added pam_radius to our vpn host, to authenticate vpn users through our (working) RADIUS server.
>
> IIUC pam_radius is sending a PAP message:
> ...
> But if I don't add (in users file) a line like:
>
>     DEFAULT NAS-Identifier == openvpn, Auth-Type := PAP
>
> FR complains:
>
>     ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

You probably deleted pap from the authorize section of raddb/sites-available/default.

> IIUC, Auth-Type should never be set manually, so I'm quite sure I'm missing something... Could you please point me in the right direction?

Don't break the configuration.

Alan DeKok.
Re: ssh authentication failed problem use freeradius pam_radius
Is there anyone to contribute this fix?
Re: ssh authentication failed problem use freeradius pam_radius
The pam_radius_auth module is installed on linux, and if the user-A is not created in local and only existed in remote radius server.

In following function() in pam_radius_auth.c, the *password always is INCORRECT

+code+
static int rad_converse(pam_handle_t *pamh, int msg_style, char *message, char **password)
{
  CONST struct pam_conv *conv;
  struct pam_message resp_msg;
  CONST struct pam_message *msg[1];
  struct pam_response *resp = NULL;
  int retval;

  resp_msg.msg_style = msg_style;
  resp_msg.msg = message;
  msg[0] = &resp_msg;

  /* grab the password */
  retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv);
  PAM_FAIL_CHECK;

  retval = conv->conv(1, msg, &resp, conv->appdata_ptr);
  /* poster's note: it seems the resp is saved some useful info. */
  PAM_FAIL_CHECK;

  if (password) {		/* assume msg.type needs a response */
    /* I'm not sure if this next bit is necessary on Linux */
    _pam_log(LOG_ERR, "enter in");
#ifdef sun
    /* NULL response, fail authentication */
    if ((resp == NULL) || (resp->resp == NULL)) {
      return PAM_SYSTEM_ERR;
    }
#endif

    *password = resp->resp;
    /* poster's note: saved the return value to *password. (value is INCORRECT) */
    free(resp);
  }

  return PAM_SUCCESS;
}
+code+

Not familiar with this module, can anybody give some instructions?
Re: ssh authentication failed problem use freeradius pam_radius
On Thu, May 24, 2012 at 9:44 PM, sam jianxue...@alcatel-lucent.com wrote:

> The pam_radius_auth module is installed on linux, and if the user-A is not created in local and only existed in remote radius server.
>
> In following function() in pam_radius_auth.c, the *password always is INCORRECT

That is the expected behavior. For pam to work, the user needs to exist in whatever user db it recognizes (in this case, local user).

> Not familiar with this module, can anybody give some instructions?

Had you read the previous messages, you'd know that if you want to modify something, it'd be in pam, and NOT in pam_radius plugin. Possibly by using nss_mysql and getting it to use the same data that FR is using (with the help of views, or whatever).

But since you decide to ignore it anyway and insist on focusing your efforts on pam_radius_auth.c, you're pretty much on your own.

--
Fajar
Re: ssh authentication failed problem use freeradius pam_radius
mu...@yahoo.cn wrote:

>> This is an issue with PAM on the client machine. Some other module is doing password checking. When the password check fails, it re-sets the password to INCORRECT. That password is then sent to the pam_radius module.
>>
>> Go fix the client so that the PAM modules don't change the password.
>
> My /etc/pam.d/sshd file contains the following settings:

I had a similar problem today. PAM considered the user illegal because the uid in question was unknown on the machine to be accessed by ssh. Adding the user locally was required anyway, I had forgotten that on that particular machine, there are only local accounts.

HTH (and thanx to Alan)

Martin

--
Dr. Martin Pauly     Phone:  +49-6421-28-23527
HRZ Univ. Marburg    Fax:    +49-6421-28-26994
Hans-Meerwein-Str.   E-Mail: pa...@hrz.uni-marburg.de
D-35032 Marburg
ssh authentication failed problem use freeradius pam_radius
Hi everyone,

I am trying to use pam_radius to authenticate SSH login. My system is Centos 5.6 64bit.

When I try to authenticate with ssh it fails. I am sure the shared secret is correct.

Freeradius got the following logs:

    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    +- entering group PAP {...}
    [pap] login attempt with password ? INCORRECT
    [pap] Using clear text password
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password.Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject

And by the way, is it possible to create a ssh user on NAS after the first successful authentication?
Re: ssh authentication failed problem use freeradius pam_radius
小牧 wrote:

> I am trying to use pam_radius to authenticate SSH login. My system is Centos 5.6 64bit.
>
> When I try to authenticate with ssh it fails. I am sure the shared secret is correct.

The shared secret is correct.

> [pap] login attempt with password ? INCORRECT

This is an issue with PAM on the client machine. Some other module is doing password checking. When the password check fails, it re-sets the password to INCORRECT. That password is then sent to the pam_radius module.

Go fix the client so that the PAM modules don't change the password.

Alan DeKok.
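Added example, not part of the original thread and not code from FreeRADIUS or pam_radius: the RADIUS User-Password hiding from RFC 2865 section 5.2, used to tell apart the two conditions that both produce the "Unprintable characters in the password" warning quoted above. The secrets, authenticator and typed password are constructed, and `SSHD_PLACEHOLDER` is an assumption about the value sshd hands to PAM for a user with no local account.

```python
"""RADIUS User-Password hiding (RFC 2865, section 5.2) plus a triage helper."""
import hashlib

# Assumption (not stated in the thread): the byte string OpenSSH passes to PAM
# in place of the typed password when it considers the user invalid.
SSHD_PLACEHOLDER = b"\x08\n\r\x7fINCORRECT"


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client (NAS) side: what a PAP client does before sending User-Password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    # NUL-pad to a multiple of 16 bytes, with a minimum of one block.
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        # c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = Request Authenticator
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding using the server's copy of the secret."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes, multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")


def triage(decoded: bytes) -> str:
    """Classify a decoded password the way an operator reading the log should."""
    if decoded == SSHD_PLACEHOLDER:
        # Secret is fine; the client-side PAM stack replaced the password.
        return "sshd-placeholder"
    if decoded and all(0x20 <= c <= 0x7E for c in decoded):
        return "printable"
    # Random-looking bytes: the secrets on NAS and server most likely differ.
    return "unprintable"


def demo() -> dict:
    server_secret = b"testing123"   # constructed
    wrong_secret = b"testing124"    # constructed, differs by one character
    authenticator = bytes(range(16))  # constructed Request Authenticator
    typed = b"correct horse"        # constructed password
    cases = {
        "local user exists": (typed, server_secret),
        "secret mismatch": (typed, wrong_secret),
        "no local user": (SSHD_PLACEHOLDER, server_secret),
    }
    results = {}
    for label, (password, nas_secret) in cases.items():
        hidden = hide_password(password, nas_secret, authenticator)
        results[label] = triage(unhide_password(hidden, server_secret, authenticator))
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:18} -> {verdict}")
```

A decoded value that ends in a readable `INCORRECT` means the shared secret matched, so the fix belongs on the SSH host (user lookup or PAM stack), not in the server's client configuration.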
Re: ssh authentication failed problem use freeradius pam_radius
Hello, Alan. Thank you for your response.

Alan wrote:

> This is an issue with PAM on the client machine. Some other module is doing password checking. When the password check fails, it re-sets the password to INCORRECT. That password is then sent to the pam_radius module.
>
> Go fix the client so that the PAM modules don't change the password.

My /etc/pam.d/sshd file contains the following settings:

    -bash-3.2# cat sshd
    #%PAM-1.0
    auth       sufficient   pam_radius_auth.so debug
    auth       include      system-auth
    account    sufficient   pam_radius_auth.so
    account    required     pam_nologin.so
    account    include      system-auth
    password   sufficient   pam_radius_auth.so
    password   include      system-auth
    session    sufficient   pam_radius_auth.so
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so
pam_radius not using /etc/raddb/server
I have a client system that seems to be ignoring changes in the pam_radius config file, /etc/raddb/server. I initially configured the system with a simple shared secret and had it pointed to a test server and now when I change the file /etc/raddb/server the client still talks to the test server instead of the new freeradius server. I even added the test server IP address to the new freeradius server and verified that the client is even still using the old simple shared secret. I've gone as far as completely removing the /etc/raddb/server file and the client continues to use the previous config.

What am I missing? The system has been rebooted numerous times.
Re: pam_radius not using /etc/raddb/server
g17jimmy wrote:

> I have a client system that seems to be ignoring changes in the pam_radius config file, /etc/raddb/server. I initially configured the system with a simple shared secret and had it pointed to a test server and now when I change the file /etc/raddb/server the client still talks to the test server instead of the new freeradius server. I even added the test server IP address to the new freeradius server and verified that the client is even still using the old simple shared secret. I've gone as far as completely removing the /etc/raddb/server file and the client continues to use the previous config.
>
> What am I missing? The system has been rebooted numerous times.

It's likely that the configuration file for the pam_radius_auth module has been moved. Find out where it is, and edit that.

If the module talks to the server when the config file doesn't exist, it's because it's using a different config file.

Alan DeKok.
Re: pam_radius not using /etc/raddb/server
Thanks, Alan. I definitely suspected both of the things you suggest, but I initially installed this system and configured it, so I'm really confused as to how this alternate configuration came to be.

I found the rogue configuration in the file /etc/pam_radius.conf. Unless I did that one evening after a few beers and just don't recall, I maintain that I didn't create the file. ;)

Thanks again.
patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes
Greetings:

We recently had a customer that wanted to check a password against AD via kerberos and then an one-time passcode against a WiKID Strong Authentication server via radius. We found that PAM passed the AD password to our OTP server, which failed. We have added a pam option always prompt in the attached code. This will force a WiKID passcode: prompt regardless of any previous password entry. This can be changed, of course.

The /etc/pam.d/sshd file looks like:

Here's the /etc/pam.d/sshd:

    #%PAM-1.0
    auth       required     /lib/security/pam_krb5.so
    auth       requisite    /lib/security/pam_radius_auth.so always_prompt
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

No changes to system-auth were made.

The /etc/ssh/sshd_config looks like:

    Protocol 2
    SyslogFacility AUTHPRIV
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    GSSAPIAuthentication yes
    UsePAM yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL
    X11Forwarding yes
    UseDNS no
    Subsystem sftp /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication 124a125,128 } else if (!strcmp(*argv, always_prompt)) { ctrl |= PAM_ALWAYS_PROMPT; DPRINT(LOG_DEBUG, DEBUG: Got always_prompt option); 1134,1136c1138,1149 /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; --- /* if always_propmpt is specified grab the passcode from the user */ if ((ctrl PAM_ALWAYS_PROMPT)) { DPRINT(LOG_DEBUG, Should prompt for the passcode now...); retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password); password = strdup(password); DPRINT(LOG_DEBUG, Got passcode %s, password); PAM_FAIL_CHECK; } else { /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; } 1149c1162 --- 1154d1166 124a125,127 } else if (!strcmp(*argv, always_prompt)) { ctrl |= PAM_ALWAYS_PROMPT; 1134,1136c1137,1146 /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; --- /* if always_propmpt is specified grab the passcode from the user */ if ((ctrl PAM_ALWAYS_PROMPT)) { retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password); password = strdup(password); PAM_FAIL_CHECK; } else { /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; } 1149c1159 --- 1154d1163 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
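Review bot: The debug variant's 1134,1136c1138,1149 hunk logs the one-time passcode in clear text through DPRINT(LOG_DEBUG, Got passcode %s, password), so any host running this module with the debug option records every passcode a user types. Log only that a passcode was received, without the value; the neighbouring "Should prompt for the passcode now..." message already shows the branch was taken. The comment in the same hunk also spells the option "always_propmpt", which should read always_prompt to match the string compared in the 124a125,128 hunk.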
Re: patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes
Nick Owen no...@wikidsystems.com wrote:

> We recently had a customer that wanted to check a password against AD via kerberos and then an one-time passcode against a WiKID Strong Authentication server via radius. We found that PAM passed the AD password to our OTP server, which failed. We have added a pam option always prompt in the attached code. This will force a WiKID passcode: prompt regardless of any previous password entry. This can be changed, of course.

Better to lead with the OTP as then you fend off brute force and dictionary attacks.

Cheers

--
Alexander Clouter
.sigmonster says: If you had any brains, you'd be dangerous.
patch files for pam_radius - adding an 'Always Prompt' option for one-time passcodes
We recently had a customer that wanted to check a password against AD via kerberos and then an one-time passcode against a WiKID Strong Authentication server via radius. We found that PAM passed the AD password to our OTP server, which failed. We have added a pam option always prompt in the attached code. This will force a WiKID passcode: prompt regardless of any previous password entry.

The /etc/pam.d/sshd file looks like:

Here's the /etc/pam.d/sshd:

    #%PAM-1.0
    auth       required     /lib/security/pam_krb5.so
    auth       requisite    /lib/security/pam_radius_auth.so always_prompt
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

No changes to system-auth were made.

The /etc/ssh/sshd_config looks like:

    Protocol 2
    SyslogFacility AUTHPRIV
    PasswordAuthentication yes
    ChallengeResponseAuthentication yes
    GSSAPIAuthentication yes
    UsePAM yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL
    X11Forwarding yes
    UseDNS no
    Subsystem sftp /usr/libexec/openssh/sftp-server

The key change is that ChallengeResponseAuthentication is yes.

Hopefully, others will find this of use.

Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983 http://www.wikidsystems.com Commercial/Open Source Two-Factor Authentication 124a125,128 } else if (!strcmp(*argv, always_prompt)) { ctrl |= PAM_ALWAYS_PROMPT; DPRINT(LOG_DEBUG, DEBUG: Got always_prompt option); 1134,1136c1138,1149 /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; --- /* if always_propmpt is specified grab the passcode from the user */ if ((ctrl PAM_ALWAYS_PROMPT)) { DPRINT(LOG_DEBUG, Should prompt for the passcode now...); retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password); password = strdup(password); DPRINT(LOG_DEBUG, Got passcode %s, password); PAM_FAIL_CHECK; } else { /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; } 1149c1162 --- 1154d1166 124a125,127 } else if (!strcmp(*argv, always_prompt)) { ctrl |= PAM_ALWAYS_PROMPT; 1134,1136c1137,1146 /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; --- /* if always_propmpt is specified grab the passcode from the user */ if ((ctrl PAM_ALWAYS_PROMPT)) { retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, WiKID Passcode: , password); password = strdup(password); PAM_FAIL_CHECK; } else { /* grab the password (if any) from the previous authentication layer */ retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) password); PAM_FAIL_CHECK; } 1149c1159 --- 1154d1163 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
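Review bot: In the 1134,1136c1137,1146 hunk, password = strdup(password) runs before PAM_FAIL_CHECK, so a failed rad_converse() call is only detected after its output pointer has already been passed to strdup(). Put PAM_FAIL_CHECK directly after the rad_converse() line and duplicate the string only once the conversation has succeeded and the pointer is known to be non-NULL. The prompt string WiKID Passcode: is also hard-coded in the call; taking the prompt text from a module argument would let the always_prompt option serve other one-time-passcode back ends.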
NAS or supplicant, pam_radius or xsupplicant
Hi All

I have to install a FreeRADIUS to authenticate some users on network equipment (like a Catalyst cisco). I just want to authenticate users on the cisco switch, no vlan attribution ... So I conclude that I don't have to install/configure a supplicant on my computer (windows XP), the computer I use to contact the switch via telnet/ssh. Could you confirm that I'm right?

I would also like to authenticate users on UNIX servers. Also, I just need to authenticate the users on servers, so I conclude that I configure pam_radius on these servers and do not install/configure xsupplicant. Servers are RADIUS client/NAS and no supplicant. Of course I would like to have a safe communication between NAS and FreeRADIUS.

Could you tell me if I selected the good configuration, or if I am totally wrong. I read comments in configuration files and a lot of documentation on the web, but the cases described are often with supplicant - NAS - FreeRADIUS, with authentication on the supplicant for vlan attribution. I don't understand very well when I have to install xsupplicant or pam_radius on my UNIX server, if my server is a supplicant or a NAS.

Thanks for your help
François
pam_radius authentication problem - no password?
Hi,

I have problems using pam_radius to authenticate users using our freeradius server. I want to use it with openvpn but tested it with ssh. The new part of my /etc/pam.d/ssh looks like:

# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
auth       sufficient   /lib/security/pam_radius_auth.so debug try_first_pass

To nail the problem down I added some debug info to pam_radius_auth.c:

/* grab the password (if any) from the previous authentication layer */
retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password);
DPRINT(LOG_DEBUG, "Get password retval: %d, %d", retval, PAM_SUCCESS);
PAM_FAIL_CHECK;
DPRINT(LOG_DEBUG, "X Got password %s", password);
if(password) {
    password = strdup(password);
    DPRINT(LOG_DEBUG, "Got password %s", password);
}

My auth.log file then says:

Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Got user name enno
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Get password retval: 0, 0
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: X Got password (null)
Apr 15 13:55:04 openvpnserver sshd[29747]: pam_radius_auth: Sending RADIUS request code 1
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: RADIUS server our_radius_server failed to respond
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: All RADIUS servers failed to respond.
Apr 15 13:55:09 openvpnserver sshd[29747]: pam_radius_auth: authentication failed

There seem to be problems connecting to the radius server sometimes, but I think this isn't the problem here. When the connection works, I get radius response code 3 (afair).

I'm testing this on the target machine (openvpn server) using ssh -l enno 127.0.0.1 and some random password (first I tried with the correct password and then started debugging). Looking at the code of pam_radius_auth.c and at the output of auth.log I would say the call to pam seems to not return the AUTHTOK. The call succeeds, but the password pointer is NULL.

Any ideas?

Thanks in advance
Enno Gröper
Re: pam_radius authentication problem - no password?
Enno wrote:
> I'm testing this on the target machine (openvpn server) using ssh -l enno 127.0.0.1 and some random password (first I tried with the correct password and then started debugging). Looking at the code of pam_radius_auth.c and at the output of auth.log I would say the call to pam seems to not return the AUTHTOK. The call succeeds, but the password pointer is NULL. Any ideas?

Ask the core PAM libraries why they're not returning the password. i.e. this is a PAM problem. The pam_auth_radius module is working correctly.

Alan DeKok.
pam_radius on RHEL AS4 (64-bit)
I compiled the latest pam_radius-1.3.17, on Red Hat Linux AS 4.0 Update4. When I ran 'make', I got:

cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function `pam_sm_authenticate':
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
cc -Wall -fPIC -c -o md5.o md5.c
ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so

-and it looked like it created the 'pam_radius_auth.so'. When I 'file pam_radius_auth.so', it shows:

pam_radius_auth.so: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not stripped

which to me looks fine, and added it to /lib/security. I added

auth sufficient pam_radius_auth.so

to /etc/pam.d/sshd and

auth sufficient /lib/security/pam_radius_auth.so

to /etc/pam.d/system.auth files. I tested w/ ssh, it doesn't authenticate. Will it work w/ 64-bit?

Thanks.
-Gabe
Re: pam_radius: multiple bad logins hitting radius server
J S wrote:
> I'm running pam_radius 1.3.16 on Solaris 10 using a Cisco ACS backend that authenticates to an MS AD server. I'm running into an issue where a user will fail a single login attempt (one username/password challenge with a bad password) and the ACS will record 3 attempts from the client (the Solaris 10 server). After a single attempt (or a valid login with a local password) the 3 fails bollixes up the AD login attempts and locks the user out. Am I missing a compile option to only attempt a single RADIUS login per authentication or do I possibly have pam.conf misconfigured. I use sshd-kbdint and sshd-password with the same results. Otherwise the system works well.

The module will re-send the request if it doesn't get a response from the RADIUS server. Or, if the response is sent from the wrong IP (i.e. the RADIUS server has multiple IPs). Or, if the shared secret is incorrect.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: pam_radius: multiple bad logins hitting radius server
That's good to know. What seems odd, though, is that it resends the same request in quick, sub-second succession (based on the RADIUS server logs). This case has a single RADIUS server at a single IP and a single secret that works when the correct password is sent (and only 1 log entry), but a wrong entry is 3 failures.
Re: pam_radius: multiple bad logins hitting radius server
J S wrote:
> That's good to know. What seems odd, though, is that it resends the same request in quick, sub-second succession (based on the RADIUS server logs).

Well, that's a problem. The intent of the module is to wait for the timeout before sending the next packet. Something appears to be waking the module up early, but I'm not sure what to suggest.

Alan DeKok.
pam_radius: multiple bad logins hitting radius server
I'm running pam_radius 1.3.16 on Solaris 10 using a Cisco ACS backend that authenticates to an MS AD server. I'm running into an issue where a user will fail a single login attempt (one username/password challenge with a bad password) and the ACS will record 3 attempts from the client (the Solaris 10 server). After a single attempt (or a valid login with a local password) the 3 fails bollixes up the AD login attempts and locks the user out. Am I missing a compile option to only attempt a single RADIUS login per authentication or do I possibly have pam.conf misconfigured. I use sshd-kbdint and sshd-password with the same results. Otherwise the system works well.

# pam_radius_auth configuration file. Copy to: /etc/raddb/server
#
# For proper security, this file SHOULD have permissions 0600,
# that is readable by root, and NO ONE else. If anyone other than
# root can read this file, then they can spoof responses from the server!
#
# There are 3 fields per line in this file. There may be multiple
# lines. Blank lines or lines beginning with '#' are treated as
# comments, and are ignored. The fields are:
#
# server[:port] secret [timeout]
#
# the port name or number is optional. The default port name is
# radius, and is looked up from /etc/services The timeout field is
# optional. The default timeout is 3 seconds.
#
# If multiple RADIUS server lines exist, they are tried in order. The
# first server to return success or failure causes the module to return
# success or failure. Only if a server fails to response is it skipped,
# and the next server in turn is used.
#
# The timeout field controls how many seconds the module waits before
# deciding that the server has failed to respond.
#
# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
#other-server other-secret 3
localhost secret 3
10.0.0.10:2048 3
#
# having localhost in your radius configuration is a Good Thing.
#
# See the INSTALL file for pam.conf hints.

bash-3.00# cat /etc/pam.conf
#
#ident @(#)pam.conf 1.28 04/04/21 SMI
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the other section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth sufficient /usr/lib/security/pam_radius_auth.so.1 debug
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_dhkeys.so.1
login   auth required   pam_unix_cred.so.1
login   auth required   pam_unix_auth.so.1
login   auth required   pam_dial_auth.so.1
#
telnet  auth sufficient /usr/lib/security/pam_radius_auth.so.1 debug
#telnet auth required   /usr/lib/security/pam_unix.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient pam_rhosts_auth.so.1
rlogin  auth requisite  pam_authtok_get.so.1
rlogin  auth required   pam_dhkeys.so.1
rlogin  auth required   pam_unix_cred.so.1
rlogin  auth required   pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required   pam_unix_cred.so.1
krlogin auth binding    pam_krb5.so.1
krlogin auth required   pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient pam_rhosts_auth.so.1
rsh     auth required   pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required   pam_unix_cred.so.1
krsh    auth binding    pam_krb5.so.1
krsh    auth required   pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required   pam_unix_cred.so.1
ktelnet auth binding    pam_krb5.so.1
ktelnet auth required   pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite  pam_authtok_get.so.1
ppp     auth required   pam_dhkeys.so.1
ppp     auth required   pam_unix_cred.so.1
ppp     auth required   pam_unix_auth.so.1
ppp     auth required   pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth required   pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required   pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account
PAM_RADIUS
Hi,

I'd like to know if FreeRadius Pam_RADIUS is still up to date? Do you have any suggestions to make it work with Red Hat Enterprise Linux 4?

Thanks,
Thomas
Re: PAM_RADIUS
OK, authentication works but not accounting, whereas I have in etc/pam.d/system-auth:

account sufficient /lib/security/$ISA/pam_radius_auth.so

Any idea why my REDHAT does not send any accounting?

Thomas

> Message of 23/02/07 at 17:39
> From: [EMAIL PROTECTED]
> To: freeradius-users@lists.freeradius.org
> Cc:
> Subject: PAM_RADIUS
>
> Hi, I'd like to know if FreeRadius Pam_RADIUS is still up to date? Do you have any suggestions to make it work with Red Hat Enterprise Linux 4? Thanks, Thomas
HP-UX and AIX pam_radius problem
Hi everybody,

I have a problem with the radius module for PAM. When I compile the source of pam_radius-1.3.16.tar, I get a lot of errors. I applied the patches available in the list, but the problems persist. In the HP-UX environments the messages are:

begin
[root] patch_pam_radius make
gcc -z -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function 'talk_radius':
pam_radius_auth.c:885: warning: passing argument 6 of 'recvfrom' from incompatible pointer type
pam_radius_auth.c: In function 'rad_converse':
pam_radius_auth.c:1021: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1024: warning: passing argument 2 of 'conv-conv' from incompatible pointer type
pam_radius_auth.c: In function 'pam_sm_authenticate':
pam_radius_auth.c:1076: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
pam_radius_auth.c:1104: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1118: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1151: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function 'pam_sm_setcred':
pam_radius_auth.c:1247: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_radius_auth.c: In function 'pam_private_session':
pam_radius_auth.c:1272: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
pam_radius_auth.c:1293: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function 'pam_sm_chauthtok':
pam_radius_auth.c:1379: warning: passing argument 2 of 'pam_get_user' from incompatible pointer type
pam_radius_auth.c:1400: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1409: warning: passing argument 3 of 'pam_get_item' from incompatible pointer type
pam_radius_auth.c:1414: warning: passing argument 3 of 'pam_get_item' from
incompatible pointer type gcc -z -fPIC -c md5.c ld -b pam_radius_auth.o md5.o -lpam -o pam_radius_auth.sopatch_pam_radiusend Apparently it compels but the pam_radius_auth.so not work, it causes a problem in sshd, follow the error: sshd[20783]: reverse mapping checking getaddrinfo for x.x.xxx - POSSIBLE BREAKIN ATTEMPT!I Apply this patch for HP-UX:=== Begin output listing from diff -u===diff -u clean/pam_radius-1.3.16/Makefile pam_radius-1.3.16/Makefile--- clean/pam_radius-1.3.16 /Makefile2003-09-19 10:41:45.0 -0400+++ pam_radius-1.3.16/Makefile 2003-12-23 11:21:26.0 -0500@@ -15,7 +15,10 @@ # # If you're not using GCC, then you'll have to change the CFLAGS. #-CFLAGS = -Wall -fPIC +#CFLAGS = -Wall -fPIC+# Added by jl 12/09/2003 for HP-UX+CFLAGS = +DAportable +DSPA7100 +z+# End Add jl # # On Irix, use this with MIPSPRo C Compiler, and don't forget to exportCC=cc # gcc on Irix does not work yet for pam_radius @@ -55,7 +58,10 @@ # gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so # pam_radius_auth.so: pam_radius_auth.o md5.o- ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so +# ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so+# Added by jl 12/09/2003 for HP-UX+ ld -b pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so+# End add jl ## #diff -u clean/pam_radius-1.3.16/md5.c pam_radius-1.3.16/md5.c--- clean/pam_radius-1.3.16/md5.c 2002-06-28 02:29:21.0 -0400+++ pam_radius-1.3.16/md5.c 2004-01-12 11:58:22.0 -0500 
@@ -43,6 +43,12 @@ #define HIGHFIRST #endif+/* 01/12/2004 jl - Added for HPUX compiles */+#ifdef _INCLUDE_HPUX_SOURCE+#define HIGHFIRST+#endif+/* END jl */+ #ifndef HIGHFIRST #define byteReverse(buf, len) /* Nothing */ #elsediff -u clean/pam_radius-1.3.16/md5.h pam_radius-1.3.16/md5.h--- clean/pam_radius-1.3.16/md5.h 2003-04-29 16:19:16.0 -0400+++ pam_radius-1.3.16 /md5.h 2003-12-16 11:33:55.0 -0500@@ -15,7 +15,10 @@ #define MD5Transform pra_MD5Transform #include sys/types.h-#define uint32 u_int32_t+/* Added by jl */+/* #define u_int32_t unsigned int */ +/* #define uint32 u_int32_t */+#define uint32 uint32_t struct MD5Context { uint32 buf[4];Only in pam_radius-1.3.16: md5.odiff -u clean/pam_radius-1.3.16/pam_radius_auth.cpam_radius- 1.3.16/pam_radius_auth.c--- clean/pam_radius-1.3.16/pam_radius_auth.c 2003-02-2713:01:07.0 -0500+++ pam_radius-1.3.16/pam_radius_auth.c 2004-01-12 12:00:52.0 -0500@@ -58,6 +58,11 @@ #ifdef sun #include security/pam_appl.h #endif+/* Added by jl 12/09/2003 */+#ifdef _INCLUDE_HPUX_SOURCE+#include security/pam_appl.h+#endif+/* End add jl */ #include security/pam_modules.h #include
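Review bot: In the Makefile hunk at @@ -15,7 +15,10 @@, CFLAGS is replaced outright with the HP-UX compiler options (+DAportable +DSPA7100 +z), so -Wall -fPIC is lost for every other platform and for gcc builds such as the gcc -z -fPIC one in the build log above. Keep CFLAGS = -Wall -fPIC as the default and select the HP-UX flags conditionally or through an override on the make command line; the same applies to the unconditional switch from ld -Bshareable to ld -b in the @@ -55,7 +58,10 @@ hunk.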
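Review bot: In the md5.h hunk, #define uint32 uint32_t depends on uint32_t already being declared, but the only include visible in the context is sys/types.h. Add the header that declares it on the target next to that include so md5.h does not depend on include order, and delete the two commented-out defines instead of leaving them in the header.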
why pam_radius library send packet twice??? Why?
I'm making a pam_client with pam_radius.so.

pam_client - pam_radius.so --- radius_daemon

application layer: pam_chauthtok() called once.
library layer: pam_sm_chauthtok() called twice: request sent twice..

I don't know the reason. Help me please.
pam_radius and Cisco ACS
I have been tasked with having all non windows devices on our network authenticate against our Active Directory, which is the reason we are using Cisco ACS. ACS currently authenticates for all cisco devices against our AD, via the external windows database option. I am now trying to get pam_radius to do the same with ACS's radius.

I have compiled pam_radius and it appears to be working as intended, however Cisco ACS reports External DB User Invalid or bad password anytime I try to use the same credentials that properly authenticate with ACS's tacacs on a linux or freebsd server. The username shows up properly on the ACS server, so I am assuming that the NAS is sending the proper username, but it appears that the password is not being sent correctly. I know the ACS server is trying to authenticate against AD because after so many tries the account gets locked out.

Has anyone been able to accomplish what I am trying to do here? Any suggestions besides lose ACS to get this to work? Is there something I can pass to the pam_radius module to have it transmit the password the way the ACS server is expecting to see it?

I appreciate any help or suggestions anyone can provide in advance.

Thank you,
Tom
Re: pam_radius and Cisco ACS
Tom [EMAIL PROTECTED] wrote:
> I have compiled pam_radius and it appears to be working as intended, however Cisco ACS reports External DB User Invalid or bad password anytime I try to use the same credentials that properly authenticate with ACS's tacacs on a linux or freebsd server. The username shows up properly on the ACS server, so I am assuming that the NAS is sending the proper username, but it appears that the password is not being sent correctly. I know the ACS server is trying to authenticate against AD because after so many tries the account gets locked out.

Is it a shared secret problem?

Alan DeKok.
Re: pam_radius and Cisco ACS
No, the shared secret is correct, otherwise the ACS would show that as being the error and wouldn't be trying to authenticate the user against the windows AD. I thought this might have been the issue until I purposely used the wrong secret and there were different errors.

--
Thomas Jones Jr.
Re: pam_radius and Cisco ACS
Tom [EMAIL PROTECTED] wrote:
> No, the shared secret is correct, otherwise the ACS would show that as being the error

RADIUS doesn't work like that. If there's no Message-Authenticator in the packet (and pam_radius doesn't send one), then the server can't tell that the secret is wrong. It can guess, (e.g. the messages FreeRADIUS produces), but it has no way of knowing for sure.

> I thought this might have been the issue until I purposely used the wrong secret and there were different errors.

If ACS can decode the password properly, then the shared secret is correct, and it *should* authenticate the user. If the shared secret is incorrect, then it will decode the password to random nonsense, and authentication will fail.

RADIUS is really that simple.

Alan DeKok.
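The mechanism described in the reply above, and the reason given in the earlier lockout thread for pam_radius re-sending when the secret is wrong, as an added example that is not code from the thread or from pam_radius: RFC 2865 User-Password hiding and the Response Authenticator check. Function names, secrets, passwords and the fixed request authenticator are constructed for illustration.

```python
"""RADIUS User-Password hiding and Response Authenticator check (RFC 2865)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ACCESS_REJECT = 3


def _xor_blocks(data: bytes, secret: bytes, request_auth: bytes, decode: bool) -> bytes:
    """Keystream: b1 = MD5(secret + RA), b(i) = MD5(secret + c(i-1))."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out += block
        # The chaining value is always the ciphertext block.
        prev = data[i:i + 16] if decode else block
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side: the value carried in the User-Password attribute."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, request_auth, decode=False)


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: there is no checksum, so a wrong secret just yields garbage."""
    if len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("hidden password must be 16..128 bytes in 16-byte blocks")
    return _xor_blocks(hidden, secret, request_auth, decode=True).rstrip(b"\x00")


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    digest = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + digest + attrs


def response_is_valid(packet: bytes, ident: int, request_auth: bytes,
                      secret: bytes) -> bool:
    """Client side: a reply that fails this check is dropped, as if none arrived."""
    if len(packet) < 20:
        return False
    _code, got_ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or got_ident != ident:
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def simulate_login(password: bytes, client_secret: bytes, server_secret: bytes,
                   stored_password: bytes):
    """One request/reply round trip.

    Returns (password as the server decoded it, reply code, client accepted reply).
    """
    # Constructed, fixed authenticator so the run is reproducible;
    # a real client uses 16 unpredictable bytes per request.
    request_auth = hashlib.md5(b"constructed-request-authenticator").digest()
    ident = 7
    hidden = hide_password(password, client_secret, request_auth)
    seen = recover_password(hidden, server_secret, request_auth)
    code = ACCESS_ACCEPT if hmac.compare_digest(seen, stored_password) else ACCESS_REJECT
    reply = build_response(code, ident, request_auth, b"", server_secret)
    return seen, code, response_is_valid(reply, ident, request_auth, client_secret)


if __name__ == "__main__":
    stored = b"correct horse"  # constructed sample credential
    for label, args in [
        ("matching secret, right password", (stored, b"s3cret", b"s3cret", stored)),
        ("matching secret, wrong password", (b"guess", b"s3cret", b"s3cret", stored)),
        ("mismatched secret, right password", (stored, b"s3cret", b"other", stored)),
    ]:
        seen, code, ok = simulate_login(*args)
        print(f"{label}: server decoded {seen!r}, reply code {code}, client accepts reply: {ok}")
```

With mismatched secrets the server rejects a correct password, which its backend counts as a failed attempt, and the client cannot validate the Access-Reject, so it treats the server as silent and sends again.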
solaris 8 compilation problem of pam_radius
Hi,

I want to use the client function of free-radius, but I've got a problem while compiling the pam_radius-1.3.16 module under solaris 8:

Any ideas are welcome!!!

Thanks
Peter

hqwww01tban{root} @: make
gcc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
In file included from pam_radius_auth.h:23,
                 from pam_radius_auth.c:63:
md5.h:21: error: parse error before u_int32_t
md5.h:21: warning: no semicolon at end of struct or union
md5.h:22: warning: type defaults to `int' in declaration of `bits'
md5.h:22: warning: data definition has no type or storage class
md5.h:24: error: parse error before '}' token
md5.h:29: error: parse error before buf
pam_radius_auth.c: In function `ipstr2long':
pam_radius_auth.c:179: warning: subscript has type `char'
pam_radius_auth.c: In function `good_ipaddr':
pam_radius_auth.c:215: warning: subscript has type `char'
pam_radius_auth.c: In function `host2server':
pam_radius_auth.c:271: warning: subscript has type `char'
pam_radius_auth.c: In function `get_random_vector':
pam_radius_auth.c:350: error: storage size of `my_md5' isn't known
pam_radius_auth.c:350: warning: unused variable `my_md5'
pam_radius_auth.c: In function `get_accounting_vector':
pam_radius_auth.c:382: error: storage size of `my_md5' isn't known
pam_radius_auth.c:382: warning: unused variable `my_md5'
pam_radius_auth.c: In function `verify_packet':
pam_radius_auth.c:400: error: storage size of `my_md5' isn't known
pam_radius_auth.c:400: warning: unused variable `my_md5'
pam_radius_auth.c: In function `add_password':
pam_radius_auth.c:497: error: storage size of `md5_secret' isn't known
pam_radius_auth.c:497: error: storage size of `my_md5' isn't known
pam_radius_auth.c:497: warning: unused variable `md5_secret'
pam_radius_auth.c:497: warning: unused variable `my_md5'
pam_radius_auth.c: In function `rad_converse':
pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_authenticate':
pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_private_session':
pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_chauthtok':
pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
make: *** [pam_radius_auth.o] Error 1
hqwww01tban{root} @:
RE: solaris 8 compilation problem of pam_radius
Hello Peter,

I had compiling problems with freeradius-1.0.5 on Solaris 10 (SPARC). The following config solved the problem:

To get freeradius-1.0.5 running on Solaris 10 (SPARC), set up the following before compiling (https://list.xs4all.nl/pipermail/freeradius-users/2005-November/048278.html)

uname -a:
SunOS r220 5.10 Generic sun4u sparc SUNW,Ultra-60

$CC
/usr/local/bin/gcc

$LD_LIBRARY_PATH
/usr/sfw/lib/sparcv9/:/lib/sparcv9/:/usr/sfw/lib/:/lib:/usr/lib:/usr/local/lib:/usr/local/X11/lib:/usr/dt/lib:/usr/openwin/lib/:/usr/local/ssl/lib

$PATH
/usr/sbin:/usr/bin:/opt/sfw/bin/:/opt/sfw/sbin/:/sbin/:/usr/sbin/:/usr/ccs/bin/:/usr/local/bin:/usr/local/sbin/:/usr/local/ssl/bin/:/usr/local/ssl/misc/:/usr/sfw/bin:/opt/sfw/bin/:/usr/sfw/bin

pkginfo | grep gcc
utility GNUgcc GNU gcc 3.4.4 SPARC 64bit Solaris 10 (installed in /usr/local)
system SUNWgcc gcc - The GNU C compiler
system SUNWgccruntime GCC Runtime libraries

/usr/local/bin/gcc -v
read specs from /usr/local/lib/gcc/sparc64-sun-solaris2.10/3.4.4/specs
configured with: /var/tmp/gcc-3.4.4/configure --prefix=/usr/local --host=sparc64-sun-solaris2.10 --enable-threads=posix --with-gxx-include-dir=/usr/local/include/g++ --with-system-zlib --enable-shared --with-ld=/usr/ccs/bin/ld --without-gnu-ld
Thread-Modell: posix
gcc-Version 3.4.4

! IMPORTANT: SETTING THE 'CFLAGS' before 'configure' !!!

CFLAGS="-I../include -I/usr/sfw/include/openssl" ./configure --prefix=/usr/local/freeradius --localstatedir=/var/ --sysconfdir=/etc

I can't say if it's a solution for your prob ... but you can try it.

good luck
RE: solaris 8 compilation problem of pam_radius
Hello Reiko,

thanks for your help. In the meantime I saw another hint in the archive:

In file md5.h change the line

#define uint32 u_int32_t

to

#define uint32 uint32_t

did it :-)

Best regards
Peter
help regarding pam_radius agent installation with RSA SecurID Authentication
Dear All

I am configuring radius_pam agent on redhat linux 9 to integrate it with RSA SecurID Authentication technology. I have enabled radius on my RSA server but while trying to login from my linux client I am not able to enter as it says that access denied. I got a log from the /var/log/messages from the Linux client system like the following...

Aug 29 18:00:02 phoebe sshd: pam_radius_auth: RADIUS server 172.16.51.149 failed to respond.
Aug 29 18:00:02 phoebe sshd: pam_radius_auth: All RADIUS servers failed to respond.

Can anyone please help me out of the situation? I am waiting for your reply / solution.

Regards,
Rakesh Mukherjee
India / Calcutta
Re: Solaris 9 and pam_radius 1.3.16
On Fri, 2004-09-03 at 02:41, Chew, Darren wrote: Hi All, I am having trouble compiling pam_radius 1.3.16 on Solaris 9. [EMAIL PROTECTED] # CC=gcc;export CC [EMAIL PROTECTED] # make gcc -Wall -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Waggregate-return -c pam_radius_auth.c -o pam_radius_auth.o In file included from pam_radius_auth.h:23, from pam_radius_auth.c:63: md5.h:21: error: parse error before u_int32_t md5.h:21: warning: no semicolon at end of struct or union md5.h:22: warning: type defaults to `int' in declaration of `bits' md5.h:22: warning: data definition has no type or storage class md5.h:24: error: parse error before '}' token md5.h:29: error: parse error before buf md5.h:29: warning: function declaration isn't a prototype pam_radius_auth.c:151: warning: no previous prototype for '_int_free' pam_radius_auth.c: In function `ipstr2long': pam_radius_auth.c:179: warning: subscript has type `char' pam_radius_auth.c: In function `good_ipaddr': pam_radius_auth.c:215: warning: subscript has type `char' pam_radius_auth.c: In function `host2server': pam_radius_auth.c:271: warning: subscript has type `char' pam_radius_auth.c: In function `get_random_vector': pam_radius_auth.c:350: error: storage size of 'my_md5' isn't known pam_radius_auth.c:350: warning: unused variable `my_md5' pam_radius_auth.c: In function `get_accounting_vector': pam_radius_auth.c:382: error: storage size of 'my_md5' isn't known pam_radius_auth.c:382: warning: unused variable `my_md5' pam_radius_auth.c: In function `verify_packet': pam_radius_auth.c:400: error: storage size of 'my_md5' isn't known pam_radius_auth.c:400: warning: unused variable `my_md5' pam_radius_auth.c: In function `add_password': pam_radius_auth.c:497: error: storage size of 'md5_secret' isn't known pam_radius_auth.c:497: error: storage size of 'my_md5' isn't known pam_radius_auth.c:497: warning: unused variable `md5_secret' pam_radius_auth.c:497: warning: unused variable `my_md5' pam_radius_auth.c: 
In function `rad_converse': pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type pam_radius_auth.c: In function `pam_sm_authenticate': pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: In function `pam_private_session': pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: In function `pam_sm_chauthtok': pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type make: *** [pam_radius_auth.o] Error 1 [EMAIL PROTECTED] # uname -a SunOS testbox1 5.9 Generic_117171-07 sun4u sparc SUNW,UltraAX-i2 [EMAIL PROTECTED] # gcc --version gcc (GCC) 3.4.1 Any help greatly appreciated. Darren Same boat here, but using Fedora Core 2. 
pam_radius_auth.c: In function `pam_sm_chauthtok': pam_radius_auth.c:1362: error: `PAM_AUTHTOK_ERR' undeclared (first use in this function) pam_radius_auth.c:1371: error: `argc' undeclared (first use in this function) pam_radius_auth.c:1371: error: `argv' undeclared (first use in this function) pam_radius_auth.c:1374: error: `pamh' undeclared (first use in this function) pam_radius_auth.c:1375: error: `PAM_SUCCESS' undeclared (first use in this function) pam_radius_auth.c:1380: error: `PAM_USER_UNKNOWN' undeclared (first use in this function) pam_radius_auth.c:1395: error: `PAM_SERVICE' undeclared (first use in this function) pam_radius_auth.c:1404: error: `PAM_OLDAUTHTOK' undeclared (first use in this function) pam_radius_auth.c:1409: error: `PAM_AUTHTOK' undeclared (first use in this function) pam_radius_auth.c:1414: error: `flags' undeclared (first use in this function) pam_radius_auth.c:1414: error: `PAM_PRELIM_CHECK' undeclared (first use in this function) pam_radius_auth.c:1416: error: `PAM_PROMPT_ECHO_OFF' undeclared (first use in this function) pam_radius_auth.c:1442: error: `PAM_PERM_DENIED' undeclared (first use in this function) pam_radius_auth.c:1467: error: `PAM_ERROR_MSG' undeclared (first use in this function) pam_radius_auth.c:1519: error
Re: Solaris 9 and pam_radius 1.3.16
On Wed, 2004-09-15 at 12:13, Kaczmarek, Thaddeus wrote: On Fri, 2004-09-03 at 02:41, Chew, Darren wrote: Hi All, I am having trouble compiling pam_radius 1.3.16 on Solaris 9. [EMAIL PROTECTED] # CC=gcc;export CC [EMAIL PROTECTED] # make gcc -Wall -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Waggregate-return -c pam_radius_auth.c -o pam_radius_auth.o In file included from pam_radius_auth.h:23, from pam_radius_auth.c:63: md5.h:21: error: parse error before u_int32_t md5.h:21: warning: no semicolon at end of struct or union md5.h:22: warning: type defaults to `int' in declaration of `bits' md5.h:22: warning: data definition has no type or storage class md5.h:24: error: parse error before '}' token md5.h:29: error: parse error before buf md5.h:29: warning: function declaration isn't a prototype pam_radius_auth.c:151: warning: no previous prototype for '_int_free' pam_radius_auth.c: In function `ipstr2long': pam_radius_auth.c:179: warning: subscript has type `char' pam_radius_auth.c: In function `good_ipaddr': pam_radius_auth.c:215: warning: subscript has type `char' pam_radius_auth.c: In function `host2server': pam_radius_auth.c:271: warning: subscript has type `char' pam_radius_auth.c: In function `get_random_vector': pam_radius_auth.c:350: error: storage size of 'my_md5' isn't known pam_radius_auth.c:350: warning: unused variable `my_md5' pam_radius_auth.c: In function `get_accounting_vector': pam_radius_auth.c:382: error: storage size of 'my_md5' isn't known pam_radius_auth.c:382: warning: unused variable `my_md5' pam_radius_auth.c: In function `verify_packet': pam_radius_auth.c:400: error: storage size of 'my_md5' isn't known pam_radius_auth.c:400: warning: unused variable `my_md5' pam_radius_auth.c: In function `add_password': pam_radius_auth.c:497: error: storage size of 'md5_secret' isn't known pam_radius_auth.c:497: error: storage size of 'my_md5' isn't known pam_radius_auth.c:497: warning: unused variable `md5_secret' 
pam_radius_auth.c:497: warning: unused variable `my_md5' pam_radius_auth.c: In function `rad_converse': pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type pam_radius_auth.c: In function `pam_sm_authenticate': pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: In function `pam_private_session': pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: In function `pam_sm_chauthtok': pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type make: *** [pam_radius_auth.o] Error 1 [EMAIL PROTECTED] # uname -a SunOS testbox1 5.9 Generic_117171-07 sun4u sparc SUNW,UltraAX-i2 [EMAIL PROTECTED] # gcc --version gcc (GCC) 3.4.1 Any help greatly appreciated. Darren Same boat here, but using Fedora Core 2. 
pam_radius_auth.c: In function `pam_sm_chauthtok': pam_radius_auth.c:1362: error: `PAM_AUTHTOK_ERR' undeclared (first use in this function) pam_radius_auth.c:1371: error: `argc' undeclared (first use in this function) pam_radius_auth.c:1371: error: `argv' undeclared (first use in this function) pam_radius_auth.c:1374: error: `pamh' undeclared (first use in this function) pam_radius_auth.c:1375: error: `PAM_SUCCESS' undeclared (first use in this function) pam_radius_auth.c:1380: error: `PAM_USER_UNKNOWN' undeclared (first use in this function) pam_radius_auth.c:1395: error: `PAM_SERVICE' undeclared (first use in this function) pam_radius_auth.c:1404: error: `PAM_OLDAUTHTOK' undeclared (first use in this function) pam_radius_auth.c:1409: error: `PAM_AUTHTOK' undeclared (first use in this function) pam_radius_auth.c:1414: error: `flags' undeclared (first use in this function) pam_radius_auth.c:1414: error: `PAM_PRELIM_CHECK' undeclared (first use in this function) pam_radius_auth.c:1416: error: `PAM_PROMPT_ECHO_OFF' undeclared (first use in this function) pam_radius_auth.c:1442: error
Re: Solaris 9 and pam_radius 1.3.16
[ long gcc build errors removed ]

The behavior of labels and some other syntax changes happened around gcc 3.4.0. For example, for the rlm_x99_token module, in x99_rlm.c, a ';' is needed after the label at or around line 547. The RedHat source RPM has this patch. I don't know how 'correct' gcc's behavior is, but this fixes the compile issues I had with freeradius. The same sorts of changes may be needed for the pam_auth_radius sources.

HTH,
Craig
Solaris 9 and pam_radius 1.3.16
Hi All, I am having trouble compiling pam_radius 1.3.16 on Solaris 9. [EMAIL PROTECTED] # CC=gcc;export CC [EMAIL PROTECTED] # make gcc -Wall -Wshadow -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Waggregate-return -c pam_radius_auth.c -o pam_radius_auth.o In file included from pam_radius_auth.h:23, from pam_radius_auth.c:63: md5.h:21: error: parse error before u_int32_t md5.h:21: warning: no semicolon at end of struct or union md5.h:22: warning: type defaults to `int' in declaration of `bits' md5.h:22: warning: data definition has no type or storage class md5.h:24: error: parse error before '}' token md5.h:29: error: parse error before buf md5.h:29: warning: function declaration isn't a prototype pam_radius_auth.c:151: warning: no previous prototype for '_int_free' pam_radius_auth.c: In function `ipstr2long': pam_radius_auth.c:179: warning: subscript has type `char' pam_radius_auth.c: In function `good_ipaddr': pam_radius_auth.c:215: warning: subscript has type `char' pam_radius_auth.c: In function `host2server': pam_radius_auth.c:271: warning: subscript has type `char' pam_radius_auth.c: In function `get_random_vector': pam_radius_auth.c:350: error: storage size of 'my_md5' isn't known pam_radius_auth.c:350: warning: unused variable `my_md5' pam_radius_auth.c: In function `get_accounting_vector': pam_radius_auth.c:382: error: storage size of 'my_md5' isn't known pam_radius_auth.c:382: warning: unused variable `my_md5' pam_radius_auth.c: In function `verify_packet': pam_radius_auth.c:400: error: storage size of 'my_md5' isn't known pam_radius_auth.c:400: warning: unused variable `my_md5' pam_radius_auth.c: In function `add_password': pam_radius_auth.c:497: error: storage size of 'md5_secret' isn't known pam_radius_auth.c:497: error: storage size of 'my_md5' isn't known pam_radius_auth.c:497: warning: unused variable `md5_secret' pam_radius_auth.c:497: warning: unused variable `my_md5' pam_radius_auth.c: In function `rad_converse': 
pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type pam_radius_auth.c: In function `pam_sm_authenticate': pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: In function `pam_private_session': pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: In function `pam_sm_chauthtok': pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type make: *** [pam_radius_auth.o] Error 1 [EMAIL PROTECTED] # uname -a SunOS testbox1 5.9 Generic_117171-07 sun4u sparc SUNW,UltraAX-i2 [EMAIL PROTECTED] # gcc --version gcc (GCC) 3.4.1 Any help greatly appreciated. Darren - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: pam_radius option
Mordechai T. Abzug wrote:

On Tue, Jun 08, 2004 at 09:20:36AM -0400, Asif Iqbal wrote:

Hi All

I am using pam_radius in Solaris 8 to allow my users login with their radius accounts. However I would like *only* the root account to be able to login with local unix account.

Well, what is radius authenticating against? You should be able to allow root to authenticate against system in your users file.

- Morty

I have the radius client, Solaris 8, setup like this on /etc/pam.conf

login auth required /usr/lib/security/pam_radius_auth.so.1
sshd auth required /usr/lib/security/pam_radius_auth.so.1

So when user logs in, he/she gets authenticated against the remote radius server which is declared in my /etc/raddb/server file.

However, when root tries to login it fails since I don't have (and I don't want to) a radius account for my root.

Now how do I make sure my users are not allowed to login with local systems account but just radius account (on remote server) while only root can login with local account?

Sorry for such a long question. Thanks for your help

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
There's no place like 127.0.0.1
Re: pam_radius option
On Thu, Jun 10, 2004 at 02:12:52AM -0400, Asif Iqbal wrote:

I have the radius client, Solaris 8, setup like this on /etc/pam.conf

login auth required /usr/lib/security/pam_radius_auth.so.1
sshd auth required /usr/lib/security/pam_radius_auth.so.1

So when user logs in, he/she gets authenticated against the remote radius server which is declared in my /etc/raddb/server file.

However, when root tries to login it fails since I don't have (and I don't want to) a radius account for my root.

Now how do I make sure my users are not allowed to login with local systems account but just radius account (on remote server) while only root can login with local account?

Make pam_unix sufficient. Make sure your users cannot set their passwords; say, chmod u-s /bin/passwd. Make sure that no users have passwords set except root.

- Morty
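Morty's advice in the message above only holds while no local account other than root has a usable password. The following check for that is an added example, not code from the thread; the function name, the sample accounts and the list of lock markers it recognises are assumptions, and the shadow lines are constructed.

```shell
#!/bin/sh
# Added example: list accounts that pam_unix would still accept if it is
# stacked as "sufficient" ahead of pam_radius_auth.

# Constructed sample in /etc/shadow format (name:password-field:...).
SAMPLE_SHADOW='root:$1$constructed$hashvalue:12000:0:99999:7:::
daemon:*:12000:0:99999:7:::
alice:!!:12000:0:99999:7:::
bob:$1$constructed$otherhash:12000:0:99999:7:::
carol::12000:0:99999:7:::
dave:*LK*:::::::
erin:NP:6445::::::
frank:!$1$constructed$lockedhash:12000:0:99999:7:::'

# local_password_accounts ALLOWED_USER
# Reads shadow-format lines on stdin and prints "name:reason" for every
# account other than ALLOWED_USER whose password field is usable:
#   name:empty  - no password set (accepted where null passwords are allowed)
#   name:hash   - a password hash that is not locked
# Fields starting with "!" or "*" (including the Solaris "*LK*" marker) and
# the Solaris "NP" marker are treated as unusable and not reported.
local_password_accounts() {
    allowed="$1"
    awk -F: -v allowed="$allowed" '
        $1 == "" || $1 ~ /^#/ { next }   # skip blank lines and comments
        $1 == allowed         { next }   # the one account meant to stay local
        {
            pw = $2
            if (pw == "")      { print $1 ":empty"; next }
            if (pw == "NP")    next       # Solaris: no password, no login
            if (pw ~ /^[!*]/)  next       # locked or placeholder entry
            print $1 ":hash"
        }'
}

# Demo run over the constructed sample; only root is meant to stay local.
printf '%s\n' "$SAMPLE_SHADOW" | local_password_accounts root
```

On a real host, run it as root with `local_password_accounts root < /etc/shadow`; any line it prints is an account that bypasses RADIUS. On Solaris, use nawk in place of awk.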
Re: pam_radius option
Asif Iqbal [EMAIL PROTECTED] wrote:

Can you please help? I am really looking for a solution/tip to allow root skip the radius authentication while force other users to go through this auth

It's a PAM question, and has nothing to do with RADIUS.

Alan DeKok.
Re: pam_radius option
Alan DeKok wrote:

Asif Iqbal [EMAIL PROTECTED] wrote:

Can you please help? I am really looking for a solution/tip to allow root skip the radius authentication while force other users to go through this auth

It's a PAM question, and has nothing to do with RADIUS.

Alan DeKok.

Hi Alan

Is there a mailing list that discusses about pam_radius? There was one suggestion I got to try but that did not help

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
There's no place like 127.0.0.1
Re: pam_radius option
Asif Iqbal [EMAIL PROTECTED] wrote:

Is there a mailing list that discusses about pam_radius?

This list. But your question was how to get PAM to NOT call pam_radius. That question has nothing to do with pam_radius, and nothing to do with RADIUS. It's a simple PAM question. The question belonged on a PAM list.

Alan DeKok.
Re: pam_radius option
Asif Iqbal wrote:

Asif Iqbal wrote:

Hi All

I am using pam_radius in Solaris 8 to allow my users login with their radius accounts. However I would like *only* the root account to be able to login with local unix account. Is that possible? Any help/direction would be greatly appreciated.

I tried to use this

sshd auth required /usr/lib/security/pam_radius_auth.so.1 user=root passwd=password

But that did not help

I am still waiting for some tips. Anyone else had similar concerns? I am trying to use telnet (not sshd) and skip auth for user root

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
There's no place like 127.0.0.1
Re: pam_radius option
On Tue, Jun 08, 2004 at 09:20:36AM -0400, Asif Iqbal wrote:

Hi All

I am using pam_radius in Solaris 8 to allow my users login with their radius accounts. However I would like *only* the root account to be able to login with local unix account.

Well, what is radius authenticating against? You should be able to allow root to authenticate against system in your users file.

- Morty
pam_radius option
Hi All

I am using pam_radius in Solaris 8 to allow my users login with their radius accounts. However I would like *only* the root account to be able to login with local unix account. Is that possible? Any help/direction would be greatly appreciated.

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
There's no place like 127.0.0.1
Re: pam_radius option
Asif Iqbal wrote:

Hi All

I am using pam_radius in Solaris 8 to allow my users login with their radius accounts. However I would like *only* the root account to be able to login with local unix account. Is that possible? Any help/direction would be greatly appreciated.

I tried to use this

sshd auth required /usr/lib/security/pam_radius_auth.so.1 user=root passwd=password

But that did not help

Thanks

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
There's no place like 127.0.0.1
Pam_radius, AIX 5.1 and OpenSSH
Title: Pam_radius, AIX 5.1 and OpenSSH Good day to all: I want use pam_radius PAM client 1.3.16 on AIX 5.1 to work with the OpenSSH. I have compiled the OpenSSH 3.8.1p1 with PAM support. But I am not able to compile pam_radius module. Here is the web page where I download the pam_radius client: http://www.freeradius.org/pam_radius_auth/ Has anyone done it ? Any help is appreciated. I got this when I make on original source codes: cc1: warning: -fPIC ignored for AIX (all code is position independent) pam_radius_auth.c: In function `talk_radius': pam_radius_auth.c:880: warning: passing arg 6 of `nrecvfrom' from incompatible pointer type pam_radius_auth.c: In function `rad_converse': pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type pam_radius_auth.c: At top level: pam_radius_auth.c:1050: syntax error before `int' pam_radius_auth.c: In function `pam_sm_authenticate': pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: At top level: pam_radius_auth.c:1235: syntax error before `int' pam_radius_auth.c: In function `pam_sm_setcred': pam_radius_auth.c:1242: warning: passing arg 3 of `pam_get_data' from incompatible pointer type pam_radius_auth.c: In function `pam_private_session': pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: At top level: pam_radius_auth.c:1336: syntax error before `int' pam_radius_auth.c:1343: syntax 
error before `int' pam_radius_auth.c:1354: syntax error before `int' pam_radius_auth.c: In function `pam_sm_chauthtok': pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: At top level: pam_radius_auth.c:1583: syntax error before `int' make: 1254-004 The error code from the last command is 1. I am using the make and gcc from IBM Linix Tool box for AIX 5L: http://www-1.ibm.com/servers/aix/products/aixos/linux/download.html. I also tried the gcc 3.0.1.0 with same error Notice that I am able to modify the source code to compile with no error, and the Radius client is connecting to my Radius server. But the Radius server does not recognize the password I sent to it via this freeradius pam client. I am not sure if there is any data type mismatch, or incompatible parameters in the PAM function call. Any help is very appreciated. Thanks Eric
RE: pam_radius-1.3.16
I am trying to compile the PAM module pam_radius-1.3.16 on a Solaris 8 system using GCC version 2.95.3 20010315 (release) and gmake version 3.79.1. I am getting the following errors from gmake and have little to no clue as to how to resolve them. Any help in either getting this to compile correctly or in locating a binary Radius_PAM module for Solaris would be greatly appreciated. Output from gmake: # gmake cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o In file included from pam_radius_auth.h:23, from pam_radius_auth.c:63: md5.h:21: parse error before `u_int32_t' md5.h:21: warning: no semicolon at end of struct or union md5.h:22: warning: type defaults to `int' in declaration of `bits' md5.h:22: warning: data definition has no type or storage class md5.h:24: parse error before `}' md5.h:29: parse error before `buf' pam_radius_auth.c: In function `ipstr2long': pam_radius_auth.c:179: warning: subscript has type `char' pam_radius_auth.c: In function `good_ipaddr': pam_radius_auth.c:215: warning: subscript has type `char' pam_radius_auth.c: In function `host2server': pam_radius_auth.c:271: warning: subscript has type `char' pam_radius_auth.c: In function `get_random_vector': pam_radius_auth.c:350: storage size of `my_md5' isn't known pam_radius_auth.c:350: warning: unused variable `my_md5' pam_radius_auth.c: In function `get_accounting_vector': pam_radius_auth.c:382: storage size of `my_md5' isn't known pam_radius_auth.c:382: warning: unused variable `my_md5' pam_radius_auth.c: In function `verify_packet': pam_radius_auth.c:400: storage size of `my_md5' isn't known pam_radius_auth.c:400: warning: unused variable `my_md5' pam_radius_auth.c: In function `add_password': pam_radius_auth.c:497: storage size of `md5_secret' isn't known pam_radius_auth.c:497: storage size of `my_md5' isn't known pam_radius_auth.c:497: warning: unused variable `my_md5' pam_radius_auth.c:497: warning: unused variable `md5_secret' pam_radius_auth.c: In function `rad_converse': 
pam_radius_auth.c:1016: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1019: warning: passing arg 2 of pointer to function from incompatible pointer type pam_radius_auth.c: In function `pam_sm_authenticate': pam_radius_auth.c:1071: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1099: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1113: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1146: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: In function `pam_private_session': pam_radius_auth.c:1267: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1288: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c: In function `pam_sm_chauthtok': pam_radius_auth.c:1374: warning: passing arg 2 of `pam_get_user' from incompatible pointer type pam_radius_auth.c:1395: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1404: warning: passing arg 3 of `pam_get_item' from incompatible pointer type pam_radius_auth.c:1409: warning: passing arg 3 of `pam_get_item' from incompatible pointer type gmake: *** [pam_radius_auth.o] Error 1 # Steve VanWambeck - SMTT TDG Platform Development Desk 425-580-7865 Wireless 425-301-1416 [EMAIL PROTECTED] If you see a turtle sitting on a fencepost, you know he had some help. . . õ¿õ ~ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Pam_radius strange failure
Hi all,

I'm trying to make pam_radius work and I get some weird errors:

Feb 23 15:11:15 tartuf login[254]: PAM unable to resolve symbol: pam_sm_acct_mgmt
Feb 23 15:11:15 tartuf login[254]: pam_radius_auth: Got user name test
Feb 23 15:11:16 tartuf login[254]: pam_radius_auth: Sending RADIUS request code 1
Feb 23 15:11:17 tartuf login[254]: pam_radius_auth: Got RADIUS response code 2
Feb 23 15:11:17 tartuf login[254]: pam_radius_auth: authentication succeeded
Feb 23 15:11:17 tartuf login[254]: Authentication service cannot retrieve authentication info.

The user 'test' is well made in freeradius and works perfectly for other types of authentication. As described in the INSTALL and USAGE files of the pam_radius module, I've set up this configuration file:

/etc/pam.d/login
auth requisite pam_securetty.so
auth sufficient /lib/security/pam_radius_auth.so debug conf=/etc/pam_radius_auth.conf
account sufficient /lib/security/pam_radius_auth.so
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so

I should specify that I've removed the /etc/shadow entry for this user to *really* test pam_radius auth. For the root user, it seems to work better because pam falls into pam_unix auth, probably because of the same pam_radius failure:

Feb 23 15:12:48 tartuf login[297]: PAM unable to resolve symbol: pam_sm_acct_mgmt
Feb 23 15:12:48 tartuf login[297]: pam_radius_auth: Got user name root
Feb 23 15:12:51 tartuf login[297]: pam_radius_auth: Sending RADIUS request code 1
Feb 23 15:12:51 tartuf login[297]: pam_radius_auth: Got RADIUS response code 2
Feb 23 15:12:51 tartuf login[297]: pam_radius_auth: authentication succeeded
Feb 23 15:12:51 tartuf PAM_unix[297]: (login) session opened for user root by LOGIN(uid=0)
Feb 23 15:12:51 tartuf login[297]: ROOT LOGIN on `tty1'

Any ideas?

Regards,
Didier