Re: PAM-Radius authentication issue on Ubuntu 7.4: can not authenticate SSH users not present in /etc/passwd
Hu, Fengliang (Procurve Networking) wrote:
> I did some research from the website and some emails dated in 2006 said
> that PAM_Radius can only authenticate user accounts in /etc/passwd file.
> Is that right?

Yes. There is no documented way in PAM to get UID/GID/etc from the PAM module (e.g. pam_radius), back up to PAM.

Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
PAM-Radius authentication issue on Ubuntu 7.4: can not authenticate SSH users not present in /etc/passwd
Hi,

I was trying to find a PAM-Radius mailing list and it seems that this is the best one.

A Ubuntu 7.4 box needs to be configured such that SSH users will be authenticated against an external FreeRadius server. FreeRadius server version is 1.1.7-1build4. The Ubuntu box uses OpenSSH 4.3-p2 and /etc/ssh/sshd_config is set to "UsePAM yes". I downloaded PAM_Radius 1.3.17.

Below is the procedure that I use Radius to authenticate a user in /etc/passwd (/etc/shadow doesn't have the password for that user).

1. FreeRadius server configures its clients.conf and user file to include a new user called "test1".
2. On my Ubuntu 7.4 box, add a user with command "useradd" to add a user "test1" but don't set a password. So the user "test1" on the Ubuntu box will be inactive.
3. Configure /etc/pam.d/ssh on the Ubuntu box to use "auth sufficient pam_radius_auth.so"
4. Also update the /etc/raddb/server on the Ubuntu box to point to the remote Radius server IP.
5. Try ssh te...@ubuntu box and it worked. Also monitored the Free Radius logging and it did show that the Access-Request packets went to Radius server.

So step 1-5 worked well for me. Note that at step 2, the user account to be authenticated is added to /etc/passwd.

The issue is: if step 2 is omitted, SSH login will fail. ACCESS_REQUEST packets with INCORRECT password were even sent to the Radius server. Further troubleshooting showed that PAM_Radius module got a bad password from PAM.

I did some research from the website and some emails dated in 2006 said that PAM_Radius can only authenticate user accounts in /etc/passwd file. Is that right?

Many thanks in advance,
Feng
Re: PAM Radius Authentication
daniel wrote:
> If I use LDAP to authenticate with PAM and freeradius authenticates against
> LDAP as well am I able to still store session details with LDAP?

I believe so, yes.

> I am trying to integrate my current hotspot database with my terminals so
> that users can authenticate on either using the same username and password.
> It is a ticket based system and they have a limited amount of time, this
> works fine on both systems with freeradius (mysql backend) but it is a pain
> to continually have to add users to /etc/passwd. This can all be administered
> through a set of PHP scripts.

That's why databases were invented.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: PAM Radius Authentication
Ok, I have some more questions.

> It sounds like a database might be a better choice. pam_ldap, in
> conjunction with nss_ldap should solve the problem.

If I use LDAP to authenticate with PAM and freeradius authenticates against LDAP as well am I able to still store session details with LDAP?

I am trying to integrate my current hotspot database with my terminals so that users can authenticate on either using the same username and password. It is a ticket based system and they have a limited amount of time, this works fine on both systems with freeradius (mysql backend) but it is a pain to continually have to add users to /etc/passwd. This can all be administered through a set of PHP scripts.

Thanks,
Daniel Davis
Re: PAM Radius Authentication
Hi can u tell me how run radius with pam?
thanks

On 4/19/07, daniel <[EMAIL PROTECTED]> wrote:
> Ok, I have gotten pam_radius_auth.so to work and it is working well, however, is there any way to get it to create a UID when it receives an auth accept?
>
> At the moment I have to run adduser every time I want a user to be able to log in, this would be ok if the users were fairly static, I could run a script every night to add new users to the system, unfortunately I have a lot of users and they need to be available immediately.
>
> Thanks for all your help so far.
>
> -Daniel Davis

--
Best Regards
Reza Behroozi
http://reza.behroozi.info
http://www.persianadmins.ir
http://www.persianadmins.com
Re: PAM Radius Authentication
daniel wrote:
> Ok, I have gotten pam_radius_auth.so to work and it is working well, however, is
> there any way to get it to create a UID when it receives an auth accept?

Not at the moment. It's not clear how to do that in PAM.

> At the moment I have to run adduser every time I want a user to be able to
> log in, this would be ok if the users were fairly static, I could run a
> script every night to add new users to the system, unfortunately I have a lot
> of users and they need to be available immediately.

It sounds like a database might be a better choice. pam_ldap, in conjunction with nss_ldap should solve the problem.

Alan DeKok.
Re: PAM Radius Authentication
Ok, I have gotten pam_radius_auth.so to work and it is working well, however, is there any way to get it to create a UID when it receives an auth accept?

At the moment I have to run adduser every time I want a user to be able to log in, this would be ok if the users were fairly static, I could run a script every night to add new users to the system, unfortunately I have a lot of users and they need to be available immediately.

Thanks for all your help so far.

-Daniel Davis
Re: PAM Radius Authentication
daniel wrote:
> Has anyone had any luck compiling pam_radius_auth on ubuntu?

$ apt-get install libpam0g-dev
$ cd pam_radius
$ make

> Does the pam module support accounting packets (ie. send accounting packet to
> radius when user logs on?)

Yes.

Alan DeKok.
Re: PAM Radius Authentication
Has anyone had any luck compiling pam_radius_auth on ubuntu?

On Mon, 16 Apr 2007 15:13:49 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> daniel wrote:
>> I am trying to set up unix authentication using radius.
>> Does the pam module support the maximum session times.
>
> No, because PAM has no provisions for enforcing maximum session times.

This is ok, I can write a script that runs every minute that just logs the user off based on the results of an sql query of the radius database.

Does the pam module support accounting packets (ie. send accounting packet to radius when user logs on?)

> The setrlimit function call can enforce CPU time restrictions, but
> that is *not* clock time.
>
> Alan DeKok.
Re: PAM Radius Authentication
daniel wrote:
> I am trying to set up unix authentication using radius.
> Does the pam module support the maximum session times.

No, because PAM has no provisions for enforcing maximum session times.

The setrlimit function call can enforce CPU time restrictions, but that is *not* clock time.

Alan DeKok.
Re: PAM Radius Authentication
Alan,

I am trying to set up unix authentication using radius. Does the pam module support the maximum session times. I am trying to set up a system where linux users authenticate against my existing radius hotspot system and they are forced to log out when their session expires.

Regards,
Daniel Davis

On Mon, 16 Apr 2007 11:15:59 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> daniel wrote:
>> Apr 15 22:03:51 bill sshd[7861]: PAM unable to
>> dlopen(/lib/security/pam_radius_auth.so)
>> Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror:
>> /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]
>
> You've built the module with stack overflow checking turned on, and
> haven't linked it (or SSH) to the necessary library.
>
> How to fix this depends on your local system.
>
>> Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module:
>> /lib/security/pam_radius_auth.so
>>
>> I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10
>>
>> The pam_radius_auth module seems to be quite old, does anyone know if it
>> still works?
>
> A new release should be out shortly.
>
> Alan DeKok.
Re: PAM Radius Authentication
Alan,

I don't know if someone could help me, I got FR working and authenticating in my AD. Here in my core switch (a Cisco 4507R) I have around 7 vlans, I was wondering if someone could explain to me how could I use FR and my switch to use a different vlan based on the user, and if it is a guest user to send to a guest vlan.

Since now my thanks

Robinson Santos
Network Administrator
Fundação Joao Paulo II
www.cancaonova.com
São Paulo, Brasil

On 4/16/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> daniel wrote:
>> Thank you, how do I build the module with stack overflow checking
>> turned off, also what library do I need to link it to?
>
> I have no idea. Stack checking is part of your local system, not part of the module.
>
> Alan DeKok.
Re: PAM Radius Authentication
daniel wrote:
> Thank you, how do I build the module with stack overflow checking
> turned off, also what library do I need to link it to?

I have no idea. Stack checking is part of your local system, not part of the module.

Alan DeKok.
Re: PAM Radius Authentication
Alan,

Thank you, how do I build the module with stack overflow checking turned off, also what library do I need to link it to?

Regards,
Daniel Davis

On Mon, 16 Apr 2007 11:15:59 +0200, Alan DeKok <[EMAIL PROTECTED]> wrote:
> daniel wrote:
>> Apr 15 22:03:51 bill sshd[7861]: PAM unable to
>> dlopen(/lib/security/pam_radius_auth.so)
>> Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror:
>> /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]
>
> You've built the module with stack overflow checking turned on, and
> haven't linked it (or SSH) to the necessary library.
>
> How to fix this depends on your local system.
>
>> Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module:
>> /lib/security/pam_radius_auth.so
>>
>> I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10
>>
>> The pam_radius_auth module seems to be quite old, does anyone know if it
>> still works?
>
> A new release should be out shortly.
>
> Alan DeKok.
Re: PAM Radius Authentication
daniel wrote:
> Apr 15 22:03:51 bill sshd[7861]: PAM unable to
> dlopen(/lib/security/pam_radius_auth.so)
> Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror:
> /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]

You've built the module with stack overflow checking turned on, and haven't linked it (or SSH) to the necessary library.

How to fix this depends on your local system.

> Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module:
> /lib/security/pam_radius_auth.so
>
> I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10
>
> The pam_radius_auth module seems to be quite old, does anyone know if it
> still works?

A new release should be out shortly.

Alan DeKok.
PAM Radius Authentication
Hi,

I have been trying to set up the pam_radius_auth pam module to authenticate my users through my freeradius server. The radius server is working fine as I can get an Access-Accept packet with radtest and also my wireless hotspot authenticates fine through it.

The problem I have is that pam seems to be having a problem loading the module. The auth.log shows the following:

  Apr 15 22:03:51 bill sshd[7861]: PAM unable to dlopen(/lib/security/pam_radius_auth.so)
  Apr 15 22:03:51 bill sshd[7861]: PAM [dlerror: /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local]
  Apr 15 22:03:51 bill sshd[7861]: PAM adding faulty module: /lib/security/pam_radius_auth.so

I am running pam_radius_auth 1.3.16 and freeradius 1.1.6 on Ubuntu 6.10

The pam_radius_auth module seems to be quite old, does anyone know if it still works?

Regards,
Daniel Davis
Re: Pam radius authentication
Isn't there anyone who tried this implementation?

>
>Hi!
>if you are referring to this line:
>"account required pam_radius_auth.so debug"
>then here is the explanation:
> "The pam configuration can be:
>...
>auth sufficient /lib/security/pam_radius_auth.so [options]
>...
>account sufficient /lib/security/pam_radius_auth.so"
> (this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)
>
>On the other hand, I don't care if I don't use this module for accounting. As
>a matter of fact, I tried in many configurations, even without using it for
>accounting.
>The main concern is to succeed in authenticating the users!!! if anyone can
>help me accomplish that, I would be happy and I will not mind about
>accounting...
>
>>
>>Hi,
>>
>>> I don't understand why you are saying that "you are invoking
>>> pam_radius_auth in the wrong place and for the wrong reason"...please, be
>>> more specific and if you know the right configuration, enlighten me!
>>>
>>> >> >#%PAM-1.0
>>> >> >auth required pam_securetty.so
>>> >> >auth sufficient pam_radius_auth.so debug
>>> >> >auth required /lib/security/pam_unix_auth.so
>>> >> >account required pam_radius_auth.so debug
>>
>>explain
>>
>>alan
Re: Pam radius authentication
Hi!

if you are referring to this line:
"account required pam_radius_auth.so debug"
then here is the explanation:

 "The pam configuration can be:
...
auth sufficient /lib/security/pam_radius_auth.so [options]
...
account sufficient /lib/security/pam_radius_auth.so"
 (this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)

On the other hand, I don't care if I don't use this module for accounting. As a matter of fact, I tried in many configurations, even without using it for accounting.
The main concern is to succeed in authenticating the users!!! if anyone can help me accomplish that, I would be happy and I will not mind about accounting...

>
>Hi,
>
>> I don't understand why you are saying that "you are invoking pam_radius_auth
>> in the wrong place and for the wrong reason"...please, be more specific and
>> if you know the right configuration, enlighten me!
>>
>> >> >#%PAM-1.0
>> >> >auth required pam_securetty.so
>> >> >auth sufficient pam_radius_auth.so debug
>> >> >auth required /lib/security/pam_unix_auth.so
>> >> >account required pam_radius_auth.so debug
>
>explain
>
>alan
Re: Pam radius authentication
Hi,

> I don't understand why you are saying that "you are invoking pam_radius_auth
> in the wrong place and for the wrong reason"...please, be more specific and
> if you know the right configuration, enlighten me!
>
> >> >#%PAM-1.0
> >> >auth required pam_securetty.so
> >> >auth sufficient pam_radius_auth.so debug
> >> >auth required /lib/security/pam_unix_auth.so
> >> >account required pam_radius_auth.so debug

explain

alan
Re: Pam radius authentication
First of all, thank you for your reply. Until now, you are the only one.
Now, let's take it step by step:

This is a part of INSTALL:

  ** Redhat Linux > 5.0 **

  make. Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so

  In the per-application configuration (/etc/pam.d/application) add:

    auth sufficient /lib/security/pam_radius_auth.so

  AFTER

    auth required /lib/security/pam_securetty.so

  and BEFORE

    auth required /lib/security/pam_unix_auth.so

  i.e.

    auth required /lib/security/pam_securetty.so
    auth sufficient /lib/security/pam_radius_auth.so
    auth required /lib/security/pam_unix_auth.so

My linux is RedHat 9, so this part pertains to my machine: "Redhat Linux > 5.0"

"make. Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so"
- already did...

"In the per-application configuration (/etc/pam.d/application) add:"
- I want to use pam radius to authenticate ssh logins, so "(/etc/pam.d/application)" becomes "/etc/pam.d/sshd"

"auth required pam_securetty.so
auth sufficient pam_radius_auth.so debug
auth required /lib/security/pam_unix_auth.so"
- this part from INSTALL is identical to my /etc/pam.d/sshd... all of these modules deal with authentication ("auth"). pam_securetty verifies if root can login through tty by reading /etc/securetty. "required" means that this step is mandatory and that after this verification, the next authentication method will take place. this is where pam_radius_auth comes. the messages are exchanged as explained in my previous e-mail. "sufficient" means that if this authentication succeeds, the following authentication methods will not be checked... in other terms: "auth required /lib/security/pam_unix_auth.so" will be passed.

I don't understand why you are saying that "you are invoking pam_radius_auth in the wrong place and for the wrong reason"...please, be more specific and if you know the right configuration, enlighten me!

Again, any help would be appreciated!

>
>Hi,
>
>> anyone??? pls!!! no suggestions at all ? :(
>
>I'd read the INSTALL doc that comes as part of the pam_radius
>tool.
>
>> > - cat /etc/pam.d/sshd
>> >#%PAM-1.0
>> >auth required pam_securetty.so
>> >auth sufficient pam_radius_auth.so debug
>> >auth required /lib/security/pam_unix_auth.so
>> >account required pam_radius_auth.so debug
>> >password required pam_stack.so service=system-auth
>> >session required pam_stack.so service=system-auth
>> >session required pam_limits.so
>> >session optional pam_console.so
>
>no. you're invoking pam_radius_auth in the wrong place and for the wrong reason.
>again the INSTALL is your friend.
>
>
>your radius configuration appears to be correct
>
>alan
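
The `required` and `sufficient` flags discussed in the message above, as an added example that is not part of the original thread or of pam_radius_auth: a small Python model of how Linux-PAM walks a stack for the four simple control flags, run on the sshd stack quoted in the thread. The module outcomes passed in are constructed inputs, and bracketed `[value=action]` controls, `include` lines and the `other` fallback are not modelled.

```python
import os

SIMPLE_CONTROLS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: the auth and account lines of the /etc/pam.d/sshd
# file quoted in this thread.
SSHD_STACK = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       sufficient   pam_radius_auth.so debug
auth       required     /lib/security/pam_unix_auth.so
account    required     pam_radius_auth.so debug
"""


def parse_service(text):
    """Parse a pam.d service file into {type: [(control, module, args)]}."""
    stacks = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # Also rejects a line whose type and control columns ran together.
        if len(fields) < 3 or fields[1] not in SIMPLE_CONTROLS:
            raise ValueError(f"line {lineno}: unsupported entry {raw!r}")
        module = os.path.basename(fields[2])
        stacks.setdefault(fields[0], []).append((fields[1], module, fields[3:]))
    return stacks


def evaluate(entries, outcome):
    """Walk one stack and return (granted, modules_called).

    outcome maps module name -> True (PAM_SUCCESS) or False (any failure);
    a module with no stated outcome counts as failed.
    """
    impression = None  # None: undecided, True: positive, False: negative
    called = []
    for control, module, _args in entries:
        called.append(module)
        if outcome.get(module, False):
            if impression is None:
                impression = True
            # sufficient ends the stack only if nothing before it has failed
            if control == "sufficient" and impression:
                break
        elif control in ("required", "requisite"):
            impression = False
            if control == "requisite":
                break  # requisite fails the stack immediately
        # a failing sufficient or optional module is ignored
    return impression is True, called


def evaluate_service(text, outcomes, phases=("auth", "account")):
    """Evaluate each management group on its own stack.

    A result from the auth stack does not carry over to account.
    """
    stacks = parse_service(text)
    return {p: evaluate(stacks.get(p, []), outcomes.get(p, {})) for p in phases}


if __name__ == "__main__":
    # Hypothetical outcomes, chosen only to exercise the control flags.
    base = {"pam_securetty.so": True, "pam_radius_auth.so": True,
            "pam_unix_auth.so": False}
    scenarios = {
        "RADIUS accepts": base,
        "RADIUS rejects, local password ok":
            {**base, "pam_radius_auth.so": False, "pam_unix_auth.so": True},
        "securetty fails, RADIUS accepts": {**base, "pam_securetty.so": False},
    }
    for name, auth in scenarios.items():
        result = evaluate_service(
            SSHD_STACK, {"auth": auth, "account": {"pam_radius_auth.so": True}})
        print(f"{name}: {result}")
```
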
Re: Pam radius authentication
Hi,

> anyone??? pls!!! no suggestions at all ? :(

I'd read the INSTALL doc that comes as part of the pam_radius tool.

> > - cat /etc/pam.d/sshd
> >#%PAM-1.0
> >auth required pam_securetty.so
> >auth sufficient pam_radius_auth.so debug
> >auth required /lib/security/pam_unix_auth.so
> >account required pam_radius_auth.so debug
> >password required pam_stack.so service=system-auth
> >session required pam_stack.so service=system-auth
> >session required pam_limits.so
> >session optional pam_console.so

no. you're invoking pam_radius_auth in the wrong place and for the wrong reason. again the INSTALL is your friend.

your radius configuration appears to be correct

alan
Re: Pam radius authentication
anyone??? pls!!! no suggestions at all ? :(

On 12 Oct 2006, at 12:46, [EMAIL PROTECTED] wrote:
>
>Hello!
>
>I try to authenticate ssh users logins using pam_radius_auth.so.
>On my RedHat 9 I have the following setup:
>- freeradius server
> - users file:
>test    Auth-Type := Local, User-Password == "test"
>
> - clients.conf
>client 127.0.0.1 {
> secret = secret
> shortname = localhost
>}
>
>-pam radius module
> - cat /etc/pam.d/sshd
>#%PAM-1.0
>auth required pam_securetty.so
>auth sufficient pam_radius_auth.so debug
>auth required /lib/security/pam_unix_auth.so
>account required pam_radius_auth.so debug
>password required pam_stack.so service=system-auth
>session required pam_stack.so service=system-auth
>session required pam_limits.so
>session optional pam_console.so
>-cat /etc/raddb/server
> 127.0.0.1 secret 1
>
>
>- pam_radius_auth.so is copied in /lib/security
>-I created linux user test with home directory /home/test , without setting up
>a password
>- freeradius started with radiusd -X
>
>Problem is that, when I try to connect to this machine using ssh, the radius
>server receives the request, processes it, sends access-accept, but the ssh
>session is ended, without the user being really logged in !!! I don't know the
>reason why the user gets rejected...
>
>tail -f /var/log/secure
>Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
>Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2
>Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
>Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2
>Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
>Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1
>Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
>Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2
>Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
>Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2
>
>from radiusd -X :
>rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
>User-Name = "test"
>User-Password = "test"
>NAS-IP-Address = 127.0.0.1
>NAS-Identifier = "sshd"
>NAS-Port = 26590
>NAS-Port-Type = Virtual
>Service-Type = Authenticate-Only
>Calling-Station-Id = "512wyse83.cosmote.rom"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
>rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 0
>users: Matched entry test at line 80
> modcall[authorize]: module "files" returns ok for request 0
>modcall: leaving group authorize (returns ok) for request 0
> rad_check_password: Found Auth-Type Local
>auth: type Local
>auth: user supplied User-Password matches local User-Password
>Sending Access-Accept of id 253 to 127.0.0.1 port 27615
>Finished request 0
>
>thank you!
Pam radius authentication
Hello!

I try to authenticate ssh users logins using pam_radius_auth.so.
On my RedHat 9 I have the following setup:

- freeradius server
  - users file:
    test    Auth-Type := Local, User-Password == "test"

  - clients.conf
    client 127.0.0.1 {
        secret = secret
        shortname = localhost
    }

- pam radius module
  - cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_securetty.so
    auth       sufficient   pam_radius_auth.so debug
    auth       required     /lib/security/pam_unix_auth.so
    account    required     pam_radius_auth.so debug
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_limits.so
    session    optional     pam_console.so
  - cat /etc/raddb/server
    127.0.0.1 secret 1

- pam_radius_auth.so is copied in /lib/security
- I created linux user test with home directory /home/test , without setting up a password
- freeradius started with radiusd -X

Problem is that, when I try to connect to this machine using ssh, the radius server receives the request, processes it, sends access-accept, but the ssh session is ended, without the user being really logged in !!! I don't know the reason why the user gets rejected...

tail -f /var/log/secure
  Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
  Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2
  Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
  Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2
  Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
  Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1
  Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
  Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2
  Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
  Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2

from radiusd -X :
  rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
          User-Name = "test"
          User-Password = "test"
          NAS-IP-Address = 127.0.0.1
          NAS-Identifier = "sshd"
          NAS-Port = 26590
          NAS-Port-Type = Virtual
          Service-Type = Authenticate-Only
          Calling-Station-Id = "512wyse83.cosmote.rom"
    Processing the authorize section of radiusd.conf
  modcall: entering group authorize for request 0
    modcall[authorize]: module "preprocess" returns ok for request 0
    modcall[authorize]: module "chap" returns noop for request 0
    modcall[authorize]: module "mschap" returns noop for request 0
  rlm_realm: No '@' in User-Name = "test", looking up realm NULL
  rlm_realm: No such realm "NULL"
    modcall[authorize]: module "suffix" returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module "eap" returns noop for request 0
  users: Matched entry test at line 80
    modcall[authorize]: module "files" returns ok for request 0
  modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type Local
  auth: type Local
  auth: user supplied User-Password matches local User-Password
  Sending Access-Accept of id 253 to 127.0.0.1 port 27615
  Finished request 0

thank you!
PAM radius authentication module for redhat8/9/fedora
Hello. I'm zadad.

I read about freeRADIUS. I've installed it and tried to configure the server and the client. Is it true from what I understand that we can use a linux based PC as the radius client (for a sample network that I would like to try) when enabling the PAM module for radius authentication in the linux? Is there any latest version of the PAM module for redhat or fedora? Can anyone show me how or where I can find the way to configure the server and the client step by step (sorry, coz I'm confused when reading the manual) if there's any.

Thank you for your help.