Alan,
I have setup freeradius on another server (actually it was still setup from
our previous testing).
(Firewalling will prevent anyone from actually trying to SSH/Telnet to this
box, or sending radius requests so dont bother)
The box is debian 2.2 (potato) with several packages pulled from woody
(radiusd-freeradius, ssh, samba) and running md5 shadow passwords.
The entry for the test account in /etc/passwd:
************************
radtest:x:1003:1003:,,,:/home/radtest:/bin/bash
************************
And /etc/shadow
************************
radtest:$1$9UsnjPML$UCZ8veUC69VSXT4hp26Hz1:11737:0:99999:7:::
************************
Here is the shadow section of the config file
************************
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
***************************
This is the output of the radtest program, as you can see, I changed the
password midway to ensure that is really is "radpass"
**********************
sat:/home/andrewt# radtest radtest radpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 93 to 127.0.0.1:1812
User-Name = "radtest"
Password = "5\326MNw\351>\331lW+\243J\251\200\271"
NAS-IP-Address = sat
NAS-Port-Id = "1"
Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=93, length=20
sat:/home/andrewt# passwd radtest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
sat:/home/andrewt# radtest radtest radpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 98 to 127.0.0.1:1812
User-Name = "radtest"
Password = "\025\245\306D\220&f\016\245\247\213\366\002\352GA"
NAS-IP-Address = sat
NAS-Port-Id = "1"
Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=98, length=20
sat:/home/andrewt#
**********************
And here is radiusd -X, running as root.
*****************
sat:/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: //etc/raddb/clients.conf
Config: including file: //etc/raddb/snmp.conf
Config: including file: //etc/raddb/sql.conf
main: prefix = "/"
main: localstatedir = "//var"
main: logdir = "/var/log/radiusd-freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radiusd-freeradius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "//var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "/etc/shadow"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/radiusd-freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "//etc/raddb/huntgroups"
preprocess: hints = "//etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "//etc/raddb/users"
files: acctusersfile = "//etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile =
"/var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radiusd-freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = ""
main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=93, length=62
User-Name = "radtest"
Password = "5\326MNw\351>\331lW+\243J\251\200\271"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [radtest]: invalid password
modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 93 to 127.0.0.1:1026
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 93 with timestamp 3c72e08c
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=98, length=62
User-Name = "radtest"
Password = "\025\245\306D\220&f\016\245\247\213\366\002\352GA"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [radtest]: invalid password
modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 98 to 127.0.0.1:1026
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 98 with timestamp 3c72e0a8
Nothing to do. Sleeping until we see a request.
***********************
Now, we change the config file as such:
***********************
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
passwd = /etc/passwd
#shadow = /etc/shadow
group = /etc/group
***********************
And here is radiusd -X
************************
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: //etc/raddb/clients.conf
Config: including file: //etc/raddb/snmp.conf
Config: including file: //etc/raddb/sql.conf
main: prefix = "/"
main: localstatedir = "//var"
main: logdir = "/var/log/radiusd-freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radiusd-freeradius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "//var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "(null)"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/radiusd-freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
preprocess: huntgroups = "//etc/raddb/huntgroups"
preprocess: hints = "//etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "//etc/raddb/users"
files: acctusersfile = "//etc/raddb/acct_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
detail: detailfile =
"/var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail"
detail: detailperm = 384
detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radiusd-freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = ""
main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on
1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=137, length=62
User-Name = "radtest"
Password = "\002\211V\320H\373\227\223\223\302mr\232\217\016\340"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 137 to 127.0.0.1:1026
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 137 with timestamp 3c72e21c
Nothing to do. Sleeping until we see a request.
***********************
And the output of radtest
***********************
sat:/home/andrewt# radtest radtest radpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 137 to 127.0.0.1:1812
User-Name = "radtest"
Password = "\002\211V\320H\373\227\223\223\302mr\232\217\016\340"
NAS-IP-Address = sat
NAS-Port-Id = "1"
Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=137, length=50
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
sat:/home/andrewt#
***********************
Now, lets try it with the wrong password
***********************
sat:/home/andrewt# radtest radtest NOTradpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 166 to 127.0.0.1:1812
User-Name = "radtest"
Password = "\315Zl\270i\006l\207:\300\227\310\270C\355\342"
NAS-IP-Address = sat
NAS-Port-Id = "1"
Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=166, length=20
sat:/home/andrewt#
***************************
And the output from radiusd -X
***************************
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=166, length=62
User-Name = "radtest"
Password = "\315Zl\270i\006l\207:\300\227\310\270C\355\342"
NAS-IP-Address = 255.255.255.255
NAS-Port-Id = "1"
Framed-Protocol = PPP
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "suffix" returns ok
users: Matched DEFAULT at 144
users: Matched DEFAULT at 163
users: Matched DEFAULT at 175
modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [radtest]: invalid password
modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 166 to 127.0.0.1:1026
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 166 with timestamp 3c72e309
Nothing to do. Sleeping until we see a request.
******************************
----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 20, 2002 2:51 AM
Subject: Re: Configuring to use shadow passwords
> "Andrew Tait" <[EMAIL PROTECTED]> wrote:
> > The fix was to comment out the shadow = /etc/shadow.
> >
> > No matter what I did I couldn't get it to work, until I decided to go
back
> > to the default debian config, and try it again. Use the default config
it
> > worked. After uncommenting the shadow line again, it didn't work.
>
> Have you read the debug messages to see *why*? The messages will
> usually be helpful.
>
> Were you running the server under the correct uid to read
> /etc/shadow? Read the comments in the configuration file around the
> 'shadow' item.
>
>
> If there's a bug in the server, then we need to know what it is, and
> to fix it. If there's something unclear in the documentation, we need
> to fix that, too.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
