Alan, I have set up freeradius on another server (actually it was still set up from our previous testing).
(Firewalling will prevent anyone from actually trying to SSH/Telnet to this box, or sending radius requests, so don't bother.) The box is debian 2.2 (potato) with several packages pulled from woody (radiusd-freeradius, ssh, samba) and running md5 shadow passwords.

The entry for the test account in /etc/passwd:
************************
radtest:x:1003:1003:,,,:/home/radtest:/bin/bash
************************
And /etc/shadow:
************************
radtest:$1$9UsnjPML$UCZ8veUC69VSXT4hp26Hz1:11737:0:99999:7:::
************************
Here is the shadow section of the config file:
************************
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
passwd = /etc/passwd
shadow = /etc/shadow
group = /etc/group
***************************
This is the output of the radtest program; as you can see, I changed the password midway to ensure that it really is "radpass":
**********************
sat:/home/andrewt# radtest radtest radpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 93 to 127.0.0.1:1812
        User-Name = "radtest"
        Password = "5\326MNw\351>\331lW+\243J\251\200\271"
        NAS-IP-Address = sat
        NAS-Port-Id = "1"
        Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=93, length=20
sat:/home/andrewt# passwd radtest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
sat:/home/andrewt# radtest radtest radpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 98 to 127.0.0.1:1812
        User-Name = "radtest"
        Password = "\025\245\306D\220&f\016\245\247\213\366\002\352GA"
        NAS-IP-Address = sat
        NAS-Port-Id = "1"
        Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=98, length=20
sat:/home/andrewt#
**********************
And here is radiusd -X, running as root.
*****************
sat:/etc/raddb# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: //etc/raddb/clients.conf
Config: including file: //etc/raddb/snmp.conf
Config: including file: //etc/raddb/sql.conf
main: prefix = "/"
main: localstatedir = "//var"
main: logdir = "/var/log/radiusd-freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radiusd-freeradius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "//var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "/etc/shadow"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/radiusd-freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "//etc/raddb/huntgroups"
 preprocess: hints = "//etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "//etc/raddb/users"
 files: acctusersfile = "//etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radiusd-freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = ""
main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=93, length=62
        User-Name = "radtest"
        Password = "5\326MNw\351>\331lW+\243J\251\200\271"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
        Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 144
    users: Matched DEFAULT at 163
    users: Matched DEFAULT at 175
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [radtest]: invalid password
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 93 to 127.0.0.1:1026
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 93 with timestamp 3c72e08c
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=98, length=62
        User-Name = "radtest"
        Password = "\025\245\306D\220&f\016\245\247\213\366\002\352GA"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
        Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 144
    users: Matched DEFAULT at 163
    users: Matched DEFAULT at 175
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [radtest]: invalid password
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 98 to 127.0.0.1:1026
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 98 with timestamp 3c72e0a8
Nothing to do. Sleeping until we see a request.
***********************
Now, we change the config file as such:
***********************
# Define the locations of the normal passwd, shadow, and
# group files.
#
# 'shadow' is commented out by default, because not all
# systems have shadow passwords.
#
passwd = /etc/passwd
#shadow = /etc/shadow
group = /etc/group
***********************
And here is radiusd -X:
************************
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: //etc/raddb/clients.conf
Config: including file: //etc/raddb/snmp.conf
Config: including file: //etc/raddb/sql.conf
main: prefix = "/"
main: localstatedir = "//var"
main: logdir = "/var/log/radiusd-freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radiusd-freeradius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading clients
read_config_files: reading realms
read_config_files: reading naslist
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_auth = no
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "//var/run/radiusd/radiusd.pid"
main: user = "root"
main: group = "root"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: proxy_requests = yes
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded System
 unix: cache = no
 unix: passwd = "/etc/passwd"
 unix: shadow = "(null)"
 unix: group = "/etc/group"
 unix: radwtmp = "/var/log/radiusd-freeradius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded preprocess
 preprocess: huntgroups = "//etc/raddb/huntgroups"
 preprocess: hints = "//etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "//etc/raddb/users"
 files: acctusersfile = "//etc/raddb/acct_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded detail
 detail: detailfile = "/var/log/radiusd-freeradius/radacct/%{Client-IP-Address}/detail"
 detail: detailperm = 384
 detail: dirperm = 493
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/var/log/radiusd-freeradius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
main: smux_password = ""
main: snmp_write_access = no
SMUX connect try 1
Can't connect to SNMP agent with SMUX: Connection refused
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=137, length=62
        User-Name = "radtest"
        Password = "\002\211V\320H\373\227\223\223\302mr\232\217\016\340"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
        Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 144
    users: Matched DEFAULT at 163
    users: Matched DEFAULT at 175
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
  modcall[authenticate]: module "unix" returns ok
modcall: group authenticate returns ok
Sending Access-Accept of id 137 to 127.0.0.1:1026
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 137 with timestamp 3c72e21c
Nothing to do. Sleeping until we see a request.
***********************
And the output of radtest:
***********************
sat:/home/andrewt# radtest radtest radpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 137 to 127.0.0.1:1812
        User-Name = "radtest"
        Password = "\002\211V\320H\373\227\223\223\302mr\232\217\016\340"
        NAS-IP-Address = sat
        NAS-Port-Id = "1"
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=137, length=50
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobson-TCP-IP
sat:/home/andrewt#
***********************
Now, let's try it with the wrong password:
***********************
sat:/home/andrewt# radtest radtest NOTradpass 127.0.0.1 1 testing123 3
Sending Access-Request of id 166 to 127.0.0.1:1812
        User-Name = "radtest"
        Password = "\315Zl\270i\006l\207:\300\227\310\270C\355\342"
        NAS-IP-Address = sat
        NAS-Port-Id = "1"
        Framed-Protocol = PPP
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=166, length=20
sat:/home/andrewt#
***************************
And the output from radiusd -X:
***************************
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=166, length=62
        User-Name = "radtest"
        Password = "\315Zl\270i\006l\207:\300\227\310\270C\355\342"
        NAS-IP-Address = 255.255.255.255
        NAS-Port-Id = "1"
        Framed-Protocol = PPP
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "suffix" returns ok
    users: Matched DEFAULT at 144
    users: Matched DEFAULT at 163
    users: Matched DEFAULT at 175
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type System
auth: type "System"
modcall: entering group authenticate
rlm_unix: [radtest]: invalid password
  modcall[authenticate]: module "unix" returns reject
modcall: group authenticate returns reject
auth: Failed to validate the user.
Sending Access-Reject of id 166 to 127.0.0.1:1026
Finished request 0
Going to the next request
SMUX connect try 2
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Waking up in 6 seconds...
SMUX connect try 3
Can't connect to SNMP agent with SMUX: Connection refused
--- Walking the entire request list ---
Cleaning up request 0 ID 166 with timestamp 3c72e309
Nothing to do. Sleeping until we see a request.
******************************

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 20, 2002 2:51 AM
Subject: Re: Configuring to use shadow passwords

> "Andrew Tait" <[EMAIL PROTECTED]> wrote:
> > The fix was to comment out the shadow = /etc/shadow.
> >
> > No matter what I did I couldn't get it to work, until I decided to go back
> > to the default debian config, and try it again. Use the default config it
> > worked. After uncommenting the shadow line again, it didn't work.
>
> Have you read the debug messages to see *why*? The messages will
> usually be helpful.
>
> Were you running the server under the correct uid to read
> /etc/shadow? Read the comments in the configuration file around the
> 'shadow' item.
>
> If there's a bug in the server, then we need to know what it is, and
> to fix it. If there's something unclear in the documentation, we need
> to fix that, too.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
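The `Password = "..."` bytes that radtest and radiusd -X print in the thread above are the PAP User-Password after RFC 2865 hiding under the shared secret (testing123 in these runs), and the length-20 Access-Reject is a bare header carrying only a Response Authenticator that the client has to verify. The Python below is an added example, not code from the thread or from FreeRADIUS: it rebuilds the same Access-Request attribute set (arriving at the length=62 seen in the debug output), recovers the password with the shared secret, which is why the secret must be strong and the RADIUS path protected, and checks a reject's authenticator; the Request Authenticator and sample values are constructed.

```python
import hashlib, hmac, struct

ACCESS_REQUEST, ACCESS_REJECT = 1, 3

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return bytes(out)

def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password: whoever holds the shared secret recovers the PAP password."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def attr(kind, value):
    """One RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", kind, 2 + len(value)) + value

def build_access_request(ident, secret, user, password, request_auth):
    """Attribute set matching the radtest runs above: User-Name(1), User-Password(2),
    NAS-IP-Address(4), NAS-Port-Id(87, string "1"), Framed-Protocol(7, PPP=1)."""
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, request_auth))
             + attr(4, bytes([127, 0, 0, 1])) + attr(87, b"1") + attr(7, struct.pack("!I", 1)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def reply_is_authentic(reply, request_auth, secret):
    """The check a client makes before trusting an Access-Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:], request_auth, secret)
    return length == len(reply) >= 20 and hmac.compare_digest(reply[4:20], expected)

def demo():
    """Constructed values: the thread's secret and user name, a fixed Request Authenticator."""
    secret, ra = b"testing123", bytes(range(16))
    req = build_access_request(93, secret, b"radtest", b"radpass", ra)
    hidden = req[31:47]  # User-Password value: past 20-byte header, 9-byte User-Name, 2-byte Type/Length
    reject = struct.pack("!BBH", ACCESS_REJECT, 93, 20) + response_authenticator(ACCESS_REJECT, 93, b"", ra, secret)
    return len(req), unhide_password(hidden, secret, ra), reply_is_authentic(reject, ra, secret)
```

`demo()` returns the 62-byte request length, the recovered password and True for the authentic bare reject; unhiding with a wrong secret yields garbage rather than an error, so a server cannot tell a wrong secret from a wrong password at this layer.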