Phil,
Thanks for the response. I checked radiusd.conf, which I never modified
after I installed freeradius, and the /etc/passwd et al. entries were
commented out. I uncommented them, restarted radiusd, but still no go.
Regarding the DEFAULT entry on line 152, I looked at the users file (which I
also never modified after installing freeradius); this entry is:
DEFAULT Auth-Type = System
        Fall-Through = 1
which I understand to mean that authentication is done against /etc/passwd
etc.
BTW, someone suggested restarting radiusd and even the system. I have done
this numerous times, so that is not a solution.
I ran radtest even against my account, but I still get Access-Reject. I
know for a fact, and have verified, that the passwords for accounts I have
tested against are valid.
Some other notes regarding the installation of freeradius that may lead to a
clue:
1. Fedora installed openssl-0.9.7a-23. I installed openssl-0.9.6l (by
compiling and building, not via rpm) into a separate area,
/usr/local/openssl, using the command:
./config --prefix=/usr/local/openssl shared
I used this version of openssl because config complained about not being
able to find 0.9.6 libs
2. The startup script /etc/rc.d/init.d/radiusd sets up the environment as
shown below, so it uses the openssl 0.9.6l libs:
---------------------------------------------------------------------
prefix=/usr/local/freeradius
exec_prefix=${prefix}
sbindir=${exec_prefix}/sbin
localstatedir=${prefix}/var
logdir=/var/log/radius
rundir=${localstatedir}/run/radiusd
sysconfdir=${prefix}/etc
RADIUSD=$sbindir/radiusd
RADDBDIR=${sysconfdir}/raddb
DESC="FreeRADIUS"
LD_LIBRARY_PATH=/usr/local/openssl/lib
LD_RUN_PATH=/usr/local/openssl/lib:
LD_PRELOAD=/usr/local/openssl/lib/libcrypto.so
export LD_LIBRARY_PATH LD_RUN_PATH LD_PRELOAD
#
# See 'man radiusd' for details on command-line options.
#
ARGS=""
test -f $RADIUSD || exit 0
test -f $RADDBDIR/radiusd.conf || exit 0
case "$1" in
start)
echo -n "Starting $RADIUSD $ARGS:"
$RADIUSD $ARGS
echo "radiusd"
;;
-------------------------------------------------------------------------
3. Links to openssl libraries:
# ls -l /lib/libcrypto*
lrwxrwxrwx 1 root root 14 Jan 6 16:59 /lib/libcrypto.so.0.9.6 -> libcrypto.so.4
-rwxr-xr-x 1 root root 994000 Sep 30 18:00 /lib/libcrypto.so.0.9.7a
lrwxrwxrwx 1 root root 19 Jan 6 16:59 /lib/libcrypto.so.4 -> libcrypto.so.0.9.7a
# ls -l /lib/libssl*
lrwxrwxrwx 1 root root 11 Jan 6 16:59 /lib/libssl.so.0.9.6 -> libssl.so.4
-rwxr-xr-x 1 root root 217512 Sep 30 18:00 /lib/libssl.so.0.9.7a
lrwxrwxrwx 1 root root 16 Jan 6 16:59 /lib/libssl.so.4 -> libssl.so.0.9.7a
# ls -l /usr/lib/libcrypto*
-rw-r--r-- 1 root root 1893910 Sep 30 18:00 /usr/lib/libcrypto.a
-rw-r--r-- 1 root root 1893910 Sep 30 18:00 /usr/lib/libcrypto.a.orig
lrwxrwxrwx 1 root root 29 Jan 6 16:54 /usr/lib/libcrypto.so -> ../../lib/libcrypto.so.0.9.7a
lrwxrwxrwx 1 root root 31 Jan 5 22:24 /usr/lib/libcrypto.so.0.9.6 -> ../local/lib/libcrypto.so.0.9.6
lrwxrwxrwx 1 root root 31 Jan 5 22:23 /usr/lib/libcrypto.so.0.9.6.1 -> ../local/lib/libcrypto.so.0.9.6
lrwxrwxrwx 1 root root 19 Jan 6 17:28 /usr/lib/libcrypto.so.4 -> /lib/libcrypto.so.4
# ls -l /usr/lib/libssl*
-rwxr-xr-x 1 root root 123928 Oct 30 17:07 /usr/lib/libssl3.so
-rw-r--r-- 1 root root 329464 Sep 30 18:00 /usr/lib/libssl.a
-rw-r--r-- 1 root root 329464 Sep 30 18:00 /usr/lib/libssl.a.orig
lrwxrwxrwx 1 root root 26 Jan 6 16:54 /usr/lib/libssl.so -> ../../lib/libssl.so.0.9.7a
lrwxrwxrwx 1 root root 28 Jan 5 22:26 /usr/lib/libssl.so.0.9.6 -> ../local/lib/libssl.so.0.9.6
lrwxrwxrwx 1 root root 15 Jan 5 22:26 /usr/lib/libssl.so.0.9.6.1 -> libssl.so.0.9.6
lrwxrwxrwx 1 root root 15 Jan 5 17:44 /usr/lib/libssl.so.4 -> libssl.so.0.9.6
4. I built freeradius 0.9.3 as follows:
Modified ./src/modules/rlm_eap/types/rlm_eap_tls/Makefile
./src/modules/rlm_ldap/Makefile
./src/modules/rlm_x99_token/Makefile
./src/modules/rlm_krb5/Makefile
and added the following to the end of RLM_CFLAGS
-L/usr/local/openssl/lib -I/usr/local/openssl/include
Then ran:
LDFLAGS="-L/usr/local/openssl/lib" CPPFLAGS="-I/usr/local/openssl/include" \
./configure --with-experimental-modules --with-logdir=/var/log/radius \
--prefix=/usr/local/freeradius --sysconfdir=/etc
Again, I have gone through process traces (strace), debug output, and even
info from the O'Reilly RADIUS book to figure out what the heck is going on.
I'm trying to get a working RADIUS server going for a corporate security
project, which will eventually involve EAP/TLS, TTLS, PEAP.
Any other hints and advice that will help me resolve the problem are greatly
appreciated.
---john
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Phillip Ames
> Sent: Thursday, January 08, 2004 6:33 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Unable to do simple UNIX authentication
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of John Sasso Jr
> > Sent: Friday, January 09, 2004 6:21 AM
> > To: [EMAIL PROTECTED]
> > Subject: Unable to do simple UNIX authentication
>
> [snip]
> > modcall[authorize]: module "suffix" returns noop for request 0
> > users: Matched DEFAULT at 152
> > modcall[authorize]: module "files" returns ok for request 0
> > modcall[authorize]: module "mschap" returns noop for request 0
> > modcall: group authorize returns ok for request 0
> > rad_check_password: Found Auth-Type System
> > auth: type "System"
> > modcall: entering group authenticate for request 0
> > rlm_unix: [test]: invalid password
> > modcall[authenticate]: module "unix" returns reject for request 0
> > modcall: group authenticate returns reject for request 0
> > auth: Failed to validate the user.
>
>
> Seems like the "unix" module is killing you. As Alan DeKok was kind enough
> to explain to me, in the users file, if "Auth-Type" is set to Local then it
> will authenticate against things in the users file (and from the logs it
> looks like your "files" module is allowing access). Is it perhaps set to
> "System" authentication? That might be trying to authenticate the user
> "test" against "t1e2s3t4" in your /etc/passwd. The other thing I saw of
> interest was that a "DEFAULT" was matched at line 152. I'd look into what
> that DEFAULT says to do.
>
> -Phil
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
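Added example (not part of the original messages, and not FreeRADIUS or OpenSSL code): the symlink entries from item 3 of the message above, fed to a small resolver that reports which file each OpenSSL library name ends at. The function names and the reduced "name -> target" input format are assumptions made for this example; it reads only the listing, not a live system.

```python
import posixpath
import re

# Constructed input: the symlink entries from the "ls -l" listing in item 3,
# reduced to "name -> target", one entry per line.
LISTING = """\
/lib/libcrypto.so.0.9.6 -> libcrypto.so.4
/lib/libcrypto.so.4 -> libcrypto.so.0.9.7a
/lib/libssl.so.0.9.6 -> libssl.so.4
/lib/libssl.so.4 -> libssl.so.0.9.7a
/usr/lib/libcrypto.so -> ../../lib/libcrypto.so.0.9.7a
/usr/lib/libcrypto.so.0.9.6 -> ../local/lib/libcrypto.so.0.9.6
/usr/lib/libcrypto.so.0.9.6.1 -> ../local/lib/libcrypto.so.0.9.6
/usr/lib/libcrypto.so.4 -> /lib/libcrypto.so.4
/usr/lib/libssl.so -> ../../lib/libssl.so.0.9.7a
/usr/lib/libssl.so.0.9.6 -> ../local/lib/libssl.so.0.9.6
/usr/lib/libssl.so.0.9.6.1 -> libssl.so.0.9.6
/usr/lib/libssl.so.4 -> libssl.so.0.9.6
"""
VERSION = re.compile(r"\.so\.(\d+\.\d+\.\d+[a-z]?)")

def parse(listing):
    """Map each symlink path to its raw target."""
    return dict(l.split(" -> ") for l in listing.splitlines() if " -> " in l)

def resolve(path, links, limit=16):
    """Follow the chain until reaching a path that is not a listed symlink."""
    for _ in range(limit):
        if path not in links:
            return path
        path = posixpath.normpath(
            posixpath.join(posixpath.dirname(path), links[path]))
    raise ValueError("symlink loop at " + path)

def version(path):
    """OpenSSL version embedded in a library file name, or None."""
    match = VERSION.search(posixpath.basename(path))
    return match.group(1) if match else None

def audit(links):
    """Return (names whose version differs from the file they end at,
    names that end at different versions depending on the directory)."""
    mislabeled, by_name = {}, {}
    for name in links:
        final = resolve(name, links)
        if version(name) and version(final) and version(name) != version(final):
            mislabeled[name] = final
        by_name.setdefault(posixpath.basename(name), set()).add(version(final))
    return mislabeled, {n: v for n, v in by_name.items() if len(v) > 1}
```

On a live host the same question is answered per binary by `ldd` on radiusd and on each rlm_*.so module, run with the environment the init script exports.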