Here I run radiator w/ AuthBY unix and system, showing mixed 
results, if authby system worked w/ shadow on linux, I'd be
all set, or if authby unix had a separate directive for passwordfilename,
shadowfilename, and groupfilename it'd work also :)


[root@jason raddb]# tail -n 2 /etc/passwd /etc/shadow /etc/group
==> /etc/passwd <==
bob:x:516:516::/home/bob:/bin/bash
bob2:8OdzREbpXQKaY:516:10000::/home/bob:/bin/bash

==> /etc/shadow <==
bob2:8OdzREbpXQKaY:10900:0:99999:7:-1:-1:134537292
bob:8OdzREbpXQKaY:10900:0:99999:7:-1:-1:134537292

==> /etc/group <==
ppp:x:10000:bob,jason,root
shutoff:x:11000:jason

(bob2 has primary group of 10k, bob has secondary group of 10k used toward the end)

Radiator Config: (part that matters)

<Realm ip.nu>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy SYSTEM>
        # This is supposed to work :)
        </AuthBy>
</Realm>


Radiator Output:

        User-Password = "<169>c<171><209>t<163>U<21><4><206><230>O<176><<201>l"

Fri Nov  5 14:55:33 1999: DEBUG: Handling request with Handler 'Realm=ip.nu'
Fri Nov  5 14:55:33 1999: DEBUG: Rewrote user name to bob
Fri Nov  5 14:55:33 1999: DEBUG: Deleting session for bob, 203.63.154.1, 1234
Fri Nov  5 14:55:33 1999: DEBUG: Handling with Radius::AuthSYSTEM
Fri Nov  5 14:55:33 1999: DEBUG: getpwnam got bob, x, 516, 516, , , , /home/bob, 
/bin/bash
Fri Nov  5 14:55:33 1999: DEBUG: Radius::AuthSYSTEM looks for match with bob
Fri Nov  5 14:55:33 1999: DEBUG: Radius::AuthSYSTEM REJECT: Bad Encrypted-Password
Fri Nov  5 14:55:33 1999: INFO: Access rejected for bob: Bad Encrypted-Password
Fri Nov  5 14:55:33 1999: DEBUG: Packe  Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        User-Password = "<169>c<171><209>t<163>U<21><4><206><230>O<176><<201>l"

Fri Nov  5 14:55:38 1999: DEBUG: Handling request with Handler 'Realm=ip.nu'
Fri Nov  5 14:55:38 1999: DEBUG: Rewrote user name to bob2
Fri Nov  5 14:55:38 1999: DEBUG: Deleting session for bob2, 203.63.154.1, 1234
Fri Nov  5 14:55:38 1999: DEBUG: Handling with Radius::AuthSYSTEM
Fri Nov  5 14:55:38 1999: DEBUG: getpwnam got bob2, 8OdzREbpXQKaY, 516, 516, , , , 
/home/bob, /bin/bash
Fri Nov  5 14:55:38 1999: DEBUG: Radius::AuthSYSTEM looks for match with bob2
Fri Nov  5 1Authentic:  1234567890123456
Attributes:
        User-Name = "bob2"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        User-Password = "<169>c<171><209>t<163>U<21><4><206><230>O<176><<201>l"

Fri Nov  5 15:57:15 1999: DEBUG: Handling request with Handler 'Realm=ip.nu'
Fri Nov  5 15:57:15 1999: DEBUG: Rewrote user name to bob2
Fri Nov  5 15:57:15 1999: DEBUG: Deleting session for bob2, 203.63.154.1, 1234
Fri Nov  5 15:57:15 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Nov  5 15:57:15 1999: DEBUG: Radius::AuthUNIX looks for match with bob2
Fri Nov  5 15:57:Authentic:  1234567890123456
Attributes:
        User-Name = "bob"
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        User-Password = "<169>c<171><209>t<163>U<21><4><206><230>O<176><<201>l"

Fri Nov  5 15:58:15 1999: DEBUG: Handling request with Handler 'Realm=ip.nu'
Fri Nov  5 15:58:15 1999: DEBUG: Rewrote user name to bob
Fri Nov  5 15:58:15 1999: DEBUG: Deleting session for bob, 203.63.154.1, 1234
Fri Nov  5 15:58:15 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Nov  5 15:58:15 1999: DEBUG: Radius::AuthUNIX looks for match with bob
Fri Nov  5 15:58:15 1999: DEBUG: Radius::AuthUNIX ACCEPT:
Fri Nov  5 15:58:15 1999: DEBUG: Access accepted for bob
Fri Nov  5 15:58:15 1999: DEBUG: Packet dump:
*** Sending to 192.168.1.1 port 1051 ....
Code:       Access-Accept
Identifier: 134
Authentic:  1234567890123456
Attributes:



Here both bob and bob2 are authenticated, however when using a more complex
radiator.cfg which uses the users file to check the user's group, we can only
use authby unix, not system (first output).
AuthBy UNIX checks the user's secondary group just fine, just not the primary..




Fri Nov  5 16:16:04 1999: DEBUG: Handling with Radius::AuthFILE
Fri Nov  5 16:16:04 1999: DEBUG: Radius::AuthFILE looks for match with bob2
Fri Nov  5 16:16:04 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Nov  5 16:16:04 1999: WARNING: This AuthBy does not know how to check Group 
membership
Fri Nov  5 16:16:04 1999: DEBUG: Radius::AuthFILE REJECT: User bob2 is not in Group 
shutoff
Fri Nov  5 16:16:04 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Fri Nov  5 16:16:04 1999: DEBUG: Handling with Radius::AuthSYSTEM
Fri Nov  5 16:16:04 1999: DEBUG: getpwnam got bob2, 8OdzREbpXQKaY, 516, 10000, , , , 
/home/bob, /bin/bash
Fri Nov  5 16:16:04 1999: DEBUG: Radius::AuthSYSTEM looks for match with bob2
Fri Nov  5 16:16:04 1999: DEBUG: Radius::AuthSYSTEM ACCEPT: 
Fri Nov  5 16:16:04 1999: DEBUG: Radius::AuthFILE ACCEPT: 
Fri Nov  5 16:16:04 1999: DEBUG: Access accepted for bob2
Fri Nov  5 16:16:04 1999: DEBUG: Packet dump:
*** Sending to 192.168.1.1 port 1051 ....
  .
 / \
  |
  |
AuthBy SYSTEM checks primary & secondary groups, however it doesn't work w/ shadow on 
linux


Fri Nov  5 16:18:00 1999: DEBUG: Handling with Radius::AuthSYSTEM
Fri Nov  5 16:18:00 1999: DEBUG: getpwnam got bob, x, 516, 516, , , , /home/bob, 
/bin/bash
Fri Nov  5 16:18:00 1999: DEBUG: Radius::AuthSYSTEM looks for match with bob
Fri Nov  5 16:18:00 1999: DEBUG: Radius::AuthSYSTEM REJECT: Bad Encrypted-Password
Fri Nov  5 16:18:00 1999: DEBUG: Radius::AuthFILE REJECT: Bad Encrypted-Password
Fri Nov  5 16:18:00 1999: INFO: Access rejected for bob: Bad Encrypted-Password

  .
 / \
  |
  |
This is with a user who has their password only in /etc/shadow


<Realm DEFAULT>
        <AuthBy FILE>
                Filename ./users
        </AuthBy>
        # Log accounting to the detail file in LogDir
        AcctLogFileName ./detail
</Realm>

# This clause defines an authorisation method that will be used
# by any users in the database with Auth-Type="System". It will
# match the "Identifier System"
<AuthBy SYSTEM>
        Identifier System
</AuthBy>

Is what I'm using above.

users:


DEFAULT Group = "shutoff", Auth-Type = Reject

DEFAULT Auth-Type = System, Group = "ppp"
        Service-Type = Framed-User,
        FraFri Nov  5 16:23:30 1999: DEBUG: Radius::AuthFILE looks for match with bob2
Fri Nov  5 16:23:30 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Nov  5 16:23:30 1999: WARNING: This AuthBy does not know how to check Group 
membership
Fri Nov  5 16:23:30 1999: DEBUG: Radius::AuthFILE REJECT: User bob2 is not in Group 
shutoff
Fri Nov  5 16:23:30 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Fri Nov  5 16:23:30 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Nov  5 16:23:30 1999: DEBUG: Radius::AuthUNIX looks for match with bob2
Fri Nov  5 16:23:30 1999: DEBUG: Radius::AuthUNIX REJECT: User bob2 is not in Group ppp
Fruid=516(bob) gid=516(bob) groups=10000(ppp)

Fri Nov  5 16:25:26 1999: DEBUG: Handling with Radius::AuthFILE
Fri Nov  5 16:25:26 1999: DEBUG: Reading users file ./users
Fri Nov  5 16:25:26 1999: DEBUG: Radius::AuthFILE looks for match with bob
Fri Nov  5 16:25:26 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Nov  5 16:25:26 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Nov  5 16:25:26 1999: DEBUG: Radius::AuthUNIX looks for match with bob
Fri Nov  5 16:25:26 1999: DEBUG: Radius::AuthUNIX ACCEPT:
Fri Nov  5 16:25:26 1999: DEBUG: Radius::AuthFILE ACCEPT:
Fri Nov  5 16:25:26 1999: DEBUG: Access accepted for bob
Fri Nov  5 16Fri Nov  5 16:26:55 1999: DEBUG: Radius::AuthFILE looks for match with bob
Fri Nov  5 16:26:55 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri Nov  5 16:26:55 1999: DEBUG: Handling with Radius::AuthUNIX
Fri Nov  5 16:26:55 1999: DEBUG: Radius::AuthUNIX looks for match with bob
Fri Nov  5 16:26:55 1999: DEBUG: Radius::AuthUNIX REJECT: User bob is not in Group ppp
Fri Nov  5 16:26:55 1999: DEBUG: Radius::AuthFILE REJECT: User bob is not in Group ppp
Fri Nov  5 16:26:55 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT1
Fri Nov  5 16:26:55 1999: WARNING: This AuthBy does not know how to check Group 
membership
Fri Nov  5 16:26:55 1999: DEBUG: Radius::AuthFILE REJECT: User bob is not in Group 
shutoff
Fri Nov  5 16:26:55 1999: INFO: Access rejected for bob: User bob is not in Group 
shutoff
Fri Nov  5 16:26:55 1999: DEBUG: Packet dump:
*** Sending to 192.168.1.1 port 1051 ....
Code:       Access-Reject
Identifier: 69
Authentic:  1234567890123456

This really highlights what I see as an inconsistency, in the previous dump, it doesn't
say anything about checking to see if bob is in group ppp, however it complains that
he isn't..  Shouldn't it say "bob is in group ppp" before?

I hope this shows the problem I'm having :)

-- Jason
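
Added example, not part of the original post and not Radiator's code: a Python sketch of the two lookups the logs above turn on, following an `x` password field into the shadow file and counting the primary GID as group membership. The function names and the `use_shadow` / `check_primary` switches are hypothetical; the sample data is the passwd, shadow and group lines quoted in the post.

```python
# Constructed sample data: the account lines shown in the post.
PASSWD = """\
bob:x:516:516::/home/bob:/bin/bash
bob2:8OdzREbpXQKaY:516:10000::/home/bob:/bin/bash
"""
SHADOW = """\
bob2:8OdzREbpXQKaY:10900:0:99999:7:-1:-1:134537292
bob:8OdzREbpXQKaY:10900:0:99999:7:-1:-1:134537292
"""
GROUP = """\
ppp:x:10000:bob,jason,root
shutoff:x:11000:jason
"""

def parse(text):
    """Split colon-separated database lines, keyed by the first field."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows

P, S, G = parse(PASSWD), parse(SHADOW), parse(GROUP)

def stored_hash(user, passwd, shadow, use_shadow=True):
    """Return the hash a crypt() comparison should use, or None."""
    entry = passwd.get(user)
    if entry is None:
        return None
    if entry[1] == "x" and use_shadow:
        # 'x' is a placeholder: the real hash lives in the shadow file.
        sh = shadow.get(user)
        return sh[1] if sh else None
    return entry[1]

def in_group(user, group, passwd, groups, check_primary=True):
    """True if the group lists the user, or is the user's primary group."""
    u, g = passwd.get(user), groups.get(group)
    if u is None or g is None:
        return False
    listed = user in [m for m in g[3].split(",") if m]
    primary = check_primary and u[3] == g[2]
    return listed or primary
```

With `use_shadow=False` the lookup for bob yields the literal `x`, which no password can match; with `check_primary=False` bob2 is not found in ppp because only the member list is consulted.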

