Login with ssh using pam_radius and a template_user
Hello list,

I've searched and googled quite a bit for a solution to this, but didn't find any. I can't get PAM_RADIUS working with a TEMPLATE_USER for remote logins with SSHD. If I overlooked anything, any hints will be highly appreciated.

The situation is as follows: a radius authorization backend system, server A, has user ALICE, with a password, and user BOB, with a password. Another server, server B, is using PAM_RADIUS for radius authentication on SSHD for remote logins.

While attempting to figure out how pam_radius works on server B, pam (/etc/pam.d/sshd) is configured like this:

    auth      sufficient  pam_radius.so  try_first_pass template_user=bob debug
    account   sufficient  pam_radius.so  template_user=bob debug
    password  sufficient  pam_radius.so  try_first_pass template_user=bob debug

On server B, Bob has a plain vanilla Unix account in /etc/passwd, with an existing shell and home directory. When using the pam config shown above, Bob is asked for his radius password from server A (as expected) when he tries to log in with ssh. This works perfectly OK for Bob: radius authentication is working on server B when using ssh to log in, in this case regardless of his password. So far so good.

Since Bob has special privileges on server B, his account will be the template for a small group of other users, effectively sharing the bob account (not Bob's password) with others. Template_user should provide for this; from the pam_radius man page:

    template_user=username
        Specifies a user whose passwd(5) entry will be used as a template
        to create the session environment if the supplied username does
        not exist in the local password database. The user will be
        authenticated with the supplied username and password, but his
        credentials to the system will be presented as the ones for
        username, i.e., his login class, home directory, resource limits,
        etc. will be set to ones defined for username.

        If this option is omitted, and there is no username in the system
        databases equal to the supplied one (as determined by call to
        getpwnam(3)), the authentication will fail.

As pam is configured with 'template_user=bob', it would be expected that user 'alice', an account that doesn't exist on server B in /etc/passwd, should be able to log in with ssh since Bob can log in... Oddly enough, logging in ONLY works for user 'alice' when the account exists in /etc/passwd on server B, which would still require all the accounts being present on server B, and thus defeats the purpose of a template_user. It seems that template_user has no effect, no matter which password (alice/bob) is used.

Sshd is actually complaining about pam:

    fatal: Internal error: PAM auth succeeded when it should have failed.

From what I've googled it seems that this topic returns every now and then, without any clear solution. Some do indeed point to OpenSSH (http://www.usenet-forums.com/openssh-development/336942-sshd-pam_radius-under-freebsd.html#post706102). I haven't tested this with telnetd or others.

To put it another way: I've found no document that explains why a pam_radius template_user shouldn't work with sshd. Can this be done at all? Am I overlooking anything? Should I send-pr this? Or am I totally misreading the man page?

Any help is much appreciated. Thanks!

Jacco

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: pam_radius
On Tue, 2 Aug 2005, Sean P. Malone wrote:

> I'm rolling out a new email system and would love it if I could get that system to authenticate the user off of our existing Active Directory user database. As I understand, the pam_radius module should enable me to achieve the task. However, the only instructions that I've been able to find are at:
>
> https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern
>
> While these are helpful, I'm still not able to get my BSD system to authenticate against a MS IAS, although the attempts are logged on the IAS box without error. Does anyone know of a good additional source of information?

I've had it working happily both against freeradius and against an ACE (SecurID) radius server, never tried with Windows; I may have a go tomorrow at work. The only thing I found was for ssh authentication I had to have a user of that name on the FreeBSD box; for login/telnet I could use the template_user option. I guess that's something in ssh. Other than that the man pages for pam_radius and radius.conf were enough to get it going. Like I said I'll have a look tomorrow if I get a chance.

Vince

> Thanks!
> Sean
pam_radius
I'm rolling out a new email system and would love it if I could get that system to authenticate the user off of our existing Active Directory user database. As I understand, the pam_radius module should enable me to achieve the task. However, the only instructions that I've been able to find are at:

https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern

While these are helpful, I'm still not able to get my BSD system to authenticate against a MS IAS, although the attempts are logged on the IAS box without error. Does anyone know of a good additional source of information?

Thanks!
Sean
pam_radius and ssh
Hi all,

I've been looking into using the pam_radius pam module and have been trying out the template_user feature as this would ease the administrative burden in our setup (it allows a user to be specified as a template if the radius user does not have a local account). I can get it to work fine for login and telnetd, but sshd seems to have a problem. If a local user with the same name as the radius user exists then no problem; if not then the template_user should kick in, however it doesn't. In fact if the user does not exist locally then the pam_radius module is never even invoked, or at least it never sends any query to the radius server. I'm guessing that sshd checks for a valid user even when it's using PAM authentication and halts any further progress. Is there any way to turn this off?

thanks,
Vince
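Jacco's and Vince's observations above (the template_user fallback works for login/telnetd, but for a name with no local account sshd never even invokes pam_radius) come down to where getpwnam(3) is called. The following C program is an added example, not code from the posts, from pam_radius or from OpenSSH: it models the two lookup policies side by side with plain getpwnam() calls and no PAM at all. The first function follows the man page text quoted in Jacco's mail (fall back to the template user's passwd entry when the supplied name is unknown); the second follows what both posters report sshd doing (resolve the login name locally first, so the fallback is unreachable). The names "alice" and "nobody" used by main() are assumptions (alice absent from the local passwd database, nobody present); pass other names as arguments.

```c
/*
 * Added example, not from the posts, pam_radius or OpenSSH: models the two
 * user-resolution policies discussed in the thread using only getpwnam(3).
 *
 * Build: cc -Wall -o tmpl tmpl.c
 * Run:   ./tmpl alice nobody      (names are assumptions, see lead-in)
 */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Copy of the passwd fields we care about, so callers do not depend on the
 * static buffer that getpwnam() returns. */
struct session_ident {
    char  name[64];    /* name that was authenticated (as supplied)     */
    char  as[64];      /* local account whose environment gets applied  */
    uid_t uid;
    gid_t gid;
    char  dir[256];
    char  shell[256];
};

static void copy_str(char *dst, size_t n, const char *src) {
    snprintf(dst, n, "%s", src ? src : "");
}

/*
 * Model of pam_radius's template_user semantics as quoted from the man page:
 * if `user` has no passwd(5) entry, use `template_user`'s entry for the
 * session environment; with no template, an unknown user fails.
 * Returns 1 and fills *out on success, 0 on failure.
 */
int radius_template_resolve(const char *user, const char *template_user,
                            struct session_ident *out) {
    const struct passwd *pw = getpwnam(user);
    const char *as = user;

    if (pw == NULL) {
        if (template_user == NULL)
            return 0;               /* man page: no template -> auth fails */
        pw = getpwnam(template_user);
        if (pw == NULL)
            return 0;               /* template account itself is missing */
        as = template_user;
    }
    copy_str(out->name, sizeof out->name, user);
    copy_str(out->as, sizeof out->as, as);
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    copy_str(out->dir, sizeof out->dir, pw->pw_dir);
    copy_str(out->shell, sizeof out->shell, pw->pw_shell);
    return 1;
}

/*
 * Model of the behaviour the thread reports for sshd: the login name must
 * already be a local account before any PAM result is honoured, so the
 * template fallback is never consulted.
 */
int sshd_style_resolve(const char *user, const char *template_user,
                       struct session_ident *out) {
    (void)template_user;            /* deliberately ignored by this policy */
    if (getpwnam(user) == NULL)
        return 0;                   /* unknown user: PAM outcome is discarded */
    return radius_template_resolve(user, NULL, out);
}

int main(int argc, char **argv) {
    const char *user = argc > 1 ? argv[1] : "alice";   /* assumed absent  */
    const char *tmpl = argc > 2 ? argv[2] : "nobody";  /* assumed present */
    struct session_ident id;

    printf("login/telnetd, template_user=%s: ", tmpl);
    if (radius_template_resolve(user, tmpl, &id))
        printf("%s runs as %s (uid %u, home %s, shell %s)\n",
               id.name, id.as, (unsigned)id.uid, id.dir, id.shell);
    else
        printf("%s rejected\n", user);

    printf("sshd, template_user=%s: ", tmpl);
    if (sshd_style_resolve(user, tmpl, &id))
        printf("%s runs as %s (uid %u)\n", id.name, id.as, (unsigned)id.uid);
    else
        printf("%s rejected (no local account, template never consulted)\n",
               user);
    return 0;
}
```

With a name that is not in /etc/passwd, the first policy maps it onto the template's uid, home and shell while the second rejects it before the template is looked at; that is the gap the "PAM auth succeeded when it should have failed" message in Jacco's mail describes, where PAM returned success for a user sshd had already ruled out. A check worth running on any box where template_user is in use: the session identity you get back is the template account's, so anything that audits by uid will attribute alice's session to bob.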
pam_radius and logins (2nd request for help)
Hello,

I am attempting to centralize login credentials via RADIUS, as opposed to the current [evil] NIS. Currently, a telnet to my RADIUS authenticated [PAM] host goes like this:

    su-2.05a# telnet localhost
    Trying 127.0.0.1...
    Connected to localhost.mfn.org.
    Escape character is '^]'.
    Trying SRA secure login:
    User (root): test
    Password:                 <--- RADIUS PW is accepted according to logs.
    [ SRA accepts you ]
    FreeBSD/i386 (STEELMILL) (ttyp1)
    RADIUS password:          <--- RADIUS again sends an accept, but...
    Login incorrect
    login:

It looks to me like telnetd is getting it right, but the login process is missing it. I have tried many variations of the default pam.conf with no changes. I have noticed that if I place a passwd entry for test, using * for the password, auth works. This led me to try using template_user=nobody, without success. Does anybody have RADIUS auth working for direct logins? (The NAS are fine, it's just telnet/login/ssh on the BSD boxen themselves that are borked...) Please copy me directly, as I am not currently subscribed.

P.S. How's 5.0 looking for the targeted release date? Inquiring daemons want to know!

-- 
Yours,
J.A. Terranson [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED] with "unsubscribe freebsd-questions" in the body of the message