Re: Pam radius authentication
Isn't there anyone who tried this implementation?

> Hi! if you are referring to this line:
>
>     account required pam_radius_auth.so debug
>
> then here is the explanation:
>
> The pam configuration can be:
>
>     ...
>     auth sufficient /lib/security/pam_radius_auth.so [options]
>     ...
>     account sufficient /lib/security/pam_radius_auth.so
>
> (this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)
>
> On the other hand, I don't care if I don't use this module for accounting. As a matter of fact, I tried in many configurations, even without using it for accounting. The main concern is to succeed in authenticating the users!!! if anyone can help me accomplish that, I would be happy and I will not mind about accounting...
>
> > Hi,
> >
> > > I don't understand why you are saying that you are invoking pam_radius_auth in the wrong place and for the wrong reason... please, be more specific and if you know the right configuration, enlighten me!
> > >
> > >     #%PAM-1.0
> > >     auth required pam_securetty.so
> > >     auth sufficient pam_radius_auth.so debug
> > >     auth required /lib/security/pam_unix_auth.so
> > >     account required pam_radius_auth.so debug
> >
> > explain
> >
> > alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Pam radius authentication
First of all, thank you for your reply. Until now, you are the only one.

Now, let's take it step by step:

This is a part of INSTALL:

    ** Redhat Linux 5.0 **

    make. Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so

    In the per-application configuration (/etc/pam.d/application) add:

    auth sufficient /lib/security/pam_radius_auth.so

    AFTER

    auth required /lib/security/pam_securetty.so

    and BEFORE

    auth required /lib/security/pam_unix_auth.so

    i.e.

    auth required /lib/security/pam_securetty.so
    auth sufficient /lib/security/pam_radius_auth.so
    auth required /lib/security/pam_unix_auth.so

My linux is RedHat 9, so this part pertains to my machine:

Redhat Linux 5.0

make. Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so - already did...

In the per-application configuration (/etc/pam.d/application) add: - I want to use pam radius to authenticate ssh logins, so (/etc/pam.d/application) becomes /etc/pam.d/sshd

    auth required pam_securetty.so
    auth sufficient pam_radius_auth.so debug
    auth required /lib/security/pam_unix_auth.so

- this part from INSTALL is identical to my /etc/pam.d/sshd... all of these modules deal with authentication (auth). pam_securetty verifies if root can login through tty by reading /etc/securetty. required means that this step is mandatory and that after this verification, the next authentication method will take place. this is where pam_radius_auth comes. the messages are exchanged as explained in my previous e-mail. sufficient means that if this authentication succeeds, the following authentication methods will not be checked... in other terms: auth required /lib/security/pam_unix_auth.so will be passed.

I don't understand why you are saying that you are invoking pam_radius_auth in the wrong place and for the wrong reason... please, be more specific and if you know the right configuration, enlighten me!

Again, any help would be appreciated!

> Hi,
>
> > anyone??? pls!!! no suggestions at all ? :(
>
> I'd read the INSTALL doc that comes as part of the pam_radius tool.
>
> > - cat /etc/pam.d/sshd
> >
> >     #%PAM-1.0
> >     auth required pam_securetty.so
> >     auth sufficient pam_radius_auth.so debug
> >     auth required /lib/security/pam_unix_auth.so
> >     account required pam_radius_auth.so debug
> >     password required pam_stack.so service=system-auth
> >     session required pam_stack.so service=system-auth
> >     session required pam_limits.so
> >     session optional pam_console.so
>
> no. you're invoking pam_radius_auth in the wrong place and for the wrong reason. again the INSTALL is your friend.
>
> your radius configuration appears to be correct
>
> alan
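As an added illustration (not part of the thread, and not code from pam_radius_auth or Linux-PAM), this Python example models the `required` / `sufficient` control flags discussed in the message above, using the posted /etc/pam.d/sshd. The module outcomes passed in are constructed inputs, and the evaluation is a simplified model of Linux-PAM's behaviour.

```python
# Added example. SSHD_PAM is the file posted in the thread; outcomes are constructed.
SSHD_PAM = """\
#%PAM-1.0
auth     required   pam_securetty.so
auth     sufficient pam_radius_auth.so debug
auth     required   /lib/security/pam_unix_auth.so
account  required   pam_radius_auth.so debug
password required   pam_stack.so service=system-auth
session  required   pam_stack.so service=system-auth
session  required   pam_limits.so
session  optional   pam_console.so
"""

def parse(text):
    """Return {type: [(control, module_basename), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and the header
        if not line:
            continue
        mtype, control, module = line.split()[:3]
        stacks.setdefault(mtype, []).append((control, module.rsplit("/", 1)[-1]))
    return stacks

def run_stack(stack, mtype, outcomes):
    """outcomes maps (type, module) -> bool, default True. Returns (ok, called)."""
    failed, succeeded, called = False, False, []
    for control, module in stack:
        ok = outcomes.get((mtype, module), True)
        called.append(module)
        if ok:
            succeeded = True
            if control == "sufficient" and not failed:
                return True, called        # rest of this stack is skipped
        elif control == "requisite":
            return False, called           # fail immediately
        elif control == "required":
            failed = True                  # remembered, stack keeps running
        # a failed sufficient/optional module is ignored
    return succeeded and not failed, called

def login(text, outcomes):
    """Return the first failing phase (auth, account, session) or None."""
    stacks = parse(text)
    for phase in ("auth", "account", "session"):
        ok, _ = run_stack(stacks[phase], phase, outcomes)
        if not ok:
            return phase
    return None
```

With a constructed outcome in which a session module fails, `login` reports `session` even though the auth stack passed on the RADIUS accept. Which module, if any, failed on the poster's machine is not shown in the thread.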
Re: Pam radius authentication
Hi! if you are referring to this line:

    account required pam_radius_auth.so debug

then here is the explanation:

The pam configuration can be:

    ...
    auth sufficient /lib/security/pam_radius_auth.so [options]
    ...
    account sufficient /lib/security/pam_radius_auth.so

(this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)

On the other hand, I don't care if I don't use this module for accounting. As a matter of fact, I tried in many configurations, even without using it for accounting. The main concern is to succeed in authenticating the users!!! if anyone can help me accomplish that, I would be happy and I will not mind about accounting...

> Hi,
>
> > I don't understand why you are saying that you are invoking pam_radius_auth in the wrong place and for the wrong reason... please, be more specific and if you know the right configuration, enlighten me!
> >
> >     #%PAM-1.0
> >     auth required pam_securetty.so
> >     auth sufficient pam_radius_auth.so debug
> >     auth required /lib/security/pam_unix_auth.so
> >     account required pam_radius_auth.so debug
>
> explain
>
> alan
Re: Pam radius authentication
anyone??? pls!!! no suggestions at all ? :(

On 12 Oct 2006, at 12:46, [EMAIL PROTECTED] wrote:

> Hello!
>
> I try to authenticate ssh users logins using pam_radius_auth.so. On my RedHat 9 I have the following setup:
>
> - freeradius server
> - users file:
>
>       test Auth-Type := Local, User-Password == test
>
> - clients.conf
>
>       client 127.0.0.1 {
>           secret = secret
>           shortname = localhost
>       }
>
> - pam radius module
> - cat /etc/pam.d/sshd
>
>       #%PAM-1.0
>       auth required pam_securetty.so
>       auth sufficient pam_radius_auth.so debug
>       auth required /lib/security/pam_unix_auth.so
>       account required pam_radius_auth.so debug
>       password required pam_stack.so service=system-auth
>       session required pam_stack.so service=system-auth
>       session required pam_limits.so
>       session optional pam_console.so
>
> - cat /etc/raddb/server
>
>       127.0.0.1 secret 1
>
> - pam_radius_auth.so is copied in /lib/security
> - I created linux user test with home directory /home/test, without setting up a password
> - freeradius started with radiusd -X
>
> Problem is that, when I try to connect to this machine using ssh, the radius server receives the request, processes it, sends access-accept, but the ssh session is ended, without the user being really logged in !!! I don't know the reason why the user gets rejected...
>
> tail -f /var/log/secure
>
>     Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
>     Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2
>     Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
>     Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2
>     Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
>     Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1
>     Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
>     Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2
>     Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
>     Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2
>
> from radiusd -X :
>
>     rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
>         User-Name = test
>         User-Password = test
>         NAS-IP-Address = 127.0.0.1
>         NAS-Identifier = sshd
>         NAS-Port = 26590
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>         Calling-Station-Id = 512wyse83.cosmote.rom
>     Processing the authorize section of radiusd.conf
>     modcall: entering group authorize for request 0
>     modcall[authorize]: module preprocess returns ok for request 0
>     modcall[authorize]: module chap returns noop for request 0
>     modcall[authorize]: module mschap returns noop for request 0
>     rlm_realm: No '@' in User-Name = test, looking up realm NULL
>     rlm_realm: No such realm NULL
>     modcall[authorize]: module suffix returns noop for request 0
>     rlm_eap: No EAP-Message, not doing EAP
>     modcall[authorize]: module eap returns noop for request 0
>     users: Matched entry test at line 80
>     modcall[authorize]: module files returns ok for request 0
>     modcall: leaving group authorize (returns ok) for request 0
>     rad_check_password: Found Auth-Type Local
>     auth: type Local
>     auth: user supplied User-Password matches local User-Password
>     Sending Access-Accept of id 253 to 127.0.0.1 port 27615
>     Finished request 0
>
> thank you!
Pam radius authentication
Hello!

I try to authenticate ssh users logins using pam_radius_auth.so. On my RedHat 9 I have the following setup:

- freeradius server
- users file:

      test Auth-Type := Local, User-Password == test

- clients.conf

      client 127.0.0.1 {
          secret = secret
          shortname = localhost
      }

- pam radius module
- cat /etc/pam.d/sshd

      #%PAM-1.0
      auth required pam_securetty.so
      auth sufficient pam_radius_auth.so debug
      auth required /lib/security/pam_unix_auth.so
      account required pam_radius_auth.so debug
      password required pam_stack.so service=system-auth
      session required pam_stack.so service=system-auth
      session required pam_limits.so
      session optional pam_console.so

- cat /etc/raddb/server

      127.0.0.1 secret 1

- pam_radius_auth.so is copied in /lib/security
- I created linux user test with home directory /home/test, without setting up a password
- freeradius started with radiusd -X

Problem is that, when I try to connect to this machine using ssh, the radius server receives the request, processes it, sends access-accept, but the ssh session is ended, without the user being really logged in !!! I don't know the reason why the user gets rejected...

tail -f /var/log/secure

    Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
    Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 2
    Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
    Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 10.243.30.42 port 2847 ssh2
    Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
    Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request code 1
    Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1108551052.
    Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 2
    Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
    Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 10.243.30.42 port 2881 ssh2

from radiusd -X :

    rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
        User-Name = test
        User-Password = test
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = sshd
        NAS-Port = 26590
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = 512wyse83.cosmote.rom
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = test, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module eap returns noop for request 0
    users: Matched entry test at line 80
    modcall[authorize]: module files returns ok for request 0
    modcall: leaving group authorize (returns ok) for request 0
    rad_check_password: Found Auth-Type Local
    auth: type Local
    auth: user supplied User-Password matches local User-Password
    Sending Access-Accept of id 253 to 127.0.0.1 port 27615
    Finished request 0

thank you!