Re: Pam radius authentication

2006-10-20 Thread danieldinu


Isn't there anyone who tried this implementation?


Hi!
if you are referring to this line:
account required pam_radius_auth.so debug
then here is the explanation:
  The pam configuration can be:
...
auth   sufficient   /lib/security/pam_radius_auth.so [options]
...
account   sufficient   /lib/security/pam_radius_auth.so
 (this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)
 
On the other hand, I don't care if I don't use this module for accounting. As 
a matter of fact, I tried in many configurations, even without using it for 
accounting.
The main concern is to succeed in authenticating the users!!! if anyone can 
help me accomplish that, I would be happy and I will not mind about 
accounting...





Hi,

 I don't understand why you are saying that you are invoking 
 pam_radius_auth in the wrong place and for the wrong reason...please, be 
 more specific and if you know the right configuration, enlighten me!
 
  #%PAM-1.0
  auth   required pam_securetty.so
  auth   sufficient   pam_radius_auth.so debug
  auth   required /lib/security/pam_unix_auth.so
  account   required pam_radius_auth.so debug
  

explain

alan
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Pam radius authentication

2006-10-17 Thread danieldinu
First of all, thank you for your reply. Until now, you are the only one.

Now, let's take it step by step:

This is a part of INSTALL:
**
 Redhat Linux  5.0
**

  make.

  Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so

  In the per-application configuration (/etc/pam.d/application) add:

auth   sufficient   /lib/security/pam_radius_auth.so

  AFTER

auth   required /lib/security/pam_securetty.so

  and BEFORE

auth   required /lib/security/pam_unix_auth.so

  i.e.

auth   required /lib/security/pam_securetty.so
auth   sufficient   /lib/security/pam_radius_auth.so
auth   required /lib/security/pam_unix_auth.so

My linux is RedHat 9, so this part pertains to my machine : Redhat Linux  5.0

make.

  Copy 'pam_radius_auth.so' to /lib/security/pam_radius_auth.so - already 
did...

In the per-application configuration (/etc/pam.d/application) add: - I want 
to use pam radius to authenticate ssh logins, so (/etc/pam.d/application) 
becomes /etc/pam.d/sshd

auth   required pam_securetty.so
auth   sufficient   pam_radius_auth.so debug
auth   required /lib/security/pam_unix_auth.so
-this part from INSTALL is identical to my /etc/pam.d/sshd...all of these 
modules deal with authentication (auth). pam_securetty verifies if root can 
login through tty by reading /etc/securetty. required means that this step is 
mandatory and that after this verification, the next authentication method will 
take place.
this is where pam_radius_auth comes. the messages are exchanged as explained in 
my previous e-mail. sufficient means that if this authentication succeeds, 
the following authentication methods will not be checked...in other terms: 
auth   required /lib/security/pam_unix_auth.so will be passed.

I don't understand why you are saying that you are invoking pam_radius_auth in 
the wrong place and for the wrong reason...please, be more specific and if you 
know the right configuration, enlighten me!

Again, any help would be appreciated!





Hi,

 anyone??? pls!!! no suggestions at all ? :(

I'd read the INSTALL doc that comes as part of the pam_radius
tool.

- cat /etc/pam.d/sshd
 #%PAM-1.0
 auth   required pam_securetty.so
 auth   sufficient   pam_radius_auth.so debug
 auth   required /lib/security/pam_unix_auth.so
 account   required pam_radius_auth.so debug
 password   required pam_stack.so service=system-auth
 session   required pam_stack.so service=system-auth
 session   required pam_limits.so
 session   optional pam_console.so

no. you're invoking pam_radius_auth in the wrong place and for the wrong reason.
again the INSTALL is your friend.


your radius configuration appears to be correct

alan


Re: Pam radius authentication

2006-10-17 Thread danieldinu
Hi!
if you are referring to this line:
account required pam_radius_auth.so debug
then here is the explanation:
  The pam configuration can be:
...
auth   sufficient   /lib/security/pam_radius_auth.so [options]
...
account   sufficient   /lib/security/pam_radius_auth.so
 (this is taken from http://www.freeradius.org/pam_radius_auth/USAGE)
 
On the other hand, I don't care if I don't use this module for accounting. As a 
matter of fact, I tried in many configurations, even without using it for 
accounting.
The main concern is to succeed in authenticating the users!!! if anyone can help 
me accomplish that, I would be happy and I will not mind about accounting...





Hi,

 I don't understand why you are saying that you are invoking pam_radius_auth 
 in the wrong place and for the wrong reason...please, be more specific and 
 if you know the right configuration, enlighten me!
 
  #%PAM-1.0
  auth   required pam_securetty.so
  auth   sufficient   pam_radius_auth.so debug
  auth   required /lib/security/pam_unix_auth.so
  account   required pam_radius_auth.so debug
  

explain

alan


Re: Pam radius authentication

2006-10-16 Thread danieldinu
anyone??? pls!!! no suggestions at all ? :(

On 12 Oct 2006, at 12:46, [EMAIL PROTECTED] wrote:


Hello!

I try to authenticate ssh users logins using pam_radius_auth.so.
On my RedHat 9 I have the following setup:
- freeradius server
  - users file:
test   Auth-Type := Local, User-Password == test

 - clients.conf
client 127.0.0.1 {
  secret  = secret
   shortname   = localhost
}

-pam radius module
   - cat /etc/pam.d/sshd
#%PAM-1.0
auth   required pam_securetty.so
auth   sufficient   pam_radius_auth.so debug
auth   required /lib/security/pam_unix_auth.so
account   required pam_radius_auth.so debug
password   required pam_stack.so service=system-auth
session   required pam_stack.so service=system-auth
session   required pam_limits.so
session   optional pam_console.so
-cat /etc/raddb/server
   127.0.0.1   secret 1


- pam_radius_auth.so is copied in /lib/security
-I created linux user test with home directory /home/test , without setting up 
a password 
- freeradius started with radiusd -X

Problem is that, when I try to connect to this machine using ssh, the radius 
server receives the request, processes it, sends access-accept, but the ssh 
session is ended, without the user being really logged in !!! I don't know the 
reason why the user gets rejected...

tail -f /var/log/secure
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: 
getservbyname(radius, udp) returned 1108551052.
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response 
code 2
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 
10.243.30.42 port 2847 ssh2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request 
code 1
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: 
getservbyname(radius, udp) returned 1108551052.
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response 
code 2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 
10.243.30.42 port 2881 ssh2

from radiusd -X :
rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 26590
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 512wyse83.cosmote.rom
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry test at line 80
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 253 to 127.0.0.1 port 27615
Finished request 0

thank you!



Pam radius authentication

2006-10-12 Thread danieldinu
Hello!

I try to authenticate ssh users logins using pam_radius_auth.so.
On my RedHat 9 I have the following setup:
- freeradius server
  - users file:
test   Auth-Type := Local, User-Password == test

 - clients.conf
client 127.0.0.1 {
  secret  = secret
   shortname   = localhost
}

-pam radius module
   - cat /etc/pam.d/sshd
#%PAM-1.0
auth   required pam_securetty.so
auth   sufficient   pam_radius_auth.so debug
auth   required /lib/security/pam_unix_auth.so
account   required pam_radius_auth.so debug
password   required pam_stack.so service=system-auth
session   required pam_stack.so service=system-auth
session   required pam_limits.so
session   optional pam_console.so
-cat /etc/raddb/server
   127.0.0.1   secret 1


- pam_radius_auth.so is copied in /lib/security
-I created linux user test with home directory /home/test , without setting up 
a password 
- freeradius started with radiusd -X

Problem is that, when I try to connect to this machine using ssh, the radius 
server receives the request, processes it, sends access-accept, but the ssh 
session is ended, without the user being really logged in !!! I don't know the 
reason why the user gets rejected...

tail -f /var/log/secure
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: DEBUG: 
getservbyname(radius, udp) returned 1108551052.
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: Got RADIUS response code 
2
Oct 12 11:06:27 D-Server sshd[26585]: pam_radius_auth: authentication succeeded
Oct 12 11:06:27 D-Server sshd[26585]: Accepted password for test from 
10.243.30.42 port 2847 ssh2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got user name test
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Sending RADIUS request 
code 1
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: DEBUG: 
getservbyname(radius, udp) returned 1108551052.
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: Got RADIUS response code 
2
Oct 12 11:28:30 D-Server sshd[26590]: pam_radius_auth: authentication succeeded
Oct 12 11:28:30 D-Server sshd[26590]: Accepted password for test from 
10.243.30.42 port 2881 ssh2

from radiusd -X :
rad_recv: Access-Request packet from host 127.0.0.1:27615, id=253, length=97
User-Name = test
User-Password = test
NAS-IP-Address = 127.0.0.1
NAS-Identifier = sshd
NAS-Port = 26590
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 512wyse83.cosmote.rom
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  modcall[authorize]: module chap returns noop for request 0
  modcall[authorize]: module mschap returns noop for request 0
rlm_realm: No '@' in User-Name = test, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
users: Matched entry test at line 80
  modcall[authorize]: module files returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 253 to 127.0.0.1 port 27615
Finished request 0

thank you!
