SSH authentication with radius server fails if the user does not exist in radius client

Hi,

I am trying to authenticate ssh login using a radius server running on another linux machine. I added a new user in /usr/local/etc/raddb/users on the radius server. Now when I ssh to the radius client, the radius server denies the request and says 'Password doesn't match'. But I gave the right password. If I add the new user on the radius client machine, then when I ssh, the server accepts and authenticates the request. So it looks like the radius client is not sending the password to the radius server if the user does not exist on the local machine. Do I need to configure anything on the client or server to skip the local machine user check? Please help me solve this issue.

Thanks in advance.

Regards,
Dhandapani

--
View this message in context: http://www.nabble.com/SSH-authendication-with-radius-server-fails-if-the-user-does-not-exist-in-radius-client-tp24074268p24074268.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: SSH authentication with radius server fails if the user does not exist in radius client

> So it looks like the radius client is not sending the password to the radius server if the user does not exist on the local machine.

Yes, that's how PAM works. It can't authenticate users that don't exist locally (think about it - if the user/group is not defined locally, what will the user be able to access on the machine?). Nothing to do with radius.

Ivan Kalik
Kalik Informatika ISP
Re: SSH authentication with radius server fails if the user does not exist in radius client

Thanks a lot Ivan for the clarification. I am feeling like working with you. Do you mean the radius server can only be used for password authentication in the case of ssh/telnet? Can't we log in using the centralized username/password?

Regards,
Dhandapani

Ivan Kalik wrote:
> > So it looks like the radius client is not sending the password to the radius server if the user does not exist on the local machine.
>
> Yes, that's how PAM works. It can't authenticate users that don't exist locally (think about it - if the user/group is not defined locally, what will the user be able to access on the machine?). Nothing to do with radius.
>
> Ivan Kalik
> Kalik Informatika ISP
Re: SSH authentication with radius server fails if the user does not exist in radius client

> Do you mean the radius server can only be used for password authentication in the case of ssh/telnet?

Yes.

> Can't we log in using the centralized username/password?

No, that can't work. Let's say that you were authenticated and reached the shell as a nonexistent local user. How is he supposed to access anything or execute any commands? No permissions would apply to him.

Ivan Kalik
Kalik Informatika ISP
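A small diagnostic, added here as an illustration and not code from this thread, that checks the two things Ivan's answers turn on: whether the account is resolvable through NSS (the lookup sshd performs before it lets a login succeed, so an unknown account fails whatever the RADIUS server answers) and whether the sshd PAM service file hands the auth step to pam_radius_auth. The PAM file path /etc/pam.d/sshd and the fallback to /etc/passwd are assumptions.

```shell
#!/bin/sh
# Added illustration (not from the mailing-list thread). sshd resolves the login
# name through NSS (the same lookup `getent passwd` does: /etc/passwd plus any
# other source listed in nsswitch.conf) and treats an unresolvable name as an
# invalid user, so such a login cannot succeed regardless of what the PAM stack,
# and therefore the RADIUS server, replies. Adding the account locally, as the
# original poster observed, is what makes the RADIUS password check count.

# Succeeds (exit 0) when NSS knows the user. Falls back to /etc/passwd if the
# getent utility is unavailable (assumption: a plain local passwd file then).
user_known_to_nss() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd 2>/dev/null
}

# Prints one word describing where a login for user $1 would stop:
#   no-local-account : NSS lookup fails; the login is rejected whatever RADIUS says
#   no-radius-in-pam : account exists, but $2 contains no pam_radius_auth line
#   radius-in-pam    : account exists and $2 routes the auth step to pam_radius_auth
# $2 is the PAM service file for sshd; /etc/pam.d/sshd is assumed as the default.
login_stop_point() {
    user="$1"
    pamfile="${2:-/etc/pam.d/sshd}"
    if ! user_known_to_nss "$user"; then
        echo no-local-account
        return 1
    fi
    if [ -r "$pamfile" ] && grep -q 'pam_radius_auth' "$pamfile"; then
        echo radius-in-pam
    else
        echo no-radius-in-pam
    fi
    return 0
}

# Usage: login_stop_point dhandapani
```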
Re: SSH authentication with radius server fails if the user does not exist in radius client

Yes. Got it. Thanks Ivan.

Regards,
Dhandapani

Ivan Kalik wrote:
> > Do you mean the radius server can only be used for password authentication in the case of ssh/telnet?
>
> Yes.
>
> > Can't we log in using the centralized username/password?
>
> No, that can't work. Let's say that you were authenticated and reached the shell as a nonexistent local user. How is he supposed to access anything or execute any commands? No permissions would apply to him.
>
> Ivan Kalik
> Kalik Informatika ISP