Re: SSH with Radius on one Server: no password match by authentication over sshd --- password match over NTRadPING

2011-01-24 Thread Marius.Meisner
Thx - you made my day. I hadn't seen the first entry in clients.conf for
localhost among all the comments.

Now it works fine.




On 24.01.2011 08:35, Johan Meiring wrote:
 On 2011/01/24 02:00 AM, Marius.Meisner wrote:
 /etc/pam_radius_auth.conf:*
 # server[:port] shared_secret  timeout (s)
 _127.0.0.1 secret 2_
 
^
 This does not match..
 

 */etc/freeradius/clients.conf:*
 ...
 _client 110.110.110.0/24 {
 
   ^
   this
 
 
 
 And therefore the shared secret is incorrect.
 Either fix pam to talk to the 110.110.110 address
 
 or fix Freeradius to have the correct shared secret under the 127.0.0.1
 client
 
 
 Cheers,
 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


SSH with Radius on one Server: no password match by authentication over sshd --- password match over NTRadPING

2011-01-23 Thread Marius.Meisner
Hello,

I'm a freeradius beginner and can't get any further with my problem for days -
reading a lot of stuff in documentation, books and forums on the net.
Using a debian system with freeradius 2.04 and OpenSSH_5.1p1 Debian-5,
OpenSSL 0.9.8g 19 on it - no NAS or other authenticator is used.

Installed freeradius - everything works fine. On my XP client I run
NTRadPING with radius secret key, user-name and password and get an
Access-Accept response (by chap, by pap - Auth-Type = System;
Cleartext-Password, Auth-Type := Local ...)

Now I installed pam package: apt-get install -y libpam-radius-auth.
make configs (added things are underlined)
*/etc/pam_radius_auth.conf:*
# server[:port] shared_secret  timeout (s)
_127.0.0.1 secret 2_

*/etc/freeradius/clients.conf:*
...
_client 110.110.110.0/24 {
secret  = secret
shortname   = private-net
}_
...

*/etc/pam.d/sshd*
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth   required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth   required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
_auth sufficient pam_radius_auth.so_
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password


*/etc/freeradius/users*
# #
# DEFAULT
#   Service-Type = Administrative-User

# On no match, the user is denied access.


_test Cleartext-Password := 123
1user Cleartext-Password := 1user
Fall-Through = No
John  Cleartext-Password := 123
Reply-Message = Hello, %{User-Name}

will Auth-Type = Accept

lameuser  Auth-Type := Reject
Reply-Message = Your account has been disabled.

mike Auth-Type := Local, User-Password := mike

33user Auth-Type = System
Reply-Message = Hello, %{User-Name}! Dein Passwort kommt aus
shadow,
Fall-Through = Yes_



To test a secure shell session I took a system account which has no entries
in the freeradius users-file. The user can log in, but
radius-authentication failed.

rad_recv: Access-Request packet from host 127.0.0.1 port 5572, id=176,
length=89
User-Name = user
User-Password = j\205[\022\245\343/X\231\330R@\342\324\023=
NAS-IP-Address = 10.10.10.11
NAS-Identifier = sshd
NAS-Port = 4547
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 10.10.10.200
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = user, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
  rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
  rad_check_password:  Found Auth-Type
auth: type PAP
+- entering group PAP
rlm_pap: login attempt with password j?[?¥ã/X?ØR@âÔ?=
rlm_pap: Using CRYPT encryption.
rlm_pap: *Passwords don't match*
++[pap] returns reject
*auth: Failed to validate the user.*
*Login incorrect* (rlm_pap: CRYPT password check failed):
[user/j\205[\022\245\343/X\231\330R@\342\324\023=] (from client
localhost port 4547 cli 10.10.10.200)
  WARNING: Unprintable characters in the password.Double-check
the shared secret on the server and the NAS!
  Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} - user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 176 to 127.0.0.1 port 5572
Waking up in 4.9 seconds.





Another example with a non-system account, will, with Auth-Type = Accept
passes radius authentication, but this is not what I want to have.

rad_recv: Access-Request packet from host 127.0.0.1 port 5564, id=142,
length=89
User-Name = will
User-Password = 

Re: SSH with Radius on one Server: no password match by authentication over sshd --- password match over NTRadPING

2011-01-23 Thread Johan Meiring

On 2011/01/24 02:00 AM, Marius.Meisner wrote:

/etc/pam_radius_auth.conf:*
# server[:port] shared_secret  timeout (s)
_127.0.0.1 secret 2_


   ^
This does not match..



*/etc/freeradius/clients.conf:*
...
_client 110.110.110.0/24 {


  ^
  this



And therefore the shared secret is incorrect.
Either fix pam to talk to the 110.110.110 address

or fix Freeradius to have the correct shared secret under the 127.0.0.1 client


Cheers,

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782

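Added example (editor's illustration, not code from the thread or from FreeRADIUS): a small model of the two things Johan's reply and the "Unprintable characters in the password" warning in Marius's debug log point at. FreeRADIUS picks the clients.conf entry by the packet's source address (the log says "from host 127.0.0.1", regardless of the NAS-IP-Address attribute), and then unhides User-Password with that entry's secret using the RFC 2865 section 5.2 MD5 construction. If pam_radius_auth hid the password with a different secret, what comes out is MD5 keystream, not the password. The client list, the localhost secret (assumed here to be the stock FreeRADIUS default, testing123), the password "mike" and the fixed Request Authenticator are all constructed for the demonstration.

```python
import hashlib
import ipaddress

# Constructed example (not from the thread): a minimal model of what the
# FreeRADIUS log in the thread shows. The NAS (pam_radius_auth on the same
# host) hides User-Password with the secret from /etc/pam_radius_auth.conf;
# the server reveals it with the secret of whichever clients.conf entry
# matches the packet's *source address*. If the two secrets differ, the
# result is keystream garbage, which is what the server's
# "Unprintable characters in the password" warning flags.


def _hide_or_reveal(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator in place of a previous ciphertext block."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = data + b"\x00" * (-len(data) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        chunk = padded[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(chunk, keystream))
        out += xored
        # The chain always uses the ciphertext block: `xored` when hiding,
        # the incoming `chunk` when revealing.
        prev = xored if hiding else chunk
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS puts into the User-Password attribute."""
    return _hide_or_reveal(password, secret, authenticator, hiding=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server recovers; trailing NUL padding is stripped."""
    return _hide_or_reveal(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def has_unprintable(password: bytes) -> bool:
    """Same heuristic as the server's warning: any byte outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in password)


def select_client(clients, src_ip: str):
    """First clients.conf entry whose network contains the packet's source
    address, or None (FreeRADIUS silently drops packets from unknown clients)."""
    ip = ipaddress.ip_address(src_ip)
    for name, network, secret in clients:
        if ip in ipaddress.ip_network(network, strict=False):
            return name, secret
    return None


def simulate_access_request(clients, nas_ip: str, nas_secret: bytes, password: bytes, authenticator: bytes) -> dict:
    """Describe how the server would see a request from nas_ip hidden with nas_secret."""
    match = select_client(clients, nas_ip)
    if match is None:
        return {"client": None, "revealed": None, "unprintable": False}
    name, server_secret = match
    hidden = hide_password(password, nas_secret, authenticator)
    revealed = reveal_password(hidden, server_secret, authenticator)
    return {"client": name, "revealed": revealed, "unprintable": has_unprintable(revealed)}


# Constructed fixture mirroring the thread: the stock localhost entry at the
# top of clients.conf (secret assumed to be the FreeRADIUS default, testing123)
# followed by the private-net client that was added.
CLIENTS_BROKEN = [
    ("localhost", "127.0.0.1/32", b"testing123"),
    ("private-net", "110.110.110.0/24", b"secret"),
]
# The fix Johan describes: give the 127.0.0.1 client the secret pam uses.
CLIENTS_FIXED = [
    ("localhost", "127.0.0.1/32", b"secret"),
    ("private-net", "110.110.110.0/24", b"secret"),
]
PAM_SECRET = b"secret"             # the secret in /etc/pam_radius_auth.conf
AUTHENTICATOR = bytes(range(16))   # constructed; a real one is 16 random bytes

if __name__ == "__main__":
    for label, clients in (("broken", CLIENTS_BROKEN), ("fixed", CLIENTS_FIXED)):
        r = simulate_access_request(clients, "127.0.0.1", PAM_SECRET, b"mike", AUTHENTICATOR)
        print(label, r["client"], r["revealed"], "UNPRINTABLE" if r["unprintable"] else "ok")
```

Running it prints the "broken" case with a byte salad much like the `j\205[\022...` in the log, and the "fixed" case with `b'mike'`. The point for checking a setup like this: the NAS-IP-Address and NAS-Identifier attributes in the packet are informational only; the secret is chosen by source IP, so a pam_radius_auth line pointing at 127.0.0.1 must be paired with the clients.conf entry that covers 127.0.0.1.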