Re: bug? in configure script
Andrew Higginbotham wrote: I was installing freeradius today and the only way I could get it to recognize my ssl install, which is in a custom location, was to change line 21268 of the 'configure' script to from Hmmm... the generated configure script looks for -lcrypto, and then throws away that information before trying to look for -lssl. Horrible. I've updated the script to manually add -lcrypto back to LIBS if it was found. That should fix the problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OpenSSH, PAM and pam_radius_auth
I'm trying to get RADIUS authentication to work on one of our systems, but keep running into problems. For some reason it seems that the account system does not allow the user to login, and once the user has been authenticated, it drops the connection by not allowing sshd to establish credentials for the user. It seems that OpenSSH first tries to authetnicate the user with an empty password (), because if I set an empty password both in the local /etc/passwd, and on the RADIUS server, sshd is able to establish credentials for the user. Note that even with a non-empty password the authentication works, the daemon gets and OK from the radius server. There's a user with that given name in /etc/passwd. Anyone ideas about what could be wrong here? Here's the debug output from OpenSSH: debug1: userauth-request for user orbit-admin service ssh-connection method none debug1: attempt 0 failures 0 debug1: PAM: initializing for orbit-admin debug1: PAM: setting PAM_RHOST to 192.168.99.111 debug1: PAM: setting PAM_TTY to ssh debug1: userauth_send_banner: sent debug1: PAM: password authentication failed for orbit-admin: Authentication failure Failed none for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: userauth-request for user orbit-admin service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug1: keyboard-interactive devs debug1: auth2_challenge: user=orbit-admin devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' Postponed keyboard-interactive for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: do_pam_account: called debug1: PAM: num PAM env strings 0 Postponed keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: do_pam_account: called Accepted keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_pty_req: session 0 alloc /dev/ttyp1 debug1: server_input_channel_req: channel 0 request env reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req env debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: PAM: setting PAM_TTY to /dev/ttyp1 debug1: PAM: establishing credentials PAM: pam_setcred(): Authentication service cannot retrieve user credentials debug1: do_cleanup debug1: PAM: cleanup debug1: session_pty_cleanup: session 0 release /dev/ttyp1 My system-auth file: authsufficientpam_radius_auth.so debug authsufficientpam_unix.so likeauth nullok debug authrequired pam_deny.so account required pam_unix.so passwordsufficientpam_unix.so nullok use_authtok md5 passwordrequired pam_deny.so session required pam_unix.so Versions: pam_radius-1.3.17 openssh-4.5p1 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: OpenSSH, PAM and pam_radius_auth
[EMAIL PROTECTED] skrev: You have posted a question to the freeradius list and included a debug from - OpenSSH??? Don't you think that freeradius debug would be more helpful? As I stated, authentication in respect to RADIUS works just fine, therefor here's not need for the debug output from pam_radius_auth. I post to the freeradius list because the pam_radius_auth PAM module is part of the FreeRADIUS project, and there's a great chance that people on that list have used pam_radius_auth in the past. If you have any other questions related to where and why I post things, please take it in a private mail. ~j - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: OpenSSH, PAM and pam_radius_auth
You have posted a question to the freeradius list and included a debug from - OpenSSH??? Don't you think that freeradius debug would be more helpful? Ivan Kalik Kalik Informatika ISP Dana 8/1/2008, Johan Rydberg [EMAIL PROTECTED] piše: I'm trying to get RADIUS authentication to work on one of our systems, but keep running into problems. For some reason it seems that the account system does not allow the user to login, and once the user has been authenticated, it drops the connection by not allowing sshd to establish credentials for the user. It seems that OpenSSH first tries to authetnicate the user with an empty password (), because if I set an empty password both in the local /etc/passwd, and on the RADIUS server, sshd is able to establish credentials for the user. Note that even with a non-empty password the authentication works, the daemon gets and OK from the radius server. There's a user with that given name in /etc/passwd. Anyone ideas about what could be wrong here? Here's the debug output from OpenSSH: debug1: userauth-request for user orbit-admin service ssh-connection method none debug1: attempt 0 failures 0 debug1: PAM: initializing for orbit-admin debug1: PAM: setting PAM_RHOST to 192.168.99.111 debug1: PAM: setting PAM_TTY to ssh debug1: userauth_send_banner: sent debug1: PAM: password authentication failed for orbit-admin: Authentication failure Failed none for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: userauth-request for user orbit-admin service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug1: keyboard-interactive devs debug1: auth2_challenge: user=orbit-admin devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' Postponed keyboard-interactive for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: do_pam_account: called debug1: PAM: num PAM env strings 0 Postponed keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: do_pam_account: called Accepted keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_pty_req: session 0 alloc /dev/ttyp1 debug1: server_input_channel_req: channel 0 request env reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req env debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: PAM: setting PAM_TTY to /dev/ttyp1 debug1: PAM: establishing credentials PAM: pam_setcred(): Authentication service cannot retrieve user credentials debug1: do_cleanup debug1: PAM: cleanup debug1: session_pty_cleanup: session 0 release /dev/ttyp1 My system-auth file: authsufficientpam_radius_auth.so debug authsufficientpam_unix.so likeauth nullok debug authrequired pam_deny.so account required pam_unix.so passwordsufficientpam_unix.so nullok use_authtok md5 passwordrequired pam_deny.so session required pam_unix.so Versions: pam_radius-1.3.17 openssh-4.5p1 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: OpenSSH, PAM and pam_radius_auth
Hi Johan, Its good to hear that you reached up a level where Radius is working fine. But we are unable to break the jinx, and I am getting the following error when trying to telnet to the box. The installation and configuration of pam radius module went fine. Could you please help in this regards. Error we are getting Jan 8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Fai led looking up IP address for RADIUS server radius1 (errcode=12) Jan 8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Fai led looking up IP address for RADIUS server 10.213.31.186 (errcode=12) Jan 8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: All RADIUS servers failed to respond. I dont see any other debug messages apart from the above msg available in the /var/adm/messages Thank you Regards Sobanbabu Bakthavathsalu From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Johan Rydberg [EMAIL PROTECTED] Sent: 08 January 2008 12:43 To: freeradius-users@lists.freeradius.org; [EMAIL PROTECTED] Subject: OpenSSH, PAM and pam_radius_auth I'm trying to get RADIUS authentication to work on one of our systems, but keep running into problems. For some reason it seems that the account system does not allow the user to login, and once the user has been authenticated, it drops the connection by not allowing sshd to establish credentials for the user. It seems that OpenSSH first tries to authetnicate the user with an empty password (), because if I set an empty password both in the local /etc/passwd, and on the RADIUS server, sshd is able to establish credentials for the user. Note that even with a non-empty password the authentication works, the daemon gets and OK from the radius server. There's a user with that given name in /etc/passwd. Anyone ideas about what could be wrong here? Here's the debug output from OpenSSH: debug1: userauth-request for user orbit-admin service ssh-connection method none debug1: attempt 0 failures 0 debug1: PAM: initializing for orbit-admin debug1: PAM: setting PAM_RHOST to 192.168.99.111 debug1: PAM: setting PAM_TTY to ssh debug1: userauth_send_banner: sent debug1: PAM: password authentication failed for orbit-admin: Authentication failure Failed none for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: userauth-request for user orbit-admin service ssh-connection method keyboard-interactive debug1: attempt 1 failures 1 debug1: keyboard-interactive devs debug1: auth2_challenge: user=orbit-admin devs= debug1: kbdint_alloc: devices 'pam' debug1: auth2_challenge_start: trying authentication method 'pam' Postponed keyboard-interactive for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: do_pam_account: called debug1: PAM: num PAM env strings 0 Postponed keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: do_pam_account: called Accepted keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2 debug1: Entering interactive session for SSH2. debug1: server_init_dispatch_20 debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384 debug1: input_session_request debug1: channel 0: new [server-session] debug1: session_new: init debug1: session_new: session 0 debug1: session_open: channel 0 debug1: session_open: session 0: link with channel 0 debug1: server_input_channel_open: confirm session debug1: server_input_channel_req: channel 0 request pty-req reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req pty-req debug1: Allocating pty. debug1: session_pty_req: session 0 alloc /dev/ttyp1 debug1: server_input_channel_req: channel 0 request env reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req env debug1: server_input_channel_req: channel 0 request shell reply 0 debug1: session_by_channel: session 0 channel 0 debug1: session_input_channel_req: session 0 req shell debug1: PAM: setting PAM_TTY to /dev/ttyp1 debug1: PAM: establishing credentials PAM: pam_setcred(): Authentication service cannot retrieve user credentials debug1: do_cleanup debug1: PAM: cleanup debug1: session_pty_cleanup: session 0 release /dev/ttyp1 My system-auth file: authsufficientpam_radius_auth.so debug authsufficientpam_unix.so likeauth nullok debug authrequired pam_deny.so account required pam_unix.so passwordsufficientpam_unix.so nullok use_authtok md5 passwordrequired pam_deny.so session required pam_unix.so Versions: pam_radius-1.3.17 openssh-4.5p1 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html CAUTION - Disclaimer * This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail
Re: OpenSSH, PAM and pam_radius_auth
Johan Rydberg wrote: It seems that OpenSSH first tries to authetnicate the user with an empty password (), because if I set an empty password both in the local /etc/passwd, and on the RADIUS server, sshd is able to establish credentials for the user. PAM does weird things. OpenSSH does weird things. See bugs.freeradius.org. There a number of issues relating to the PAM module, including patches that may help here. I recall something related to try_first_pass. I haven't spent much time looking at PAM recently. All I recall from using it a few years ago is that I spent a LOT of time fighting with it, and had great difficulty trying to make it do anything. The complete and total lack of debugging information helped, too. PAM: pam_setcred(): Authentication service cannot retrieve user credentials That likely means that the user doesn't have a UID/GID/etc in /etc/passwd. The PAM RADIUS module doesn't set UID or GID. I tried to see if it was possible, and was told: a) No, it wasn't possible b) Yes, it was possible, and it was documented c) Yes, it was possible, but only the PAM authors knew how to make it work Getting conflicting answers from the same set of people made me unsubscribe from the PAM list. :( Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: OpenSSH, PAM and pam_radius_auth
Sobanbabu Bakthavathsalu wrote: Hi Johan, Its good to hear that you reached up a level where Radius is working fine. But we are unable to break the jinx, and I am getting the following error when trying to telnet to the box. The installation and configuration of pam radius module went fine. Could you please help in this regards. Error we are getting Jan 8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Fai led looking up IP address for RADIUS server radius1 (errcode=12) So fix DNS so that it has a name to IP mapping for that host. Or, add that name to IP mapping into /etc/hosts. The module can't do anything if you tell it to use radius1 as a RADIUS server, and the don't tell it where radius1 is on the network. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
variables with 2.0.0-beta
Hello Will this still expand with 2.0.0-beta ? %{config:client[%{Packet-Src-IP-Address}].shortname} I'm using 2.0.0-pre2 and it's working, but I am seeing some warnings with 2.0.0-beta about not being able to expand/find it. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: variables with 2.0.0-beta
Duane Cox wrote: Hello Will this still expand with 2.0.0-beta ? %{config:client[%{Packet-Src-IP-Address}].shortname} I've just committed a fix that will expand the contents of %{config:...}. So if you still have an old-style client definition, it should now work. I'm using 2.0.0-pre2 and it's working, but I am seeing some warnings with 2.0.0-beta about not being able to expand/find it. In 2.0.0-beta, you can do: %{client:shortname}, which means the client that this request came from. It's much simpler than the above method. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
ldap group membership required
Hello, I have search the archives and google, and there seems to be lots of confusion on the subject: Requiring membership to and LDAP group to authenticate. I can seem to get it to work. Notice the misspelling og the member: dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar cn: min_radius_wifi objectClass: groupOfNames objectClass: top member: cn=tes guest,ou=Guests,dc=fu,dc=bar The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to login. FreeRadius Version: freeradius-1.0.1 ldap { server = localhost identity = uid=authman,dc=fu,dc=bar password = XXX basedn = dc=fu,dc=bar filter = (uid=%{Stripped-User-Name:-%{User-Name}}) base_filter = (objectclass=person) # default_profile = cn=radprofile,ou=dialup,o=My Org,c=UA # profile_attribute = radiusProfileDn #` access_attr = uid # Mapping of RADIUS dictionary attributes to LDAP # directory attributes. dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_attribute = userPassword groupname_attribute = cn groupmembership_filter = (|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) groupmembership_attribute = cn=radius_wifi,ou=Group,dc=fu,dc=bar timeout = 4 timelimit = 3 net_timeout = 1 #compare_check_items = yes # do_xlat = yes # access_attr_used_for_allow = no } Thank you for the help, Dan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: variables with 2.0.0-beta
Duane Cox wrote: Thank you sir, and now the million dollar question, how soon until we see a -rc1 ? 2.0.0 should be released within days, if all goes well. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to Make Digital Certificates in Radius
niel m wrote: but 1 thing is lacking, it is how to create a Digital Certificate for Radius both Server Certificate and Client Certificate. Kindly help me on this problem, I appreciate any help that you can offer in order for me to implement such system. Download CVS head (http://freeradius.org/development.html) and install it. Then read raddb/certs/README. It's all there. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to Make Digital Certificates in Radius
Hello Allan, Thanks for the help. Can you help me with the 2nd topic; Can you help me find how to generate/create self-sign digital certificate for Server and Client? What are the step-by-step commands that I can use? Thanks for all. Respectfully yours, Niel On Jan 9, 2008 11:07 AM, Alan DeKok [EMAIL PROTECTED] wrote: niel m wrote: but 1 thing is lacking, it is how to create a Digital Certificate for Radius both Server Certificate and Client Certificate. Kindly help me on this problem, I appreciate any help that you can offer in order for me to implement such system. Download CVS head (http://freeradius.org/development.html) and install it. Then read raddb/certs/README. It's all there. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: ldap group membership required
Daniel Durgin wrote: I have search the archives and google, and there seems to be lots of confusion on the subject: Requiring membership to and LDAP group to authenticate. No. Authentication involves checking credentials. Authorization involves *additional* and *independent* filter rules specifying when and where people can authenticate. If you think of checking group membership as authentication, it means that you're conceptual model of how the system works is wrong. Hence designs of any solution will be wrong, and confusion will be multiplied. I can seem to get it to work. Notice the misspelling og the member: dn: cn=radius_wifi,ou=Groups,dc=fu,dc=bar cn: min_radius_wifi objectClass: groupOfNames objectClass: top member: cn=tes guest,ou=Guests,dc=fu,dc=bar The real user, cn=test guest,ou=Guests,dc=fu,dc=bar, is still able to login. So... read the debug output to see why. This is mentioned in no many places that there is NO excuse for not doing it. I also fail to understand why people look at the *configuration* to see how the server is *running*.It's like driving car while looking only at a map, and not at the road in front of you. If all goes well, it might work. But as soon as a pedestrian steps in front of your car, you fail to see him, and *boom*, bad things happen. FreeRadius Version: freeradius-1.0.1 Why? That version is *years* old. Alan DeKok - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to Make Digital Certificates in Radius
niel m wrote: Can you help me with the 2nd topic; Can you help me find how to generate/create self-sign digital certificate for Server and Client? I take it you didn't read the README. What are the step-by-step commands that I can use? Perhaps you can try reading the README. Your questions are answered there. If you're not going to read the documentation I wrote in the README, I don't see why I should take more time to cut paste that from the README into an email message. I already wrote the documentation, and I already answered your question. Now, it's your turn to follow the documentation, and to run the commands it suggests. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RPM install error.
His name I install freeradius-1.1.7-7.1.i386.rpm few days ago, When I try to install, upgrade or remove freeradius-1.1.7-7.1.i386.rpm get this error: /var/tmp/rpm-tmp.25681: line 1: fg: no job control error: %postun( freeradius-1.1.7-7.1.i386) scriptlet failed, exit status 1 I use Fedora Core 6 on Toshiba laptop. I try it with apt-get, but get previous error. Can you tell me why? -- Best Regards Rahmanian - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to Make Digital Certificates in Radius
Hello Sir Allan, I have already read the README file under this directory ( /etc/raddb/certs ) and this is the texts says This directory contains a number of sample certificates for use by the rlm_eap_tls module. These certificates should be used ONLY for testing purposes. If you're not using EAP-TLS, EAP-TTLS, or EAP-PEAP, then you may delete this entire directory. If you are using one or more of those authentication protocols, then the certificates included here should be replaced with ones signed by a real Certificate Authority. 2004-01-25 Respectfully yours, Niel On Jan 9, 2008 12:32 PM, Alan DeKok [EMAIL PROTECTED] wrote: niel m wrote: Can you help me with the 2nd topic; Can you help me find how to generate/create self-sign digital certificate for Server and Client? I take it you didn't read the README. What are the step-by-step commands that I can use? Perhaps you can try reading the README. Your questions are answered there. If you're not going to read the documentation I wrote in the README, I don't see why I should take more time to cut paste that from the README into an email message. I already wrote the documentation, and I already answered your question. Now, it's your turn to follow the documentation, and to run the commands it suggests. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: How to Make Digital Certificates in Radius
niel m wrote: I have already read the README file under this directory ( /etc/raddb/certs ) No. I said to grab the CVS head. The NEW version of that README contains additional information. You are looking at the OLD version of that README. Following PART of the instructions will get you PART of the solution. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html