RE: OpenSSH, PAM and pam_radius_auth

2008-01-09 Thread Sobanbabu Bakthavathsalu

Hi Alan,

  So fix DNS so that it has a name to IP mapping for that host.  Or,
add that name to IP mapping into /etc/hosts.

  The module can't do anything if you tell it to use radius1 as a
RADIUS server, and then don't tell it where radius1 is on the network.

 We have an entry in the /etc/hosts file for the radius1 server, but the pam_auth 
 module is having issues in reading it.
 You have seen the error: even if we give the IP address, it tries to resolve 
 it to IP again.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

 CAUTION - Disclaimer *
This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely 
for the use of the addressee(s). If you are not the intended recipient, please 
notify the sender by e-mail and delete the original message. Further, you are 
not to copy, disclose, or distribute this e-mail or its contents to any other 
person and any such actions are unlawful. This e-mail may contain viruses. 
Infosys has taken every reasonable precaution to minimize this risk, but is not 
liable for any damage you may sustain as a result of any virus in this e-mail. 
You should carry out your own virus checks before opening the e-mail or 
attachment. Infosys reserves the right to monitor and review the content of all 
messages sent to or from this e-mail address. Messages sent to or from this 
e-mail address may be stored on the Infosys e-mail system.
***INFOSYS End of Disclaimer INFOSYS***
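
An added example, not code from any poster in this thread or from pam_radius_auth: it rejoins wrapped syslog entries like the ones quoted in this thread and separates lookups that fail for a hostname from lookups that fail for an IP literal. The sample text, function names and cause labels are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the syslog lines quoted in this thread,
# including the mid-word wrap ("Fai" / "led") seen in the archived copy.
SAMPLE = """\
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Fai
led looking up IP address for RADIUS server radius1 (errcode=12)
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Fai
led looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: All
 RADIUS servers failed to respond.
"""

ENTRY_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
LOOKUP_FAIL = re.compile(
    r"pam_radius_auth: Failed looking up IP address for RADIUS server "
    r"(\S+) \(errcode=(\d+)\)")
ALL_FAILED = "pam_radius_auth: All RADIUS servers failed to respond"


def unwrap(text):
    """Rejoin hard-wrapped entries: a line without a leading syslog
    timestamp is the continuation of the previous entry."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += line
    return entries


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def triage(text):
    """Return failed lookups, the likely cause class, and whether the
    module reported that every configured server failed."""
    entries = unwrap(text)
    lookups = [(m.group(1), int(m.group(2)))
               for m in map(LOOKUP_FAIL.search, entries) if m]
    if any(is_ip_literal(server) for server, _ in lookups):
        # A literal address needs no hosts/DNS mapping, so missing
        # name-service data cannot explain the failure.
        cause = "resolver-call"
    elif lookups:
        cause = "name-service"  # check /etc/hosts, nsswitch.conf, DNS
    else:
        cause = "none"
    outage = any(ALL_FAILED in e for e in entries)
    return {"lookups": lookups, "cause": cause, "outage": outage}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

An `outage` result means no RADIUS server was reachable for that login attempt, so the outcome was decided by whatever follows pam_radius_auth in the PAM stack.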



RE: OpenSSH, PAM and pam_radius_auth

2008-01-08 Thread Sobanbabu Bakthavathsalu

Hi Johan,

It's good to hear that you reached a level where RADIUS is working fine. But 
we are unable to break the jinx, and I am getting the following error when 
trying to telnet to the box. The installation and configuration of the pam radius 
module went fine. Could you please help in this regard?

Error we are getting
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server radius1 (errcode=12)
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Jan  8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: All RADIUS servers failed to respond.

I don't see any other debug messages apart from the above msg available in 
/var/adm/messages.

Thank you
Regards
Sobanbabu Bakthavathsalu

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Johan Rydberg [EMAIL 
PROTECTED]
Sent: 08 January 2008 12:43
To: freeradius-users@lists.freeradius.org; [EMAIL PROTECTED]
Subject: OpenSSH, PAM and pam_radius_auth

I'm trying to get RADIUS authentication to work on one of our systems,
but keep running into problems.  For some reason it seems that the
account system does not allow the user to login, and once the user has
been authenticated, it drops the connection by not allowing sshd to
establish credentials for the user.

It seems that OpenSSH first tries to authenticate the user with an
empty password (), because if I set an empty password both in the
local /etc/passwd, and on the RADIUS server, sshd is able to establish
credentials for the user.

Note that even with a non-empty password the authentication works,
the daemon gets an OK from the radius server.  There's a user with that
given name in /etc/passwd.

Any ideas about what could be wrong here?


Here's the debug output from OpenSSH:

debug1: userauth-request for user orbit-admin service ssh-connection method none
debug1: attempt 0 failures 0
debug1: PAM: initializing for orbit-admin
debug1: PAM: setting PAM_RHOST to 192.168.99.111
debug1: PAM: setting PAM_TTY to ssh
debug1: userauth_send_banner: sent
debug1: PAM: password authentication failed for orbit-admin: Authentication failure
Failed none for orbit-admin from 192.168.99.111 port 39102 ssh2
debug1: userauth-request for user orbit-admin service ssh-connection method keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=orbit-admin devs=
debug1: kbdint_alloc: devices 'pam'
debug1: auth2_challenge_start: trying authentication method 'pam'
Postponed keyboard-interactive for orbit-admin from 192.168.99.111 port 39102 ssh2
debug1: do_pam_account: called
debug1: PAM: num PAM env strings 0
Postponed keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2
debug1: do_pam_account: called
Accepted keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2
debug1: Entering interactive session for SSH2.
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/ttyp1
debug1: server_input_channel_req: channel 0 request env reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req env
debug1: server_input_channel_req: channel 0 request shell reply 0
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: PAM: setting PAM_TTY to /dev/ttyp1
debug1: PAM: establishing credentials
PAM: pam_setcred(): Authentication service cannot retrieve user credentials
debug1: do_cleanup
debug1: PAM: cleanup
debug1: session_pty_cleanup: session 0 release /dev/ttyp1


My system-auth file:

auth        sufficient    pam_radius_auth.so debug
auth        sufficient    pam_unix.so likeauth nullok debug
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so nullok use_authtok md5
password    required      pam_deny.so
session     required      pam_unix.so


Versions:

pam_radius-1.3.17
openssh-4.5p1

RE: PAM_RADIUS_AUTH - Need help

2007-11-05 Thread Sobanbabu Bakthavathsalu

Hi Alan,

Any thoughts on this?
Why is the plugin unable to resolve the IP address of the RADIUS server, or 
trying to resolve an IP to IP?
Is that something related to compilation?

Regards
Soban


From: Sobanbabu Bakthavathsalu
Sent: 02 November 2007 11:59
To: FreeRadius users mailing list
Subject: RE: PAM_RADIUS_AUTH

Is this compatible with Solaris 10?

First time I tried with IP address only, and got the following error.
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)
It was trying to resolve the IP address for an address again. Later I made a 
host entry and tried, and then changed the config to name again. And I am getting 
the same error.

Regards
Soban


From: Sobanbabu Bakthavathsalu
Sent: 31 October 2007 10:46
To: FreeRadius users mailing list
Subject: RE: PAM_RADIUS_AUTH

Hi Alan,

First time I tried with IP address only, and got the following error.

Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)

It was trying to resolve the IP address for an address again. Later I made a 
host entry and tried, and then changed the config to name again. And I am getting 
the same error.

Regards
Soban



From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Alan DeKok [EMAIL 
PROTECTED]
Sent: 30 October 2007 17:28
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

Sobanbabu Bakthavathsalu wrote:
 Thank you for the response. There is no firewall in between the RADIUS server 
 and Solaris server (RADIUS client), only a Cisco router with standard ACL. I 
 have verified the ACL matches counter and found that the request from the 
 client itself is not reaching the router.
 Is it that host entries in the /etc/hosts file won't work for this? Do I need a DNS 
 server for RADIUS server name authentication to work with pam_radius_auth?

  No.  You *can* enter just an IP address...

  Alan DeKok.


RE: PAM_RADIUS_AUTH

2007-11-02 Thread Sobanbabu Bakthavathsalu

Is this compatible with Solaris 10?

First time I tried with IP address only, and got the following error.
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)
It was trying to resolve the IP address for an address again. Later I made a 
host entry and tried, and then changed the config to name again. And I am getting 
the same error.

Regards
Soban


From: Sobanbabu Bakthavathsalu
Sent: 31 October 2007 10:46
To: FreeRadius users mailing list
Subject: RE: PAM_RADIUS_AUTH

Hi Alan,

First time I tried with IP address only, and got the following error.

Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)

It was trying to resolve the IP address for an address again. Later I made a 
host entry and tried, and then changed the config to name again. And I am getting 
the same error.

Regards
Soban



From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Alan DeKok [EMAIL 
PROTECTED]
Sent: 30 October 2007 17:28
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

Sobanbabu Bakthavathsalu wrote:
 Thank you for the response. There is no firewall in between the RADIUS server 
 and Solaris server (RADIUS client), only a Cisco router with standard ACL. I 
 have verified the ACL matches counter and found that the request from the 
 client itself is not reaching the router.
 Is it that host entries in the /etc/hosts file won't work for this? Do I need a DNS 
 server for RADIUS server name authentication to work with pam_radius_auth?

  No.  You *can* enter just an IP address...

  Alan DeKok.


RE: PAM_RADIUS_AUTH

2007-10-31 Thread Sobanbabu Bakthavathsalu

Hi Alan,

First time I tried with IP address only, and got the following error.

Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)

It was trying to resolve the IP address for an address again. Later I made a 
host entry and tried, and then changed the config to name again. And I am getting 
the same error.

Regards
Soban



From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Alan DeKok [EMAIL 
PROTECTED]
Sent: 30 October 2007 17:28
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

Sobanbabu Bakthavathsalu wrote:
 Thank you for the response. There is no firewall in between the RADIUS server 
 and Solaris server (RADIUS client), only a Cisco router with standard ACL. I 
 have verified the ACL matches counter and found that the request from the 
 client itself is not reaching the router.
 Is it that host entries in the /etc/hosts file won't work for this? Do I need a DNS 
 server for RADIUS server name authentication to work with pam_radius_auth?

  No.  You *can* enter just an IP address...

  Alan DeKok.


PAM_RADIUS_AUTH

2007-10-30 Thread Sobanbabu Bakthavathsalu

Hi

I am trying to install the PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS 
for user authentication.
I have managed to successfully compile and install the pam plugin.
When I tried to telnet to the machine from a different server I am getting the 
following error.

Failed looking up IP address for RADIUS server radius1 (errcode=12)

I have made a host entry for this server name in /etc/hosts file and am able to 
ping the RADIUS server with name.
But still it's not working.

Could you please help on resolving this?

Regards
Soban



RE: PAM_RADIUS_AUTH

2007-10-30 Thread Sobanbabu Bakthavathsalu

Hi Nick,

Thank you for the response. There is no firewall in between the RADIUS server 
and Solaris server (RADIUS client), only a Cisco router with standard ACL. I 
have verified the ACL matches counter and found that the request from the 
client itself is not reaching the router.
Is it that host entries in the /etc/hosts file won't work for this? Do I need a DNS 
server for RADIUS server name authentication to work with pam_radius_auth?

The server in question is not configured for any DNS server for name 
resolution, it uses the hosts file only.
Hope this provides more information.

Regards
Soban



From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Nick Owen [EMAIL 
PROTECTED]
Sent: 30 October 2007 15:37
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

On 10/30/07, Sobanbabu Bakthavathsalu [EMAIL PROTECTED] wrote:

 Hi

 I am trying to install the PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS 
 for user authentication.
 I have managed to successfully compile and install the pam plugin.
 When I tried to telnet to the machine from a different server I am getting 
 the following error.

 Failed looking up IP address for RADIUS server radius1 (errcode=12)

 I have made a host entry for this server name in /etc/hosts file and am able to 
 ping the RADIUS server with name.
 But still it's not working.

 Could you please help on resolving this?

Lots of times this is a firewall issue where the port opening is set
for TCP and not UDP.  Check that.  Check that both are using port
1812, if that is what you are using.  Have you edited your telnet pam
entry?  I'm not familiar with Solaris, but that is what I would check.

More info would be helpful too.

HTH,

Nick

--
--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication