Re: Regarding pam_radius_auth to be integrated with busybox
Hi Arran,

On another board, I am still getting the same error. Do I still need to change anything else?

Regards,
Deep

On Tue, Oct 30, 2012 at 8:31 PM, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:

> On 30 Oct 2012, at 14:13, Deep Shah deep.s...@strixsystems.com wrote:
>
>> Sorry for the inconvenience. I have enabled the mips flag in the md5.c file of pam_radius_auth and my issue is resolved now.
>
> Ahhh.
>
> https://github.com/FreeRADIUS/pam_radius/commit/c61a218efb2a0ec4f493bcc9fa735306f779ea64
>
> -Arran

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Regarding pam_radius_auth to be integrated with busybox
On 9 Nov 2012, at 14:07, Deep Shah deep.s...@strixsystems.com wrote:

> Hi Arran,
>
> On another board, I am still getting the same error. Do I still need to change anything else?

Apparently MIPS and SPARC CPUs have configurable endianness, so the __sparc and __mips checks are probably wrong. I know autoconf has a macro for this; probably should add an autoconf script and use that instead of the compiler definitions.

Could you remove:

    #elif defined(__sparc) || defined(__mips)
    #define HIGHFIRST

in md5.c and check that this fixes the issue.

-Arran
Re: Regarding pam_radius_auth to be integrated with busybox
On Tue, Oct 30, 2012 at 12:42 PM, Deep Shah deep.s...@strixsystems.com wrote:

> Hi,
>
> Thank you for your reply. Here, the radius server is at /usr/local/etc/raddb/ (which is on the PC side) and I have configured and put my client at /etc/raddb/server. I am getting "pam_radius_auth: packet from RADIUS server 192.168.100.27 fails verification: The shared secret is probably incorrect." on my radius client.

If you're not going to listen to suggestions then I won't bother answering your mail anymore.

I just tested it on Ubuntu 12.04. The package is libpam-radius-auth, and (despite the comment in the config file), pam_radius_auth.conf must be in /etc. It works.

Again, my advice is start with a known good config, and work from there. If you decide to ignore that advice, it's your choice, but please stop wasting everyone's time.

-- 
Fajar
Re: Regarding pam_radius_auth to be integrated with busybox
Sorry for the inconvenience. I have enabled the mips flag in the md5.c file of pam_radius_auth and my issue is resolved now.

Regards,
Deep

On Tue, Oct 30, 2012 at 11:20 AM, Fajar A. Nugraha l...@fajar.net wrote:

> On Tue, Oct 30, 2012 at 12:42 PM, Deep Shah deep.s...@strixsystems.com wrote:
>
>> Hi,
>>
>> Thank you for your reply. Here, the radius server is at /usr/local/etc/raddb/ (which is on the PC side) and I have configured and put my client at /etc/raddb/server. I am getting "pam_radius_auth: packet from RADIUS server 192.168.100.27 fails verification: The shared secret is probably incorrect." on my radius client.
>
> If you're not going to listen to suggestions then I won't bother answering your mail anymore.
>
> I just tested it on Ubuntu 12.04. The package is libpam-radius-auth, and (despite the comment in the config file), pam_radius_auth.conf must be in /etc. It works.
>
> Again, my advice is start with a known good config, and work from there. If you decide to ignore that advice, it's your choice, but please stop wasting everyone's time.
>
> -- 
> Fajar
Re: Regarding pam_radius_auth to be integrated with busybox
On 30 Oct 2012, at 14:13, Deep Shah deep.s...@strixsystems.com wrote:

> Sorry for the inconvenience. I have enabled the mips flag in the md5.c file of pam_radius_auth and my issue is resolved now.

Ahhh.

https://github.com/FreeRADIUS/pam_radius/commit/c61a218efb2a0ec4f493bcc9fa735306f779ea64

-Arran
Regarding pam_radius_auth to be integrated with busybox
Hi,

I am trying to integrate the linux-pam library and the pam_radius_auth module into my busybox 1.17.3 version. I want to log in through a radius server on the host machine. I am using PowerPC as my board. I have configured the configuration files as below.

client.conf (conf file):

    client 192.168.100.26 {
        secret = testing123
    }

user (conf file):

    test    Auth-Type := PAP, Cleartext-Password := testpass
            Reply-Message = Hello, %{User-Name}, you have successfully authenticated your login

I am getting the request on the server side but an error of password mismatch is coming on the server. Please find the log for the same below.

    rad_recv: Access-Request packet from host 192.168.100.26 port 2970, id=106, length=69
        User-Name = test
        User-Password = C\2758\330E\345RZ\3707\227\001\265[\202H
        NAS-Identifier = login
        NAS-Port = 1945
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
    # Executing section authorize from file /usr/local/etc/raddb//sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = test, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry test at line 54
    [files] expand: Hello, %{User-Name}, you have successfully authenticated your login -> Hello, test, you have successfully authenticated your login
    ++[files] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns updated
    Found Auth-Type = PAP
    !!! Replacing User-Password in config items with Cleartext-Password.      !!!
    !!! Please update your configuration so that the known good               !!!
    !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
    # Executing group from file /usr/local/etc/raddb//sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password C�8�E�RZ�7??�[?H
    [pap] Using clear text password testpass
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject
    # Executing group from file /usr/local/etc/raddb//sites-enabled/default
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> test
    attr_filter: Matched entry DEFAULT at line 11
    ++[attr_filter.access_reject] returns updated
    Delaying reject of request 1 for 1 seconds
    Going to the next request
    Waking up in 0.9 seconds.
    Sending delayed reject for request 1
    Sending Access-Reject of id 106 to 192.168.100.26 port 2970
        Reply-Message = Hello, test, you have successfully authenticated your login
    Waking up in 4.9 seconds.
    Cleaning up request 1 ID 106 with timestamp +37
    Ready to process requests.

Can you please suggest what the issue might be? I am getting the password as a non-readable string even though I have used the correct password in the radius client and radius server.

Regards,
Deep
Re: Regarding pam_radius_auth to be integrated with busybox
Hi Alan,

To give some more debug, the print below is what I am getting on the client side. Can you please look into it?

    pam_radius_auth: packet from RADIUS server 192.168.100.19 fails verification: The shared secret is probably incorrect.

Regards,
Deep

On Mon, Oct 29, 2012 at 6:54 PM, Deep Shah deep.s...@strixsystems.com wrote:

> Hi,
>
> I am trying to integrate the linux-pam library and the pam_radius_auth module into my busybox 1.17.3 version. I want to log in through a radius server on the host machine. I am using PowerPC as my board. I have configured the configuration files as below.
>
> client.conf (conf file):
>
>     client 192.168.100.26 {
>         secret = testing123
>     }
>
> user (conf file):
>
>     test    Auth-Type := PAP, Cleartext-Password := testpass
>             Reply-Message = Hello, %{User-Name}, you have successfully authenticated your login
>
> I am getting the request on the server side but an error of password mismatch is coming on the server. Please find the log for the same below.
>
>     rad_recv: Access-Request packet from host 192.168.100.26 port 2970, id=106, length=69
>         User-Name = test
>         User-Password = C\2758\330E\345RZ\3707\227\001\265[\202H
>         NAS-Identifier = login
>         NAS-Port = 1945
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>     # Executing section authorize from file /usr/local/etc/raddb//sites-enabled/default
>     +- entering group authorize {...}
>     ++[preprocess] returns ok
>     ++[chap] returns noop
>     ++[mschap] returns noop
>     ++[digest] returns noop
>     [suffix] No '@' in User-Name = test, looking up realm NULL
>     [suffix] No such realm NULL
>     ++[suffix] returns noop
>     [eap] No EAP-Message, not doing EAP
>     ++[eap] returns noop
>     [files] users: Matched entry test at line 54
>     [files] expand: Hello, %{User-Name}, you have successfully authenticated your login -> Hello, test, you have successfully authenticated your login
>     ++[files] returns ok
>     ++[expiration] returns noop
>     ++[logintime] returns noop
>     ++[pap] returns updated
>     Found Auth-Type = PAP
>     !!! Replacing User-Password in config items with Cleartext-Password.      !!!
>     !!! Please update your configuration so that the known good               !!!
>     !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
>     # Executing group from file /usr/local/etc/raddb//sites-enabled/default
>     +- entering group PAP {...}
>     [pap] login attempt with password C�8�E�RZ�7??�[?H
>     [pap] Using clear text password testpass
>     [pap] Passwords don't match
>     ++[pap] returns reject
>     Failed to authenticate the user.
>     WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>     Using Post-Auth-Type Reject
>     # Executing group from file /usr/local/etc/raddb//sites-enabled/default
>     +- entering group REJECT {...}
>     [attr_filter.access_reject] expand: %{User-Name} -> test
>     attr_filter: Matched entry DEFAULT at line 11
>     ++[attr_filter.access_reject] returns updated
>     Delaying reject of request 1 for 1 seconds
>     Going to the next request
>     Waking up in 0.9 seconds.
>     Sending delayed reject for request 1
>     Sending Access-Reject of id 106 to 192.168.100.26 port 2970
>         Reply-Message = Hello, test, you have successfully authenticated your login
>     Waking up in 4.9 seconds.
>     Cleaning up request 1 ID 106 with timestamp +37
>     Ready to process requests.
>
> Can you please suggest what the issue might be? I am getting the password as a non-readable string even though I have used the correct password in the radius client and radius server.
>
> Regards,
> Deep
Re: Regarding pam_radius_auth to be integrated with busybox
On Tue, Oct 30, 2012 at 01:14:09AM +0530, Deep Shah wrote:
> pam_radius_auth: packet from RADIUS server 192.168.100.19 fails verification: The shared secret is probably incorrect.

> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

> Can you please suggest what might be the issue is? I am getting password

Please read the debug output. It's telling you the answer.

Matthew

-- 
Matthew Newton, Ph.D. m...@le.ac.uk
Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: Regarding pam_radius_auth to be integrated with busybox
On Tue, Oct 30, 2012 at 5:24 AM, Matthew Newton m...@leicester.ac.uk wrote:

> On Tue, Oct 30, 2012 at 01:14:09AM +0530, Deep Shah wrote:
>> pam_radius_auth: packet from RADIUS server 192.168.100.19 fails verification: The shared secret is probably incorrect.
>
>> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>
>> Can you please suggest what might be the issue is? I am getting password
>
> Please read the debug output. It's telling you the answer.

Correct.

@Deep: There should be pam_radius_auth.conf somewhere where you can specify the shared secret on the NAS (i.e. pam_radius_auth) side.

-- 
Fajar
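The two server-side messages above ("Unprintable characters in the password" and the client's "fails verification: The shared secret is probably incorrect") and Arran's HIGHFIRST note later in the thread both come down to the NAS and the server computing MD5 over the shared secret. The following is an added example, not pam_radius_auth or FreeRADIUS code: it implements RFC 2865's User-Password hiding and Response Authenticator check over a self-contained MD5 whose 32-bit word loading can be flipped to mimic a wrongly set HIGHFIRST in md5.c. The secret, password, packet id and server address are the thread's own values; the request authenticator is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* RFC 1321 tables: K[i] = floor(2^32 * |sin(i + 1)|); S holds the per-round rotation amounts. */
static const uint32_t K[64] = {
    0xd76aa478,0xe8c7b756,0x242070db,0xc1bdceee,0xf57c0faf,0x4787c62a,0xa8304613,0xfd469501,
    0x698098d8,0x8b44f7af,0xffff5bb1,0x895cd7be,0x6b901122,0xfd987193,0xa679438e,0x49b40821,
    0xf61e2562,0xc040b340,0x265e5a51,0xe9b6c7aa,0xd62f105d,0x02441453,0xd8a1e681,0xe7d3fbc8,
    0x21e1cde6,0xc33707d6,0xf4d50d87,0x455a14ed,0xa9e3e905,0xfcefa3f8,0x676f02d9,0x8d2a4c8a,
    0xfffa3942,0x8771f681,0x6d9d6122,0xfde5380c,0xa4beea44,0x4bdecfa9,0xf6bb4b60,0xbebfbc70,
    0x289b7ec6,0xeaa127fa,0xd4ef3085,0x04881d05,0xd9d4d039,0xe6db99e5,0x1fa27cf8,0xc4ac5665,
    0xf4292244,0x432aff97,0xab9423a7,0xfc93a039,0x655b59c3,0x8f0ccc92,0xffeff47d,0x85845dd1,
    0x6fa87e4f,0xfe2ce6e0,0xa3014314,0x4e0811a1,0xf7537e82,0xbd3af235,0x2ad7d2bb,0xeb86d391};
static const int S[4][4] = {{7,12,17,22},{5,9,14,20},{4,11,16,23},{6,10,15,21}};
/* MD5 reads each 64-byte block as sixteen LITTLE-endian words whatever the CPU's byte order; that
 * load is what md5.c's HIGHFIRST byte-swap is for. wrong_order=1 loads them big-endian instead,
 * mimicking a mis-set HIGHFIRST: a deterministic digest that is not MD5. */
static void md5(const uint8_t *msg, size_t len, int wrong_order, uint8_t out[16]) {
    uint32_t h[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};
    size_t padded = ((len + 8) / 64 + 1) * 64;            /* room for the 0x80 pad and 64-bit length */
    uint8_t *buf = calloc(padded, 1);
    memcpy(buf, msg, len); buf[len] = 0x80;
    for (int i = 0; i < 8; i++) buf[padded - 8 + i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    for (size_t off = 0; off < padded; off += 64) {
        uint32_t w[16], a = h[0], b = h[1], c = h[2], d = h[3];
        for (int i = 0; i < 16; i++) {
            const uint8_t *p = buf + off + 4 * i;
            w[i] = wrong_order ? ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]
                               : ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
        }
        for (int i = 0; i < 64; i++) {
            uint32_t f; int g, r = i / 16, s = S[r][i % 4];
            if (r == 0)      { f = (b & c) | (~b & d); g = i; }
            else if (r == 1) { f = (d & b) | (~d & c); g = (5 * i + 1) % 16; }
            else if (r == 2) { f = b ^ c ^ d;          g = (3 * i + 5) % 16; }
            else             { f = c ^ (b | ~d);       g = (7 * i) % 16; }
            uint32_t t = a + f + K[i] + w[g];
            a = d; d = c; c = b; b += (t << s) | (t >> (32 - s));
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d;
    }
    free(buf);
    for (int i = 0; i < 16; i++) out[i] = (uint8_t)(h[i / 4] >> (8 * (i % 4)));
}
/* RFC 2865 5.2 User-Password hiding: keystream b1 = MD5(secret + RA), b(n) = MD5(secret + c(n-1)), XORed
 * over the password zero-padded to 16-byte blocks. unhide=1 chains on the received ciphertext instead. */
static size_t pw_hide(const char *secret, const uint8_t ra[16], const uint8_t *in, size_t in_len,
                      int unhide, int wrong_order, uint8_t *out) {
    size_t slen = strlen(secret), n = ((in_len + 15) / 16) * 16;
    uint8_t buf[256 + 16], b[16], prev[16];
    if (slen > 256 || in_len > 128) return 0;             /* RFC 2865 caps the password at 128 octets */
    memcpy(prev, ra, 16);
    for (size_t off = 0; off < n; off += 16) {
        memcpy(buf, secret, slen);
        memcpy(buf + slen, prev, 16);
        md5(buf, slen + 16, wrong_order, b);
        for (int i = 0; i < 16; i++) out[off + i] = (off + i < in_len ? in[off + i] : 0) ^ b[i];
        memcpy(prev, unhide ? in + off : out + off, 16);  /* chain on what went over the wire */
    }
    return n;
}
/* RFC 2865 3: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
 * pkt's bytes 4..19 carry the sender's value; this is pam_radius_auth's "fails verification" test. */
static int verify_response(const uint8_t *pkt, size_t pkt_len, const uint8_t req_auth[16],
                           const char *secret, int wrong_order) {
    uint8_t tmp[512], digest[16];
    size_t slen = strlen(secret);
    if (pkt_len < 20 || pkt_len + slen > sizeof tmp) return 0;
    memcpy(tmp, pkt, pkt_len);
    memcpy(tmp + 4, req_auth, 16);                        /* hashed over the *request* authenticator */
    memcpy(tmp + pkt_len, secret, slen);
    md5(tmp, pkt_len + slen, wrong_order, digest);
    return memcmp(digest, pkt + 4, 16) == 0;
}
/* Constructed request authenticator (a real NAS draws 16 random bytes per request). */
static const uint8_t RA[16] = {0x0f,0x1e,0x2d,0x3c,0x4b,0x5a,0x69,0x78,0x87,0x96,0xa5,0xb4,0xc3,0xd2,0xe1,0xf0};
/* "Unprintable characters in the password": the NAS hides "testpass" under "testing123" with its
 * MD5 word order; the server unhides with real MD5 and server_secret. 1 = password recovered. */
static int server_recovers_password(int nas_wrong_order, const char *server_secret) {
    uint8_t hidden[128], plain[128];
    size_t n = pw_hide("testing123", RA, (const uint8_t *)"testpass", 8, 0, nas_wrong_order, hidden);
    pw_hide(server_secret, RA, hidden, n, 1, 0, plain);
    return n == 16 && memcmp(plain, "testpass\0\0\0\0\0\0\0\0", 16) == 0;
}
/* "fails verification": the server signs a 20-byte Access-Reject (id 106, as in the thread's log)
 * with real MD5 and "testing123"; the NAS checks it with its own word order and nas_secret. */
static int nas_accepts_reply(int nas_wrong_order, const char *nas_secret) {
    uint8_t pkt[20 + 32] = {3, 106, 0, 20}, digest[16];   /* Code, ID, Length=20, no attributes */
    memcpy(pkt + 4, RA, 16); memcpy(pkt + 20, "testing123", 10);
    md5(pkt, 30, 0, digest);                              /* Code+ID+Length+RA+Secret */
    memcpy(pkt + 4, digest, 16);
    return verify_response(pkt, 20, RA, nas_secret, nas_wrong_order);
}
int main(void) {                                          /* 1 = ok, 0 = the thread's symptoms */
    printf("good MD5 both sides: pap=%d verify=%d\n", server_recovers_password(0, "testing123"), nas_accepts_reply(0, "testing123"));
    printf("NAS MD5 wrong order: pap=%d verify=%d\n", server_recovers_password(1, "testing123"), nas_accepts_reply(1, "testing123"));
    return 0;
}
```

A wrong shared secret on either side produces exactly the same pair of failures as a broken MD5, which is why the server's warning tells you to check the secret first.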
Re: Regarding pam_radius_auth to be integrated with busybox
Hi Fajar and Matthew,

Thank you so much for your reply. I have checked several times that both the keys from pam_radius_auth.conf and my radius server are the same. But I am still getting these prints. Please find below a snapshot of my pam_radius_auth.conf file.

    # pam_radius_auth configuration file. Copy to: /etc/raddb/server
    #
    # The timeout field controls how many seconds the module waits before
    # deciding that the server has failed to respond.
    #
    # server[:port]    shared_secret    timeout (s)
    #127.0.0.1         secret           1
    #other-server      other-secret     3
    127.0.0.1          secret           1
    192.168.100.27     testing123       2
    other-server       other-secret     3
    #
    # having localhost in your radius configuration is a Good Thing.
    #
    # See the INSTALL file for pam.conf hints.

Please find below a snapshot of my client.conf file, which is taken from the server side. My client IP is 192.168.100.18 and my server IP is 192.168.100.27.

    client 192.168.100.18 {
        secret = testing123
    }

Can you please let me know which configuration is wrong, if there is any? Thank you very much for your help in advance.

Regards,
Deep

On Tue, Oct 30, 2012 at 7:28 AM, Fajar A. Nugraha l...@fajar.net wrote:

> On Tue, Oct 30, 2012 at 5:24 AM, Matthew Newton m...@leicester.ac.uk wrote:
>
>> On Tue, Oct 30, 2012 at 01:14:09AM +0530, Deep Shah wrote:
>>> pam_radius_auth: packet from RADIUS server 192.168.100.19 fails verification: The shared secret is probably incorrect.
>>
>>> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>>
>>> Can you please suggest what might be the issue is? I am getting password
>>
>> Please read the debug output. It's telling you the answer.
>
> Correct.
>
> @Deep: There should be pam_radius_auth.conf somewhere where you can specify the shared secret on the NAS (i.e. pam_radius_auth) side.
>
> -- 
> Fajar
Re: Regarding pam_radius_auth to be integrated with busybox
On Tue, Oct 30, 2012 at 12:14 PM, Deep Shah deep.s...@strixsystems.com wrote:

> Please find below a snapshot of my pam_radius_auth.conf file.
>
>     # pam_radius_auth configuration file. Copy to: /etc/raddb/server

Is it in the correct place? Since your earlier logs say /usr/local/etc/raddb, you might also try copying the file there, just in case.

> Please find below a snapshot of my client.conf file, which is taken from the server side. My client IP is 192.168.100.18 and my server IP is 192.168.100.27.

That's not what you said in your earlier post.

> Can you please let me know which configuration is wrong, if there is any?

Not sure. For this I'd actually suggest you start with a known good working config. Either RHEL/CentOS or Ubuntu/Debian is usually a good place to start. IIRC last time I tested this with RHEL it works just fine. Assuming you configure it correctly (hint: read the READMEs and docs that come with the source/package).

After you at least got THAT to work, then start working on your busybox thingy. Just in case it's a busybox-specific bug, in which case you should probably ask the devs there.

-- 
Fajar
Re: Regarding pam_radius_auth to be integrated with busybox
Hi,

Thank you for your reply. Here, the radius server is at /usr/local/etc/raddb/ (which is on the PC side) and I have configured and put my client at /etc/raddb/server. I am getting "pam_radius_auth: packet from RADIUS server 192.168.100.27 fails verification: The shared secret is probably incorrect." on my radius client.

I am getting the below error message on my client.

    !!! Replacing User-Password in config items with Cleartext-Password.      !!!
    !!! Please update your configuration so that the known good               !!!
    !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
    # Executing group from file /usr/local/etc/raddb//sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password ?U��?R�S4?H�0+R�
    [pap] Using clear text password test
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject

Regards,
Deep

On Tue, Oct 30, 2012 at 10:58 AM, Fajar A. Nugraha l...@fajar.net wrote:

> On Tue, Oct 30, 2012 at 12:14 PM, Deep Shah deep.s...@strixsystems.com wrote:
>
>> Please find below a snapshot of my pam_radius_auth.conf file.
>>
>>     # pam_radius_auth configuration file. Copy to: /etc/raddb/server
>
> Is it in the correct place? Since your earlier logs say /usr/local/etc/raddb, you might also try copying the file there, just in case.
>
>> Please find below a snapshot of my client.conf file, which is taken from the server side. My client IP is 192.168.100.18 and my server IP is 192.168.100.27.
>
> That's not what you said in your earlier post.
>
>> Can you please let me know which configuration is wrong, if there is any?
>
> Not sure. For this I'd actually suggest you start with a known good working config. Either RHEL/CentOS or Ubuntu/Debian is usually a good place to start. IIRC last time I tested this with RHEL it works just fine. Assuming you configure it correctly (hint: read the READMEs and docs that come with the source/package).
>
> After you at least got THAT to work, then start working on your busybox thingy. Just in case it's a busybox-specific bug, in which case you should probably ask the devs there.
>
> -- 
> Fajar
Re: Regarding pam_radius_auth to be integrated with busybox
Hi,

Thank you for your reply. Here, the radius server is at /usr/local/etc/raddb/ (which is on the PC side) and I have configured and put my client at /etc/raddb/server. I am getting "pam_radius_auth: packet from RADIUS server 192.168.100.27 fails verification: The shared secret is probably incorrect." on my radius client.

I am getting the below error message on my server (written as client by mistake in the previous email).

    !!! Replacing User-Password in config items with Cleartext-Password.      !!!
    !!! Please update your configuration so that the known good               !!!
    !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
    # Executing group from file /usr/local/etc/raddb//sites-enabled/default
    +- entering group PAP {...}
    [pap] login attempt with password ?U��?R�S4?H�0+R�
    [pap] Using clear text password test
    [pap] Passwords don't match
    ++[pap] returns reject
    Failed to authenticate the user.
    WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
    Using Post-Auth-Type Reject

Regards,
Deep

On Tue, Oct 30, 2012 at 10:58 AM, Fajar A. Nugraha l...@fajar.net wrote:

> On Tue, Oct 30, 2012 at 12:14 PM, Deep Shah deep.s...@strixsystems.com wrote:
>
>> Please find below a snapshot of my pam_radius_auth.conf file.
>>
>>     # pam_radius_auth configuration file. Copy to: /etc/raddb/server
>
> Is it in the correct place? Since your earlier logs say /usr/local/etc/raddb, you might also try copying the file there, just in case.
>
>> Please find below a snapshot of my client.conf file, which is taken from the server side. My client IP is 192.168.100.18 and my server IP is 192.168.100.27.
>
> That's not what you said in your earlier post.
>
>> Can you please let me know which configuration is wrong, if there is any?
>
> Not sure. For this I'd actually suggest you start with a known good working config. Either RHEL/CentOS or Ubuntu/Debian is usually a good place to start. IIRC last time I tested this with RHEL it works just fine. Assuming you configure it correctly (hint: read the READMEs and docs that come with the source/package).
>
> After you at least got THAT to work, then start working on your busybox thingy. Just in case it's a busybox-specific bug, in which case you should probably ask the devs there.
>
> -- 
> Fajar
pam_radius_auth x86_64 password garbled RHEL/CENTOS 5.8
Hi Folks,

I'm compiling my pam_radius_auth on x86_64 source and getting the following in my logs:

    Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: Got user name jmaltin@ip_removed_by_poster
    Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: Sending RADIUS request code 1
    Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1005286112.
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG: get_ipaddr(Add) returned 0.
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Failed looking up IP address for RADIUS server Add (errcode=9)
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1005286112.
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got RADIUS response code 3
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: authentication failed
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got user name jmaltin@removed_by_poster
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got password ^M^?INCORRECT
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Sending RADIUS request code 1
    Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1005286112.
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: DEBUG: get_ipaddr(Add) returned 0.
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: Failed looking up IP address for RADIUS server Add (errcode=9)
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1005286112.
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: Got RADIUS response code 3
    Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: authentication failed
    Mar 14 12:57:31 app2 sshd[12858]: Failed password for invalid user jmal...@voxel.net from ip_removed_by_poster port 44398 ssh2

What's the magic way to compile this for x86_64? Notice I added the -m64 to try to force 64 bit.

    [root@app2 pam_radius-1.3.17]# make
    cc -Wall -fPIC -m64 -c pam_radius_auth.c -o pam_radius_auth.o
    pam_radius_auth.c: In function ‘talk_radius’:
    pam_radius_auth.c:886: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
    pam_radius_auth.c: In function ‘pam_sm_authenticate’:
    pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
    cc -Wall -fPIC -m64 -c -o md5.o md5.c
    ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
    [root@app2 pam_radius-1.3.17]#

Thanks folks!

-- 
Judd Maltin
T: 917-882-1270
F: 501-694-7809
A loving heart is never wrong.
Re: pam_radius_auth x86_64 password garbled RHEL/CENTOS 5.8
Judd Maltin wrote:
> I'm compiling my pam_radius_auth on x86_64 source and getting the following in my logs:
...
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got password ^M^?INCORRECT

Another PAM module is butchering the password, before it is sent to pam_radius_auth. Go fix that.

> What's the magic way to compile this for x86_64?

Nothing. This isn't a 64-bit issue.

Alan DeKok.
Re: pam_radius_auth x86_64 password garbled RHEL/CENTOS 5.8
On Wed, Mar 14, 2012 at 2:24 PM, Alan DeKok al...@deployingradius.com wrote:

> Judd Maltin wrote:
>> I'm compiling my pam_radius_auth on x86_64 source and getting the following in my logs:
> ...
>> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got password ^M^?INCORRECT
>
> Another PAM module is butchering the password, before it is sent to pam_radius_auth. Go fix that.

Fixed, thanks. nss_ldap wasn't finding my users to satisfy PAM account.

>> What's the magic way to compile this for x86_64?
>
>  Nothing. This isn't a 64-bit issue.

Thanks again.

> Alan DeKok.

-- 
Judd Maltin
T: 917-882-1270
F: 501-694-7809
A loving heart is never wrong.
Re: Calling-Station-ID not sent by pam_radius_auth.
Hi Guys,

I'd like to recall this because now I have also met this problem. I also need to add Calling-Station-Id to the accounting request, but I can't find the accounting part in the pam radius source code. Can anyone help to figure it out and tell me which code I need to add in? Hope to hear from you asap. Very much appreciate any of your help.

BR,
allen

-- 
View this message in context: http://freeradius.1045715.n5.nabble.com/Calling-Station-ID-not-sent-by-pam-radius-auth-tp2741060p4424120.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: Calling-Station-ID not sent by pam_radius_auth.
lth0721 wrote:
> I'd like to recall this because now I have also met this problem. I also need to add Calling-Station-Id to the accounting request, but I can't find the accounting part in the pam radius source code. Can anyone help to figure it out and tell me which code I need to add in?

That's a question for the PAM list.

Alan DeKok.
Re: pam_radius_auth query
vijay s sheelavantar wrote:
> 1. Does pam_radius_auth.so support authorization of user accounts?

What does that mean?

Alan DeKok.
pam_radius_auth query
Hi,

Please clarify my doubts.

1. Does pam_radius_auth.so support authorization of user accounts?
2. If yes, how can we achieve it? What configuration needs to be done? Now pam_radius_auth.c sends authentication requests with the value PW_AUTHENTICATE_ONLY. What value do I need to send, and what configuration do I have to make at the server side to implement authorization?

I am using pam_radius_auth.so for authentication and it is working fine. At the FreeRADIUS server side I am authenticating users using the /etc/password file as the database. (I have enabled the unix option in the authorization section of the default file.)

Thanks and Regards,
VIJAY S.
Re: Core with 64Bit pam_radius_auth on Solaris 9
Peter Lambrechtsen wrote:
> Interestingly it seems to have come down to how UINT4 was defined. Changing UINT4 in radius.h from being an unsigned long to a uint32_t seemed to have sorted the problem:

OK. That change should have been made long ago. Any system which doesn't have uint32_t is 6-7 years old, and not worth supporting in the mainstream release.

Alan DeKok.
Re: Core with 64Bit pam_radius_auth on Solaris 9
Peter Lambrechtsen wrote:
> It seems around line 734 in pam_radius_auth.c:
>
>     if ((hp = gethostbyname(hostname)) == (struct hostent *) NULL) {
>         ipaddr = 0x;    /* no client IP address */
>     } else {
>         ipaddr = ntohl(*(UINT4 *) hp->h_addr);    /* use the first one available */
>     }
>
> That gethostbyname returns an h_addr IP address of 0.0.0.1 on our solaris box when running in 64Bit, but not in 32Bit. The box has IPV6 fully disabled so we are not sure why it's doing that.

Ah... 0.0.0.1 is ::1 in IPv6.

OK, the module *should* check the h_addrtype field. It's not doing that right now.

> Otherwise we may want to move to using gethostbyname_r rather than gethostbyname and get it working that way. I'll submit a patch.
>
> And use the get_ipaddr function at line 242 only once rather than having two separate places where gethostbyname is called to return an IP Address.

OK, thanks.

Alan DeKok.
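The cast quoted above and the UINT4 width change this thread settles on are related: with UINT4 defined as `unsigned long`, a 64-bit build dereferences eight bytes through a four-byte address and then narrows the result at the ntohl() call. The following is an added example, not pam_radius_auth's code: it emulates that read for either host byte order, performs it for real on the current host, and shows the corrected extraction that checks h_addrtype as Alan asks. The `struct hostent` records are constructed stand-ins, not resolver output, and the bytes following the address are a constructed assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */
#include <netdb.h>        /* struct hostent */
#include <arpa/inet.h>    /* ntohl */

/* The thread's line, with UINT4 = unsigned long:   ipaddr = ntohl(*(UINT4 *) hp->h_addr);
 * On an LP64 build the dereference reads sizeof(unsigned long) == 8 bytes through a 4-byte
 * address and ntohl() keeps only the low 32 bits. Which four of the eight bytes survive depends
 * on host byte order; this emulation assembles them as a host of the given order would, then
 * truncates and byte-swaps exactly as the ntohl() call does. width is sizeof(UINT4). */
static uint32_t legacy_read_on(const uint8_t *p, size_t width, int big_endian) {
    uint64_t wide = 0;
    for (size_t i = 0; i < width; i++)
        wide = big_endian ? (wide << 8) | p[i] : wide | ((uint64_t)p[i] << (8 * i));
    uint32_t low = (uint32_t)wide;                  /* implicit narrowing at the ntohl() call */
    if (big_endian) return low;                     /* ntohl() is the identity on big-endian */
    return (low >> 24) | ((low >> 8) & 0xff00) | ((low << 8) & 0xff0000) | (low << 24);
}

/* The same read done for real on this host (memcpy instead of the aliasing cast, so it is
 * well-defined). Agrees with legacy_read_on(p, sizeof(unsigned long), host_is_big_endian()). */
static uint32_t legacy_read_here(const struct hostent *hp) {
    unsigned long wide = 0;
    memcpy(&wide, hp->h_addr_list[0], sizeof wide);
    return ntohl((uint32_t)wide);
}

static int host_is_big_endian(void) {
    uint32_t probe = 1;
    uint8_t first;
    memcpy(&first, &probe, 1);
    return first == 0;
}

/* Corrected form: check family and length first (the h_addrtype test the thread asks for),
 * then copy exactly four bytes into a fixed-width type. Returns 0 if the record is unusable. */
static int extract_ipv4(const struct hostent *hp, uint32_t *ipaddr) {
    uint32_t net;
    if (hp == NULL || hp->h_addrtype != AF_INET || hp->h_length != 4 ||
        hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return 0;
    memcpy(&net, hp->h_addr_list[0], sizeof net);
    *ipaddr = ntohl(net);
    return 1;
}

/* Constructed stand-ins for what gethostbyname() hands back (not real resolver output): the
 * thread's server 192.168.100.27 with the bytes 00 00 00 01 placed after it in memory, and an
 * AF_INET6 record for ::1 that the corrected code must reject rather than reinterpret. */
static uint8_t v4_bytes[8] = {192, 168, 100, 27, 0, 0, 0, 1};
static uint8_t v6_bytes[16] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
static char *v4_list[2] = {(char *)v4_bytes, NULL};
static char *v6_list[2] = {(char *)v6_bytes, NULL};
static struct hostent v4_host = {.h_name = "radius-v4.invalid", .h_addrtype = AF_INET, .h_length = 4, .h_addr_list = v4_list};
static struct hostent v6_host = {.h_name = "radius-v6.invalid", .h_addrtype = AF_INET6, .h_length = 16, .h_addr_list = v6_list};

int main(void) {
    uint32_t ip = 0;
    printf("8-byte UINT4, little-endian host: %08x   big-endian host: %08x   (correct: c0a8641b)\n",
           legacy_read_on(v4_bytes, 8, 0), legacy_read_on(v4_bytes, 8, 1));
    printf("this host (%s-endian): legacy=%08x  fixed=%08x\n", host_is_big_endian() ? "big" : "little",
           legacy_read_here(&v4_host), extract_ipv4(&v4_host, &ip) ? ip : 0);
    printf("AF_INET6 record accepted by fixed code: %d\n", extract_ipv4(&v6_host, &ip));
    return 0;
}
```

On a big-endian LP64 host the legacy read yields 0x00000001, i.e. 0.0.0.1 from whatever follows the address in memory, while the same code on x86_64 happens to return the right answer because little-endian truncation keeps the first four bytes.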
Re: Core with 64Bit pam_radius_auth on Solaris 9
Interestingly it seems to have come down to how UINT4 was defined. Changing UINT4 in radius.h from being an unsigned long to a uint32_t seemed to have sorted the problem:

---Begin Patch --- radius.h.orig Fri Sep 24 15:17:05 2010 +++ radius.hWed Sep 29 10:56:36 2010 @@ -36,7 +36,7 @@ #define AUTH_STRING_LEN128 /* maximum of 254 */ #ifndef UINT4 -typedef unsigned long UINT4; +typedef uint32_t UINT4; #endif typedef struct pw_auth_hdr { ---End Patch

That has seemed to sort the problem.

On Tue, Sep 28, 2010 at 8:31 PM, Alan DeKok al...@deployingradius.com wrote:

> Peter Lambrechtsen wrote:
>> It seems around line 734 in pam_radius_auth.c:
>>
>>     if ((hp = gethostbyname(hostname)) == (struct hostent *) NULL) {
>>         ipaddr = 0x;    /* no client IP address */
>>     } else {
>>         ipaddr = ntohl(*(UINT4 *) hp->h_addr);    /* use the first one available */
>>     }
>>
>> That gethostbyname returns an h_addr IP address of 0.0.0.1 on our solaris box when running in 64Bit, but not in 32Bit. The box has IPV6 fully disabled so we are not sure why it's doing that.
>
> Ah... 0.0.0.1 is ::1 in IPv6.
>
> OK, the module *should* check the h_addrtype field. It's not doing that right now.
>
>> Otherwise we may want to move to using gethostbyname_r rather than gethostbyname and get it working that way. I'll submit a patch.
>>
>> And use the get_ipaddr function at line 242 only once rather than having two separate places where gethostbyname is called to return an IP Address.
>
> OK, thanks.
>
> Alan DeKok.
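Review bot: the hunk replaces `typedef unsigned long UINT4;` with `typedef uint32_t UINT4;` but adds no `#include <stdint.h>` (or `<inttypes.h>`) to radius.h, so the header only compiles where an earlier include happens to define uint32_t; add the include above the `#ifndef UINT4` guard. That guard also deserves a look: any translation unit that already has UINT4 defined as `unsigned long` keeps the 8-byte width this patch is meant to remove. The commit message should say why the width matters, namely that the `ntohl(*(UINT4 *) hp->h_addr)` cast quoted in this thread reads sizeof(UINT4) bytes from a 4-byte address, and note that the h_addrtype check Alan asked for is still missing after this change.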
Re: Core with 64Bit pam_radius_auth on Solaris 9
Peter Lambrechtsen wrote:
> Hello
>
> I've managed to compile pam_radius-1.3.17 both 32Bit and 64Bit. I had to add -lsocket as part of linking to get it to work and modified the make file to have -m64 to compile on 64bit.
>
> When I compile it for 64Bit this is my make output:
...
> But when I try and use the 64Bit version of pamtester it core dumps.

Well... gdb should help to track it down.

> Any suggestions on what to do with gdb or to debug this problem??

    $ gdb --args ./pamtester jpam peter authenticate
    (gdb) run
    (gdb) bt

> I've seen a number of posts such as this one: http://networking.itags.org/networking-tech/58575/
>
> Talking about changing the typedef for md5.h
>
> -#define uint32 u_int32_t
> +#define uint32 uint32_t
>
> However 1.3.17 already seems to have this patch.
>
>     struct MD5Context {
>         uint32_t buf[4];
>         uint32_t bits[2];
>         unsigned char in[64];
>     };
>
> I'm no C developer so not sure where to go to from here.

I don't have a 64-bit Solaris machine, so I can't help much.

Alan DeKok.
Re: Core with 64Bit pam_radius_auth on Solaris 9
On Wed, Sep 22, 2010 at 6:06 PM, Alan DeKok al...@deployingradius.com wrote:

>> Any suggestions on what to do with gdb or to debug this problem??
>
>     $ gdb --args ./pamtester jpam peter authenticate
>     (gdb) run
>     (gdb) bt

This is what I get back:

    (gdb) run
    Starting program: /usr/local/bin/sparcv9/pamtester jpam peter authenticate
    procfs:4337 -- process not stopped.
    procfs: ...giving up...
    (gdb) bt
    procfs: couldn't find pid 7326 (kernel thread 1) in procinfo list.
    procfs: couldn't find pid 7326 (kernel thread 1) in procinfo list.

If I try it on the 32bit version I get:

    (gdb) run
    Starting program: /usr/local/bin/pamtester jpam peter authenticate
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    (no debugging symbols found)
    Password:
    pamtester: successfully authenticated

    Program exited normally.
    (gdb) quit

>> I'm no C developer so not sure where to go to from here.
>
> I don't have a 64-bit Solaris machine, so I can't help much.

Pretty much all sparc machines have been 64Bit for a very long time, so if you have a sparc machine it's probably 64bit; you just need to add the -m64 on the compiler switches. I can also sort out remote access into a machine. Just e-mail me directly.

Cheers for the response.

Peter
Re: Core with 64Bit pam_radius_auth on Solaris 9
Peter Lambrechtsen wrote:
> This is what I get back:
>
> (gdb) run
> Starting program: /usr/local/bin/sparcv9/pamtester jpam peter authenticate
> procfs:4337 -- process not stopped.
> procfs: ...giving up...
> (gdb) bt
> procfs: couldn't find pid 7326 (kernel thread 1) in procinfo list.
> procfs: couldn't find pid 7326 (kernel thread 1) in procinfo list.

  Well... that's an issue for Solaris gdb documentation, unfortunately.

  Alan DeKok.
Re: Core with 64Bit pam_radius_auth on Solaris 9
On Wed, Sep 22, 2010 at 9:55 PM, Alan DeKok al...@deployingradius.com wrote:

> Peter Lambrechtsen wrote:
>> This is what I get back:
>>
>> (gdb) run
>> Starting program: /usr/local/bin/sparcv9/pamtester jpam peter authenticate
>> procfs:4337 -- process not stopped.
>> procfs: ...giving up...
>> (gdb) bt
>> procfs: couldn't find pid 7326 (kernel thread 1) in procinfo list.
>> procfs: couldn't find pid 7326 (kernel thread 1) in procinfo list.
>
>  Well... that's an issue for Solaris gdb documentation, unfortunately.

Yes, it seems to be an odd quirk when compiling code on Solaris 9 and running it on Solaris 10. I was hoping to have a module that would work on both, but that is looking less likely.

I've got PADL pam_ldap working fine compiled on 9 and working on 10 for both 32Bit and 64Bit. So I am trying to figure out what gcc and/or ld switch is missing that is causing it to not work. Otherwise I will just install gcc on the box and recompile on Solaris 10.
Core with 64Bit pam_radius_auth on Solaris 9
Hello

I've managed to compile pam_radius-1.3.17 both 32Bit and 64Bit. I had to add -lsocket as part of linking to get it to work and modified the make file to have -m64 to compile on 64bit

When I compile it for 64Bit this is my make output:

gcc -Wall -fPIC -m64 -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function `ipstr2long':
pam_radius_auth.c:185: warning: subscript has type `char'
pam_radius_auth.c: In function `good_ipaddr':
pam_radius_auth.c:221: warning: subscript has type `char'
pam_radius_auth.c: In function `host2server':
pam_radius_auth.c:277: warning: subscript has type `char'
pam_radius_auth.c: In function `rad_converse':
pam_radius_auth.c:1027: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1030: warning: passing arg 2 of pointer to function from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_authenticate':
pam_radius_auth.c:1081: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1097: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
pam_radius_auth.c:1121: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1135: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1168: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_private_session':
pam_radius_auth.c:1300: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1321: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_chauthtok':
pam_radius_auth.c:1407: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1428: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1437: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1442: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
gcc -Wall -fPIC -m64 -m64 -I/usr/local/include -R/usr/local/lib/sparcv9 -c md5.c
gcc -R/usr/local/lib/sparcv9 -m64 -shared pam_radius_auth.o md5.o -lpam -lsocket -lc -o pam_radius_auth.so

Which is all well and good. But when I try and use the 64Bit version of pamtester it core dumps. The 32Bit version compiles fine, and the 32bit version of pamtester also works fine.

./pamtester jpam peter authenticate
Password:
Bus Error (core dumped)

In /var/adm/messages I get:

Sep 22 13:51:46 sf2428 genunix: [ID 603404 kern.notice] NOTICE: core_log: pamtester[13662] core dumped: /var/core/core_sol9_pamtester_0_0_1285120305_13662

Any suggestions on what to do with gdb or to debug this problem??

I've seen a number of posts such as this one:
http://networking.itags.org/networking-tech/58575/

Talking about changing the typedef for md5.h

-#define uint32 u_int32_t
+#define uint32 uint32_t

However 1.3.17 already seems to have this patch.

struct MD5Context {
        uint32_t buf[4];
        uint32_t bits[2];
        unsigned char in[64];
};

I'm no C developer so not sure where to go to from here. Any suggestions would be gratefully accepted.

Cheers

Peter
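Review bot: the quoted typedef hunk cannot be the fix for this build: as the poster notes and the MD5Context struct shown right after it confirms, 1.3.17 already uses uint32_t, so applying the hunk changes nothing. The only difference between the working 32-bit build and the crashing 64-bit one visible in the transcript is -m64 (passed twice on the md5.c compile line, which is harmless), so the place to look is the debugger output of the 64-bit binary rather than the MD5 typedef.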
Re: Setting up pam_radius_auth
Mike J wrote: I've fixed the x86 module (was using a wrong client config file). So I have x86 working but don't have the ppc module working. .. Is this likely the cause of my issue? Yes. Figure out how to build the MD5 code with the correct endian definitions. Don't be afraid to hard-code the definition in the source. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Setting up pam_radius_auth
On Fri, Aug 6, 2010 at 12:39 AM, Alan DeKok al...@deployingradius.com wrote:

> Mike J wrote:
>> I've fixed the x86 module (was using a wrong client config file). So I have x86 working but don't have the ppc module working.
> ..
>> Is this likely the cause of my issue?
>
>  Yes.  Figure out how to build the MD5 code with the correct endian definitions.  Don't be afraid to hard-code the definition in the source.

That seemed to work. In case others are interested: in 1.3.17 you have to define HIGHFIRST if you are compiling for a big endian arch (ppc in my case). I added -DHIGHFIRST to CFLAGS in the makefile, rather than hard-code it in md5.c.

Alan, thanks for your help.
Re: Setting up pam_radius_auth
On Tue, Jul 27, 2010 at 1:22 AM, Alan DeKok al...@deployingradius.com wrote:

> Mike J wrote:
>> It is a PPC module. However, since I was having problems with it I decided to install the PAM module for my x86 workstation (from the Ubuntu Hardy repository). I'm getting the same results. The client/server talk to each other but the password doesn't seem to be decrypted when the auth request gets to the server.
>
>  Then the shared secret is wrong.  The debug log shows this.  Go fix the shared secret.

I've already checked the shared secret. Even though the log message says the shared secret is probably wrong, it isn't. I've fixed the x86 module (was using a wrong client config file). So I have x86 working but don't have the ppc module working.

>> I've also double checked how I was building the PPC PAM module. I'm using the provided makefile and setting up the compiler and linker to use the proper ppc build tools. Any ideas of where I could be going wrong when compiling it?
>
>  Endian issues.  It's buried in the source...

Is this likely the cause of my issue?

>> By the way, this is the entry in the top of my users file on my RADIUS server:
>>
>> testing Cleartext-Password := password
>>
>> Is the Cleartext-Password option okay for authenticating PAM clients?
>
>  Yes.  The RADIUS server looks at the contents of the packet, *not* the source code of the client.

Thanks for clarifying that.
Re: Setting up pam_radius_auth
Mike J wrote:
> It is a PPC module. However, since I was having problems with it I decided to install the PAM module for my x86 workstation (from the Ubuntu Hardy repository). I'm getting the same results. The client/server talk to each other but the password doesn't seem to be decrypted when the auth request gets to the server.

  Then the shared secret is wrong.  The debug log shows this.  Go fix the shared secret.

> I've also double checked how I was building the PPC PAM module. I'm using the provided makefile and setting up the compiler and linker to use the proper ppc build tools. Any ideas of where I could be going wrong when compiling it?

  Endian issues.  It's buried in the source...

> By the way, this is the entry in the top of my users file on my RADIUS server:
>
> testing Cleartext-Password := password
>
> Is the Cleartext-Password option okay for authenticating PAM clients?

  Yes.  The RADIUS server looks at the contents of the packet, *not* the source code of the client.

  Alan DeKok.
Re: Setting up pam_radius_auth
On Fri, Jul 23, 2010 at 4:54 AM, Alan DeKok al...@deployingradius.com wrote:

> Mike J wrote:
>> Now obviously it says there's a problem with the secret, but I believe I've setup the secret correctly in the configs I've shown above. Does anybody have any ideas what I'm doing wrong?
>
>  Either the password is incorrect, or the MD5 calculations on the PAM or server side are broken.  If this is a PPC system, the PAM module might not have been built correctly.
>
>  You could also try installing radclient on the same system as the PAM module.  If radclient works and PAM doesn't, then the PAM module wasn't built correctly.  See the pam_radius_auth.c file for how to build it.
>
>  Alan DeKok.

Thanks Alan.

It is a PPC module. However, since I was having problems with it I decided to install the PAM module for my x86 workstation (from the Ubuntu Hardy repository). I'm getting the same results. The client/server talk to each other but the password doesn't seem to be decrypted when the auth request gets to the server. This is why I was thinking maybe I've mis-configured my test server.

I've also double checked how I was building the PPC PAM module. I'm using the provided makefile and setting up the compiler and linker to use the proper ppc build tools. Any ideas of where I could be going wrong when compiling it?

By the way, this is the entry in the top of my users file on my RADIUS server:

testing Cleartext-Password := password

Is the Cleartext-Password option okay for authenticating PAM clients?

Thanks.
Re: Setting up pam_radius_auth
Mike J wrote:
> Now obviously it says there's a problem with the secret, but I believe I've setup the secret correctly in the configs I've shown above. Does anybody have any ideas what I'm doing wrong?

  Either the password is incorrect, or the MD5 calculations on the PAM or server side are broken.  If this is a PPC system, the PAM module might not have been built correctly.

  You could also try installing radclient on the same system as the PAM module.  If radclient works and PAM doesn't, then the PAM module wasn't built correctly.  See the pam_radius_auth.c file for how to build it.

  Alan DeKok.
Setting up pam_radius_auth
Hi,

I'm trying to get the pam radius module to work. I've built a test radius server (FreeRADIUS Version 2.1.9) and I've setup a linux box with the pam radius module (1.3.17).

The server seems to be setup properly to authenticate users:

# radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 87 to 127.0.0.1 port 1812
        User-Name = testing
        User-Password = password
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=87, length=20

I have the following config on the server to correspond to my pam radius client:

clients.conf:

client testclient1 {
        ipaddr = CLIENTIP
        secret = testing123
        require_message_authenticator = no
        shortname = testc1
        nastype = other     # localhost isn't usually a NAS...
}

And on the client (using pam_radius_auth) I have the following in /etc/raddb/server:

# server[:port]    shared_secret    timeout (s)
SERVERIP           testing123       4

Now, when I try to authenticate my pam radius client, I get this in the client logs:

Jul 22 10:22:45 (none) pamtest: pam_radius_auth: Got user name testing
Jul 22 10:22:54 (none) pamtest: pam_radius_auth: Sending RADIUS request code 1
Jul 22 10:22:54 (none) pamtest: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 267885588.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: packet from RADIUS server SERVERIP fails verification: The shared secret is probably incorrect.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: All RADIUS servers failed to respond.
Jul 22 10:22:55 (none) pamtest: pam_radius_auth: authentication failed

And I get this on the radius server (running in debug mode, i.e. radiusd -X):

rad_recv: Access-Request packet from host CLIENTIP port 18580, id=32, length=72
        User-Name = testing
        User-Password = \237TqI\3335Q\231\025O\020bw\021;\362
        NAS-Identifier = other
        NAS-Port = 17555
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = testing, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry testing at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password ?TqI�5Q??O?bw?;
[pap] Using clear text password password
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password.  Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - testing
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 32 to CLIENTIP port 18580
Waking up in 4.9 seconds.
Cleaning up request 0 ID 32 with timestamp +24
Ready to process requests.

Now obviously it says there's a problem with the secret, but I believe I've setup the secret correctly in the configs I've shown above. Does anybody have any ideas what I'm doing wrong?

Thanks.
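The two log messages in this thread, the client's "fails verification: The shared secret is probably incorrect" and the server's unprintable User-Password followed by "Unprintable characters in the password", come from two MD5 computations that both ends derive from the same shared secret. The following Python is an added illustration of those two computations, written for this page; it is not code from pam_radius_auth or FreeRADIUS. The user name, password and secret mirror the values in the post, the 16-byte Request Authenticator is a constructed value, and the attribute numbers (User-Name = 1, User-Password = 2) and packet codes are the RFC 2865 ones.

```python
"""Constructed walk-through of the two MD5 computations that tie a RADIUS
client and server to one shared secret: User-Password hiding (RFC 2865
section 5.2) and the Response Authenticator (RFC 2865 section 3)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), the first block using the
    Request Authenticator. The server undoes this with its copy of the secret."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret the keystream is wrong
    and the result is the kind of byte salad seen in the radiusd -X log."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check; when it fails, pam_radius_auth logs
    'fails verification: The shared secret is probably incorrect'."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


def exchange(client_secret: bytes, server_secret: bytes, request_auth: bytes = b""):
    """One Access-Request round trip against a server that knows the user
    'testing' with password 'password' (as in the users file on the page).
    Returns (password as the server decoded it, reply code, client verified)."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, b"testing") + attribute(
        USER_PASSWORD, hide_password(b"password", client_secret, request_auth))
    request = build_packet(ACCESS_REQUEST, 32, request_auth, attrs)

    # Server: walk the attributes and decode User-Password with *its* secret.
    seen, body, pos = None, request[20:], 0
    while pos + 2 <= len(body):
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2:
            break
        if attr_type == USER_PASSWORD:
            seen = unhide_password(body[pos + 2:pos + attr_len], server_secret, request[4:20])
        pos += attr_len
    code = ACCESS_ACCEPT if seen == b"password" else ACCESS_REJECT
    reply = build_packet(code, request[1], response_authenticator(
        code, request[1], request[4:20], b"", server_secret), b"")

    # Client: check the reply with the authenticator it sent and *its* secret.
    return seen, code, verify_response(reply, request_auth, client_secret)
```

With both sides holding testing123 the server decodes "password" and the client accepts the Access-Accept; with any mismatch the server sees garbage (hence the "Unprintable characters" warning), sends a reject, and the client additionally refuses the reply because the Response Authenticator does not verify. Note that the client-side check fails in exactly the same way if the secret is right but MD5 itself is miscomputed on one side, which is why the module's message says "probably" and why Alan lists a broken MD5 build as the other possibility.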
Warning compiling pam_radius_auth on Solaris 10 x86 with gcc 3.4.3
Hello,

I'm planning on testing pam_radius_auth under Solaris 10 at a client site. I've copied below the output I get, which contains a certain amount of warnings. I do get the library .so produced, so can these warnings be ignored safely?

Thanks for any pointers/advice.

Martin

8--
$ gmake clean
$ gmake
/usr/sfw/bin/gcc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function `rad_converse':
pam_radius_auth.c:1027: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1030: warning: passing arg 2 of pointer to function from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_authenticate':
pam_radius_auth.c:1081: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1097: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
pam_radius_auth.c:1121: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1135: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1168: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_private_session':
pam_radius_auth.c:1300: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1321: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_chauthtok':
pam_radius_auth.c:1407: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1428: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1437: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1442: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
/usr/sfw/bin/gcc -Wall -fPIC -c -o md5.o md5.c
/usr/sfw/bin/gld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
$ file pam_radius_auth.so
pam_radius_auth.so: ELF 32-bit LSB dynamic lib 80386 Version 1, dynamically linked, not stripped, no debugging information available
$ uname -a
SunOS X 5.10 Generic_137138-09 i86pc i386 i86pc
$ gcc --version
gcc (GCC) 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
Copyright (C) 2004 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
$
-8--
Re: Warning compiling pam_radius_auth on Solaris 10 x86 with gcc 3.4.3
Martin Richard wrote:
> Hello,
>
> I'm planning on testing pam_radius_auth under Solaris 10 at a client site. I've copied below the output I get, which contains a certain amount of warnings. I do get the library .so produced, so can these warnings be ignored safely?

  They are warnings, not errors.  They can be ignored.

  Alan DeKok.
pam_radius_auth for big endian
I try to authenticate on sshd through pam with pam_radius_auth; my platform is based on PowerPC (big endian). After changes in the md5 file, authentication is accepted on the radius server, but my sshd side fails (I don't succeed in getting the session when I try to connect to sshd), with a log error that the password or shared secret is wrong. Any suggestions to solve this problem?

Thanks,
Maxim

2009/7/7 freeradius-users-requ...@lists.freeradius.org

> Send Freeradius-Users mailing list submissions to
>         freeradius-users@lists.freeradius.org
>
> --
>
> Message: 5
> Date: Tue, 07 Jul 2009 16:57:31 +0200
> From: Alan DeKok al...@deployingradius.com
> Subject: Re: pam_radius_auth for big endian
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Message-ID: 4a53625b.2040...@deployingradius.com
> Content-Type: text/plain; charset=UTF-8
>
> maxim maxim wrote:
>> How can I fix pam_radius_auth for a big endian platform?
>
>  The module works (or should) on big endian systems.  See md5.c for sparc/mips configuration.
>
>  Alan DeKok.
>
> --
pam_radius_auth for big endian
How can I fix pam_radius_auth for a big endian platform?

Thanks,
Max
Re: pam_radius_auth for big endian
maxim maxim wrote:
> How can I fix pam_radius_auth for a big endian platform?

  The module works (or should) on big endian systems.  See md5.c for sparc/mips configuration.

  Alan DeKok.
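The HIGHFIRST define that Mike J needed on PPC earlier on this page, and the sparc/mips configuration in md5.c that Alan points Maxim to here, both control the same thing: whether byteReverse() in Colin Plumb's MD5 implementation swaps the bytes of each 64-byte block before the transform. On a big-endian host built without HIGHFIRST that swap is compiled out, the words are consumed in native byte order, and the module computes a digest that is not MD5 at all, so no Response Authenticator from a correct server can ever verify. The following Python is an added illustration written for this page, not code from pam_radius_auth or its md5.c: a compact MD5 with a word_order switch, where "<" is the correct configuration and ">" reproduces what the misconfigured big-endian build computes. The message values are constructed.

```python
"""Constructed example: a small MD5 whose block byte order can be set wrong,
to show what a big-endian build of Plumb's md5.c without HIGHFIRST computes."""
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Per-round rotation amounts and the sine-derived constants from RFC 1321.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]


def _rotl(x: int, c: int) -> int:
    return ((x << c) | (x >> (32 - c))) & MASK


def md5_digest(message: bytes, word_order: str = "<") -> bytes:
    """MD5 of `message`.

    word_order is the struct byte-order prefix used when each 64-byte block
    is loaded as 16 words and when the final state is written out:
      "<" (little-endian) is what MD5 specifies; on a HIGHFIRST build of
          md5.c byteReverse() arranges exactly this;
      ">" mimics a big-endian host compiled *without* HIGHFIRST, where
          byteReverse() is a no-op and the native word order leaks into the hash.
    The 64-bit bit length is packed in the same order both ways because md5.c
    stores the length words as native uint32 values, so they round-trip
    correctly even in the broken configuration; only the data words are misread.
    """
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(message) * 8
    msg = message + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack(word_order + "2I", bit_len & MASK, bit_len >> 32)
    for off in range(0, len(msg), 64):
        m = struct.unpack(word_order + "16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = (b & c) | (~b & d), i
            elif i < 32:
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:
                f, g = c ^ (b | (~d & MASK)), (7 * i) % 16
            f = (f + a + K[i] + m[g]) & MASK
            a, d, c, b = d, c, b, (b + _rotl(f, S[i])) & MASK
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack(word_order + "4I", a0, b0, c0, d0)


def endian_check(message: bytes) -> dict:
    """Compare both configurations against the platform's hashlib MD5, which
    plays the role of the (correct) FreeRADIUS server in this illustration."""
    reference = hashlib.md5(message).hexdigest()
    good = md5_digest(message, "<").hex()
    broken = md5_digest(message, ">").hex()
    return {
        "reference": reference,
        "correct_build": good,
        "missing_highfirst": broken,
        "correct_matches": good == reference,
        "broken_matches": broken == reference,
    }
```

endian_check(b"abc") reports the "<" digest equal to hashlib's 900150983cd24fb0d6963f7d28e17f72 and the ">" digest different. A module built the wrong way therefore disagrees with the server on every MD5, and since both User-Password hiding and the Response Authenticator are MD5-based, the symptom is indistinguishable from a wrong shared secret until you compare the module's digest of a known input against a known-good MD5, which is the check this function performs.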
pam_radius_auth configuration options
Hi list,

I browsed quite a long time all previous threads and various material available on the web, with no success. So maybe someone can help with this...

I am using the latest available release of FreeRADIUS on my Linux server (RHEL 5.3, x86_64), with authentication against the local users file. This works like a charm so far.

Authentication is set up in this order: pam_radius_auth.so, then pam_unix.so.

Is there a way to configure the pam_radius_auth.so module so that as long as the FreeRADIUS daemon is up and running, authentications will be *only* performed against FreeRADIUS, and all other authentication methods are ignored (even if this account exists locally, not in FreeRADIUS)? Of course, if FreeRADIUS is stopped or does not respond anymore, authentication against regular Linux files would work.

I am only looking to make it work for the login process (local ttys). This is an example of my /etc/pam.d/login file:

--snip--
#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       [success=done new_authtok_reqd=done authinfo_unavail=ignore ignore=ignore default=die] pam_radius_auth.so ruser debug
auth       required     pam_unix.so use_first_pass
#auth       include      system-auth
account    required     pam_nologin.so
#account    required     pam_radius_auth.so
#account    include      system-auth
--snip--

I also tried with the localifdown keyword:

--snip--
auth       [success=done new_authtok_reqd=done ignore=ignore default=die] pam_radius_auth.so localifdown ruser debug
--snip--

without success...

Let's suppose I have a centralized account remote-admin, and FreeRADIUS is the only one to know its password. Now I have another account, local-admin, that is not declared within the /etc/raddb/users file, but only in the local /etc/passwd and /etc/shadow.

With the first example, when FreeRADIUS is up, I can log in as remote-admin, and the logs show that pam_radius_auth got clearance from radiusd. I can also log in as local-admin, no matter if radiusd is up or not (the logs show that radiusd failed to respond, but that pam_unix accepted the credentials and then granted login).

Thanks for your clues.

Regards,
Frank
Re: pam_radius_auth v1.3.17 missing a define???
Alan DeKok-2 wrote:
> David Ly wrote:
>> I've been looking into the source code of pam radius, due to authentication failure without an entry in the local /etc/passwd file,
>
>   That's the PAM value add...

Could you explain what "PAM value add" means/is?

Alan DeKok-2 wrote:
>   You haven't said which OS this is on.  There *is* more than one implementation of PAM.  And IIRC, that requirement wasn't there when the module was originally written.

I'm using Linux 2.6.27-7-generic (on ubuntu 8.10).

Alan DeKok-2 wrote:
>   Fix the Makefile to reference the correct libraries with this function.

That worked. Thanks. (The make file required some editing, because of gcc I think.)
Re: pam_radius_auth v1.3.17 missing a define???
David Ly wrote:
> I've been looking into the source code of pam radius, due to authentication failure without an entry in the local /etc/passwd file,

  That's the PAM value add...

> and i've noticed that 'PAM_SM_ACCOUNT must be #define'd prior to including security/pam_modules.h' isn't being done.

  You haven't said which OS this is on.  There *is* more than one implementation of PAM.  And IIRC, that requirement wasn't there when the module was originally written.

> Was this done on purpose? Could this possibly be a factor in my problem. I would test it out, however I am unable to build the library on my machine. A fresh downloaded make gives me
>
> Nov 21 15:20:52 wisdur sshd[21221]: PAM unable to dlopen(/lib/security/pam_radius_auth.so): /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local

  The compiler on your OS is adding extra magic to the compiled module.  Either fix that so it's just a compiler, or fix the Makefile to reference the correct libraries with this function.

  Either way, the module works on other systems.  So the module isn't broken.

> (Just a side note, Does anyone know why I get these errors when trying to build.)
>
> gcc -v --- gcc version 4.1.1

  sigh

  The messages clearly say WARNING, not ERROR.  And the compiler warnings have been extended significantly since the module was originally written.

  Alan DeKok.
pam_radius_auth v1.3.17 missing a define???
Hi,

I've been looking into the source code of pam radius, due to authentication failure without an entry in the local /etc/passwd file, and I've noticed that 'PAM_SM_ACCOUNT must be #define'd prior to including security/pam_modules.h' isn't being done.

Was this done on purpose? Could this possibly be a factor in my problem. I would test it out, however I am unable to build the library on my machine. A fresh downloaded make gives me

Nov 21 15:20:52 wisdur sshd[21221]: PAM unable to dlopen(/lib/security/pam_radius_auth.so): /lib/security/pam_radius_auth.so: undefined symbol: __stack_chk_fail_local
Nov 21 15:20:52 wisdur sshd[21221]: PAM adding faulty module: /lib/security/pam_radius_auth.so

Thanks in advance
-David Ly

(Just a side note, Does anyone know why I get these errors when trying to build.)

gcc -v --- gcc version 4.1.1

pam_radius_auth.c: In function ‘talk_radius’:
pam_radius_auth.c:887: warning: pointer targets in passing argument 6 of ‘recvfrom’ differ in signedness
pam_radius_auth.c: In function ‘pam_sm_authenticate’:
pam_radius_auth.c:1103: warning: assignment from incompatible pointer type
Re: pam_radius_auth
Megan wrote:
> Good Day,
>
> I am making an attempt to setup sudo authentication on a Centos 5.2 server to work with pam_radius_auth. I want ldap to handle my regular users (this works already) and I want my privileged users to authenticate through radius when they use sudo.
>
> I put the below in /etc/pam.d/sudo and it seems to work fine, except that I need an entry in /etc/shadow for any user who sudos. If I remove the user from /etc/shadow then I get a loop back to the radius authentication. If I remove the pam_unix.so entry for auth then I also get a loop back asking for a password when the radius server Accepted it.
>
> Any ideas?
>
> /etc/pam.d/sudo
>
> auth        required      pam_env.so
> auth        required      /lib/security/pam_radius_auth.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid = 500 quiet
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_ldap.so
> session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077

Hi Megan,

I have a similar set up, except that instead of using pam_ldap, I'm using pam_unix to authenticate users by making use of libnss-ldapd. My /etc/nsswitch.conf file looks like:

passwd: compat ldap
group:  compat ldap
shadow: compat ldap
...

And my LDAP entries contain objectClass: shadowAccount, and all the attributes that class requires.

- Dan
pam_radius_auth
Good Day,

I am making an attempt to setup sudo authentication on a Centos 5.2 server to work with pam_radius_auth. I want ldap to handle my regular users (this works already) and I want my privileged users to authenticate through radius when they use sudo.

I put the below in /etc/pam.d/sudo and it seems to work fine, except that I need an entry in /etc/shadow for any user who sudos. If I remove the user from /etc/shadow then I get a loop back to the radius authentication. If I remove the pam_unix.so entry for auth then I also get a loop back asking for a password when the radius server Accepted it.

Any ideas?

/etc/pam.d/sudo

auth        required      pam_env.so
auth        required      /lib/security/pam_radius_auth.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid = 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077

Thanks,
Megan
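Both of the PAM questions on this page, Frank's /etc/pam.d/login stack built from bracketed control fields and Megan's /etc/pam.d/sudo stack built from the required/sufficient/requisite keywords, come down to how the dispatcher combines each module's return code with its control field. The following Python is an added model written for this page; it is not code from Linux-PAM, pam_radius_auth or either poster. It implements the documented mapping of the keywords to action tables and the ok/done/bad/die/ignore actions as pam.conf(5) describes them, and it takes the two auth sections above with only their control fields. Module arguments (use_first_pass, localifdown, the pam_succeed_if condition) are not modelled: each module's result is supplied by the caller, and pam_deny is assumed to always return auth_err.

```python
"""Constructed model of how Linux-PAM walks an auth stack (ok/done/bad/die/ignore;
the jump and reset actions are not modelled). Return codes are spelled out as
strings instead of the numeric PAM_* constants."""

SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL, IGNORE, PERM_DENIED = (
    "success", "auth_err", "authinfo_unavail", "ignore", "perm_denied")

# The classic keywords are shorthand for these bracketed action tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# Modules whose result is fixed in this model; everything else defaults to success
# unless the caller supplies a result (assumption for the illustration).
BUILTIN_RESULTS = {"pam_deny": AUTH_ERR}


def parse_control(control: str) -> dict:
    """'required' or '[success=done default=die]' -> {return code: action}."""
    if control in KEYWORDS:
        return dict(KEYWORDS[control])
    return dict(item.split("=", 1) for item in control.strip("[]").split())


def run_auth_stack(stack, results):
    """stack: list of (module name, control field); results: module -> return code.
    Returns (code the application sees, list of modules that were actually called)."""
    impression = None        # None: undefined, True: positive, False: negative
    status = PERM_DENIED
    called = []
    for module, control in stack:
        called.append(module)
        retval = results.get(module, BUILTIN_RESULTS.get(module, SUCCESS))
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            # A result only becomes the stack status while no failure is recorded.
            if impression is None or (impression and status == SUCCESS):
                if retval != IGNORE or impression is None:
                    impression, status = True, retval
            # 'done' short-circuits only when the stack is still positive.
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            # The first failure fixes the stack's final status.
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
    return (PERM_DENIED if impression is None else status), called


# Control fields of Frank's /etc/pam.d/login auth section.
LOGIN_AUTH = [
    ("pam_securetty", "[user_unknown=ignore success=ok ignore=ignore default=bad]"),
    ("pam_radius_auth", "[success=done new_authtok_reqd=done authinfo_unavail=ignore "
                        "ignore=ignore default=die]"),
    ("pam_unix", "required"),
]

# Control fields of Megan's /etc/pam.d/sudo auth section.
SUDO_AUTH = [
    ("pam_env", "required"),
    ("pam_radius_auth", "required"),
    ("pam_unix", "sufficient"),
    ("pam_succeed_if", "requisite"),
    ("pam_deny", "required"),
]
```

Running the login stack shows the intended behaviour of its control fields: a RADIUS success returns immediately without consulting pam_unix, authinfo_unavail (server down) falls through to pam_unix, and a RADIUS auth_err dies on the spot. Running the sudo stack shows two properties of the keyword forms: once the required pam_radius_auth has failed, a later sufficient pam_unix success cannot rescue the stack, and when pam_radius_auth succeeds but pam_unix fails, the sufficient entry is simply ignored and evaluation continues down to pam_deny, so the stack as a whole fails.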
Assistance with Compiling pam_radius_auth Please.
Greetings list,

This host is running CentOS 4.3. uname -r output 2.6.9-67.0.4.plus.c4smp. I have tried looking for an already compiled module for PAM on centos without success; my google-foo is weak apparently. I downloaded the tar file straight from freeradius.org. When I unpacked and tried using make (as root) in the folder I get the following output. I am not much of a programmer so this error looks very confusing to me. Any help would be greatly appreciated.

[EMAIL PROTECTED] pam_radius-1.3.17]# make
cc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c:63:34: security/pam_modules.h: No such file or directory
pam_radius_auth.c:156: error: syntax error before '*' token
pam_radius_auth.c: In function `_int_free':
pam_radius_auth.c:158: error: `x' undeclared (first use in this function)
pam_radius_auth.c:158: error: (Each undeclared identifier is reported only once
pam_radius_auth.c:158: error: for each function it appears in.)
pam_radius_auth.c: In function `host2server':
pam_radius_auth.c:270: error: `PAM_AUTHINFO_UNAVAIL' undeclared (first use in this function)
pam_radius_auth.c:312: error: `PAM_SUCCESS' undeclared (first use in this function)
pam_radius_auth.c: In function `initialize':
pam_radius_auth.c:600: error: `PAM_ABORT' undeclared (first use in this function)
pam_radius_auth.c:659: error: `PAM_AUTHINFO_UNAVAIL' undeclared (first use in this function)
pam_radius_auth.c:691: error: `PAM_SUCCESS' undeclared (first use in this function)
pam_radius_auth.c: In function `talk_radius':
pam_radius_auth.c:798: error: `PAM_SUCCESS' undeclared (first use in this function)
pam_radius_auth.c:995: error: `PAM_IGNORE' undeclared (first use in this function)
pam_radius_auth.c:997: error: `PAM_AUTHINFO_UNAVAIL' undeclared (first use in this function)
pam_radius_auth.c: At top level:
pam_radius_auth.c:1014: error: syntax error before '*' token
pam_radius_auth.c: In function `rad_converse':
pam_radius_auth.c:1017: error: storage size of 'resp_msg' isn't known
pam_radius_auth.c:1022: error: `msg_style' undeclared (first use in this function)
pam_radius_auth.c:1023: error: `message' undeclared (first use in this function)
pam_radius_auth.c:1027: warning: implicit declaration of function `pam_get_item'
pam_radius_auth.c:1027: error: `pamh' undeclared (first use in this function)
pam_radius_auth.c:1027: error: `PAM_CONV' undeclared (first use in this function)
pam_radius_auth.c:1028: error: `PAM_SUCCESS' undeclared (first use in this function)
pam_radius_auth.c:1030: error: dereferencing pointer to incomplete type
pam_radius_auth.c:1030: error: dereferencing pointer to incomplete type
pam_radius_auth.c:1033: error: `password' undeclared (first use in this function)
pam_radius_auth.c:1042: error: dereferencing pointer to incomplete type
pam_radius_auth.c:1017: warning: unused variable `resp_msg'
pam_radius_auth.c: At top level:
pam_radius_auth.c:1061: error: syntax error before int
pam_radius_auth.c:1062: error: syntax error before '*' token
pam_radius_auth.c: In function `pam_sm_authenticate':
pam_radius_auth.c:1070: error: `PAM_AUTH_ERR' undeclared (first use in this function)
pam_radius_auth.c:1078: error: `argc' undeclared (first use in this function)
pam_radius_auth.c:1078: error: `argv' undeclared (first use in this function)
pam_radius_auth.c:1081: warning: implicit declaration of function `pam_get_user'
pam_radius_auth.c:1081: error: `pamh' undeclared (first use in this function)
pam_radius_auth.c:1082: error: `PAM_SUCCESS' undeclared (first use in this function)
pam_radius_auth.c:1082: warning: implicit declaration of function `pam_set_data'
pam_radius_auth.c:1088: error: `PAM_USER_UNKNOWN' undeclared (first use in this function)
pam_radius_auth.c:1097: error: `PAM_RUSER' undeclared (first use in this function)
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
pam_radius_auth.c:1121: error: `PAM_SERVICE' undeclared (first use in this function)
pam_radius_auth.c:1135: error: `PAM_AUTHTOK' undeclared (first use in this function)
pam_radius_auth.c:1152: error: `PAM_PROMPT_ECHO_OFF' undeclared (first use in this function)
pam_radius_auth.c:1168: error: `PAM_RHOST' undeclared (first use in this function)
pam_radius_auth.c:1199: error: `PAM_AUTHINFO_UNAVAIL' undeclared (first use in this function)
pam_radius_auth.c:1216: error: `PAM_PROMPT_ECHO_ON' undeclared (first use in this function)
pam_radius_auth.c:1241: warning: implicit declaration of function `pam_set_item'
pam_radius_auth.c: At top level:
pam_radius_auth.c:1268: error: syntax error before int
pam_radius_auth.c:1269: error: syntax error before '*' token
pam_radius_auth.c: In function `pam_sm_setcred':
pam_radius_auth.c:1273: error: `PAM_SUCCESS' undeclared (first use in this function)
pam_radius_auth.c:1275: warning: implicit declaration of function `pam_get_data'
pam_radius_auth.c:1275: error: `pamh'
Re: Assistance with Compiling pam_radius_auth Please.
chase pettet wrote:
> This host is running CentOS 4.3. uname -r output 2.6.9-67.0.4.plus.c4smp. I have tried looking for an already compiled module for PAM on CentOS without success, my google-foo is weak apparently. I downloaded the tar file straight from freeradius.org. When I unpacked and tried using make (as root) in the folder I get the following output. I am not much of a programmer so this error looks very confusing to me. Any help would be greatly appreciated.
> ...
> pam_radius_auth.c:63:34: security/pam_modules.h: No such file or directory

You need the pam development package installed. See your distribution documentation for details.

Alan DeKok.
Re: Calling-Station-Id in pam_radius_auth
Hi,

> > Is there a way to tell pam_radius_auth to send a value in Calling-Station-Id?
>
> Source code edits.

I might do that, but...

> > Is there a way at all to send variables to PAM at all, to be used for setting Calling-Station-Id within pam_radius_auth?
>
> Source code edits.

... that would be *PAM* source code edits? Yuck. It's not that important.

Thanks anyway,

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu   Fax: +352 422473
Re: Calling-Station-Id in pam_radius_auth
Stefan Winter wrote:
> > Source code edits.
>
> ... that would be *PAM* source code edits? Yuck. It's not that important.

No.. The pam_radius_auth code could be updated.

Alan DeKok.
Calling-Station-Id in pam_radius_auth
Hi,

a somewhat sophisticated problem: in a mail server, we'd like to record the IP address of the client that triggered the IMAP authentication request. The IMAP server uses PAM, specifically pam_radius_auth.

Is there a way to tell pam_radius_auth to send a value in Calling-Station-Id? Is there a way at all to send variables to PAM at all, to be used for setting Calling-Station-Id within pam_radius_auth?

We could also live with getting the value into PAM and then setting it into client_id= if Calling-Station-Id is not possible; string mangling on the server side would do nicely. Something like [EMAIL PROTECTED] as an option to pam_radius_auth?

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Ingenieur Forschung Entwicklung
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu   Fax: +352 422473
Re: Calling-Station-Id in pam_radius_auth
Stefan Winter wrote:
> Is there a way to tell pam_radius_auth to send a value in Calling-Station-Id?

Source code edits.

> Is there a way at all to send variables to PAM at all, to be used for setting Calling-Station-Id within pam_radius_auth?

Source code edits.

Alan DeKok.
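The thread above stops at "source code edits" without showing what such an edit needs to do. As an added example that is not pam_radius_auth's own code: the client address that OpenSSH stores in the PAM_RHOST item (the "setting PAM_RHOST to 192.168.99.111" debug line further down this page) is exactly the value Calling-Station-Id would carry, and the C functions below encode and decode it as RFC 2865 attribute 31 with the length and character checks a module should apply before putting a caller-supplied string on the wire. The function names, buffer layout and sample address are this example's own; the pam_get_item(pamh, PAM_RHOST, ...) call that fetches the value is left out so the example builds without libpam, and whether an IMAP server sets PAM_RHOST at all is an assumption.

```c
/* Added example, not pam_radius_auth code: encode the client address held
 * in PAM's PAM_RHOST item as a RADIUS Calling-Station-Id attribute
 * (type 31, RFC 2865 section 5.31).  A module would obtain rhost with
 *     pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
 * that call is omitted here so the example builds without libpam. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAD_ATTR_CALLING_STATION_ID 31
#define RAD_ATTR_VALUE_MAX 253  /* length octet counts type+length+value, max 255 */

/* The value is copied verbatim onto the wire and later into server logs,
 * so refuse anything but printable ASCII. */
static int rhost_is_printable(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Append Calling-Station-Id = rhost at buf[*len].  Returns 1 on success.
 * Returns 0 and leaves buf/len untouched when rhost is NULL, empty, too
 * long, not printable, or would overflow cap, so the caller can still send
 * the request without the attribute. */
int rad_add_calling_station_id(uint8_t *buf, size_t cap, size_t *len,
                               const char *rhost) {
    size_t n;
    if (rhost == NULL) return 0;
    n = strlen(rhost);
    if (n == 0 || n > RAD_ATTR_VALUE_MAX) return 0;
    if (!rhost_is_printable(rhost, n)) return 0;
    if (*len > cap || cap - *len < 2 + n) return 0;
    buf[*len] = RAD_ATTR_CALLING_STATION_ID;
    buf[*len + 1] = (uint8_t)(2 + n);
    memcpy(buf + *len + 2, rhost, n);
    *len += 2 + n;
    return 1;
}

/* Walk the attribute area of a request and copy the Calling-Station-Id
 * value into out (NUL-terminated).  Returns the value length, or -1 if the
 * attribute is absent, does not fit in out, or the list is malformed. */
int rad_get_calling_station_id(const uint8_t *attrs, size_t len,
                               char *out, size_t outlen) {
    size_t pos = 0;
    while (pos + 2 <= len) {
        uint8_t type = attrs[pos], alen = attrs[pos + 1];
        if (alen < 2 || pos + alen > len) return -1;  /* malformed TLV */
        if (type == RAD_ATTR_CALLING_STATION_ID) {
            size_t vlen = alen - 2;
            if (vlen + 1 > outlen) return -1;
            memcpy(out, attrs + pos + 2, vlen);
            out[vlen] = '\0';
            return (int)vlen;
        }
        pos += alen;
    }
    return -1;
}

int main(void) {
    /* Constructed sample: the address OpenSSH reported on this page as the
     * PAM_RHOST it set for the session. */
    const char *rhost = "192.168.99.111";
    uint8_t attrs[64];
    size_t len = 0;
    char back[256];
    int n;

    if (!rad_add_calling_station_id(attrs, sizeof attrs, &len, rhost)) {
        puts("Calling-Station-Id not added");
        return 1;
    }
    printf("attribute bytes:");
    for (size_t i = 0; i < len; i++) printf(" %02x", attrs[i]);
    n = rad_get_calling_station_id(attrs, len, back, sizeof back);
    printf("\ndecoded: %s (%d bytes)\n", n >= 0 ? back : "?", n);
    return 0;
}
```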
RE: OpenSSH, PAM and pam_radius_auth
Hi Alan,

> So fix DNS so that it has a name to IP mapping for that host. Or, add that name to IP mapping into /etc/hosts. The module can't do anything if you tell it to use radius1 as a RADIUS server, and then don't tell it where radius1 is on the network.

We have an entry in the /etc/hosts file for the radius1 server, but the pam_auth module is having issues in reading it. You have seen the error: even if we give the IP address, it tries to resolve it to an IP again.

> Alan DeKok.

CAUTION - Disclaimer: This e-mail contains PRIVILEGED AND CONFIDENTIAL INFORMATION intended solely for the use of the addressee(s). If you are not the intended recipient, please notify the sender by e-mail and delete the original message. Further, you are not to copy, disclose, or distribute this e-mail or its contents to any other person and any such actions are unlawful. This e-mail may contain viruses. Infosys has taken every reasonable precaution to minimize this risk, but is not liable for any damage you may sustain as a result of any virus in this e-mail. You should carry out your own virus checks before opening the e-mail or attachment. Infosys reserves the right to monitor and review the content of all messages sent to or from this e-mail address. Messages sent to or from this e-mail address may be stored on the Infosys e-mail system. ***INFOSYS End of Disclaimer INFOSYS***
OpenSSH, PAM and pam_radius_auth
I'm trying to get RADIUS authentication to work on one of our systems, but keep running into problems. For some reason it seems that the account system does not allow the user to login, and once the user has been authenticated, it drops the connection by not allowing sshd to establish credentials for the user.

It seems that OpenSSH first tries to authenticate the user with an empty password (""), because if I set an empty password both in the local /etc/passwd, and on the RADIUS server, sshd is able to establish credentials for the user. Note that even with a non-empty password the authentication works, the daemon gets an OK from the radius server. There's a user with that given name in /etc/passwd.

Any ideas about what could be wrong here? Here's the debug output from OpenSSH:

    debug1: userauth-request for user orbit-admin service ssh-connection method none
    debug1: attempt 0 failures 0
    debug1: PAM: initializing for orbit-admin
    debug1: PAM: setting PAM_RHOST to 192.168.99.111
    debug1: PAM: setting PAM_TTY to ssh
    debug1: userauth_send_banner: sent
    debug1: PAM: password authentication failed for orbit-admin: Authentication failure
    Failed none for orbit-admin from 192.168.99.111 port 39102 ssh2
    debug1: userauth-request for user orbit-admin service ssh-connection method keyboard-interactive
    debug1: attempt 1 failures 1
    debug1: keyboard-interactive devs
    debug1: auth2_challenge: user=orbit-admin devs=
    debug1: kbdint_alloc: devices 'pam'
    debug1: auth2_challenge_start: trying authentication method 'pam'
    Postponed keyboard-interactive for orbit-admin from 192.168.99.111 port 39102 ssh2
    debug1: do_pam_account: called
    debug1: PAM: num PAM env strings 0
    Postponed keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2
    debug1: do_pam_account: called
    Accepted keyboard-interactive/pam for orbit-admin from 192.168.99.111 port 39102 ssh2
    debug1: Entering interactive session for SSH2.
    debug1: server_init_dispatch_20
    debug1: server_input_channel_open: ctype session rchan 0 win 65536 max 16384
    debug1: input_session_request
    debug1: channel 0: new [server-session]
    debug1: session_new: init
    debug1: session_new: session 0
    debug1: session_open: channel 0
    debug1: session_open: session 0: link with channel 0
    debug1: server_input_channel_open: confirm session
    debug1: server_input_channel_req: channel 0 request pty-req reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req pty-req
    debug1: Allocating pty.
    debug1: session_pty_req: session 0 alloc /dev/ttyp1
    debug1: server_input_channel_req: channel 0 request env reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req env
    debug1: server_input_channel_req: channel 0 request shell reply 0
    debug1: session_by_channel: session 0 channel 0
    debug1: session_input_channel_req: session 0 req shell
    debug1: PAM: setting PAM_TTY to /dev/ttyp1
    debug1: PAM: establishing credentials
    PAM: pam_setcred(): Authentication service cannot retrieve user credentials
    debug1: do_cleanup
    debug1: PAM: cleanup
    debug1: session_pty_cleanup: session 0 release /dev/ttyp1

My system-auth file:

    auth       sufficient   pam_radius_auth.so debug
    auth       sufficient   pam_unix.so likeauth nullok debug
    auth       required     pam_deny.so
    account    required     pam_unix.so
    password   sufficient   pam_unix.so nullok use_authtok md5
    password   required     pam_deny.so
    session    required     pam_unix.so

Versions: pam_radius-1.3.17, openssh-4.5p1
Re: OpenSSH, PAM and pam_radius_auth
[EMAIL PROTECTED] wrote:
> You have posted a question to the freeradius list and included a debug from - OpenSSH??? Don't you think that freeradius debug would be more helpful?

As I stated, authentication in respect to RADIUS works just fine, therefore there's no need for the debug output from pam_radius_auth. I post to the freeradius list because the pam_radius_auth PAM module is part of the FreeRADIUS project, and there's a great chance that people on that list have used pam_radius_auth in the past.

If you have any other questions related to where and why I post things, please take it in a private mail.

~j
Re: OpenSSH, PAM and pam_radius_auth
You have posted a question to the freeradius list and included a debug from - OpenSSH??? Don't you think that freeradius debug would be more helpful?

Ivan Kalik
Kalik Informatika ISP

On 8/1/2008, Johan Rydberg [EMAIL PROTECTED] wrote:
> I'm trying to get RADIUS authentication to work on one of our systems, but keep running into problems. For some reason it seems that the account system does not allow the user to login, and once the user has been authenticated, it drops the connection by not allowing sshd to establish credentials for the user.
> ...
> Versions: pam_radius-1.3.17 openssh-4.5p1
RE: OpenSSH, PAM and pam_radius_auth
Hi Johan,

It's good to hear that you reached a level where RADIUS is working fine. But we are unable to break the jinx, and I am getting the following error when trying to telnet to the box. The installation and configuration of the pam radius module went fine. Could you please help in this regard.

Error we are getting:

    Jan 8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server radius1 (errcode=12)
    Jan 8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
    Jan 8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: All RADIUS servers failed to respond.

I don't see any other debug messages apart from the above in /var/adm/messages.

Thank you
Regards
Sobanbabu Bakthavathsalu

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Johan Rydberg [EMAIL PROTECTED]
Sent: 08 January 2008 12:43
To: freeradius-users@lists.freeradius.org; [EMAIL PROTECTED]
Subject: OpenSSH, PAM and pam_radius_auth

> I'm trying to get RADIUS authentication to work on one of our systems, but keep running into problems. For some reason it seems that the account system does not allow the user to login, and once the user has been authenticated, it drops the connection by not allowing sshd to establish credentials for the user.
> ...
> Versions: pam_radius-1.3.17 openssh-4.5p1
Re: OpenSSH, PAM and pam_radius_auth
Johan Rydberg wrote:
> It seems that OpenSSH first tries to authenticate the user with an empty password (""), because if I set an empty password both in the local /etc/passwd, and on the RADIUS server, sshd is able to establish credentials for the user.

PAM does weird things. OpenSSH does weird things. See bugs.freeradius.org. There are a number of issues relating to the PAM module, including patches that may help here. I recall something related to try_first_pass.

I haven't spent much time looking at PAM recently. All I recall from using it a few years ago is that I spent a LOT of time fighting with it, and had great difficulty trying to make it do anything. The complete and total lack of debugging information helped, too.

> PAM: pam_setcred(): Authentication service cannot retrieve user credentials

That likely means that the user doesn't have a UID/GID/etc in /etc/passwd. The PAM RADIUS module doesn't set UID or GID. I tried to see if it was possible, and was told:

a) No, it wasn't possible
b) Yes, it was possible, and it was documented
c) Yes, it was possible, but only the PAM authors knew how to make it work

Getting conflicting answers from the same set of people made me unsubscribe from the PAM list. :(

Alan DeKok.
Re: OpenSSH, PAM and pam_radius_auth
Sobanbabu Bakthavathsalu wrote:
> Hi Johan, It's good to hear that you reached a level where RADIUS is working fine. But we are unable to break the jinx, and I am getting the following error when trying to telnet to the box. The installation and configuration of the pam radius module went fine. Could you please help in this regard.
>
> Error we are getting:
> Jan 8 13:57:27 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server radius1 (errcode=12)

So fix DNS so that it has a name to IP mapping for that host. Or, add that name to IP mapping into /etc/hosts. The module can't do anything if you tell it to use radius1 as a RADIUS server, and then don't tell it where radius1 is on the network.

Alan DeKok.
Re: pam_radius_auth updated spec file, please include in future releases
Florin Andrei wrote:
> I attached an updated spec file for pam_radius_auth. The original one fails when building as non-root. I fixed that and made a few other minor changes.

The install stage SHOULD set the permissions correctly.

> It would be nice if the build system could generate this spec file from a template, automatically replace the version number inside the spec with the actual version of the pam_radius_auth tarball, and include the automatically generated spec in the tarball.

Or, just update the spec file when a new version is released.

Alan DeKok.
RE: PAM_RADIUS_AUTH - Need help
Hi Alan,

Any thought gone on this? Why is the plugin unable to resolve the IP address of the RADIUS server, or trying to resolve an IP to an IP? Is that something related to compilation?

Regards
Soban

From: Sobanbabu Bakthavathsalu
Sent: 02 November 2007 11:59
To: FreeRadius users mailing list
Subject: RE: PAM_RADIUS_AUTH

> Is this compatible with Solaris 10?
>
> First time I tried with IP address only, and got the following error.
>
>     Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
>     Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)
>
> It was trying to resolve the IP address for an address again. Later I made a host entry and tried, and then changed the config to the name again. And I am getting the same error.
>
> Regards
> Soban

From: Sobanbabu Bakthavathsalu
Sent: 31 October 2007 10:46
To: FreeRadius users mailing list
Subject: RE: PAM_RADIUS_AUTH

> Hi Alan,
>
> First time I tried with IP address only, and got the following error.
> ...
> Regards
> Soban

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Alan DeKok [EMAIL PROTECTED]
Sent: 30 October 2007 17:28
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

> Sobanbabu Bakthavathsalu wrote:
> > Thank you for the response. There is no firewall in between the RADIUS server and Solaris server (RADIUS client), only a Cisco router with standard ACL. I have verified the ACL matches counter and found that the request from the client itself is not reaching the router. Is it that host entries in the /etc/hosts file won't work for this; do I need a DNS server for RADIUS server name authentication to work with pam_radius_auth?
>
> No. You *can* enter just an IP address...
>
> Alan DeKok.
Re: PAM_RADIUS_AUTH - Need help
Sobanbabu Bakthavathsalu wrote:
> Hi Alan, Any thought gone on this? Why is the plugin unable to resolve the IP address of the RADIUS server, or trying to resolve an IP to an IP?

It's not. It's trying to resolve its own IP address. Make sure DNS works, or edit the code to remove all references to gethostbyname().

> Is that something related to compilation?

No.

Alan DeKok.
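An added diagnostic, not part of pam_radius_auth, that separates the lookups this thread conflates: a server entry in the server[:port] form of pam_radius_auth.conf is accepted as an address literal when it parses and only otherwise resolved, while the host's own name (gethostname) is resolved as a separate step, which is the lookup Alan says is actually failing. It runs each lookup on its own and reports which one breaks; the function names and the constructed server entries are this example's own, and it uses getaddrinfo rather than the module's gethostbyname.

```c
/* Added diagnostic, not pam_radius_auth code: run the lookups the module
 * depends on one at a time so the failing one is visible.  Uses
 * getaddrinfo(); the module itself (per this thread) uses gethostbyname(). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define DIAG_BAD_ENTRY (-1000)  /* this example's own code: entry unusable */

/* 1 if s is a dotted IPv4 literal, which needs no lookup at all. */
int is_ipv4_literal(const char *s) {
    struct in_addr a;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Resolve name to its first IPv4 address (dotted form in ip).  Returns 0 on
 * success, otherwise the getaddrinfo() code, printable with gai_strerror(). */
int resolve_ipv4(const char *name, char *ip, size_t iplen) {
    struct addrinfo hints, *res;
    int rc;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_DGRAM;  /* RADIUS runs over UDP */
    rc = getaddrinfo(name, NULL, &hints, &res);
    if (rc != 0) return rc;
    inet_ntop(AF_INET, &((struct sockaddr_in *)res->ai_addr)->sin_addr,
              ip, (socklen_t)iplen);
    freeaddrinfo(res);
    return 0;
}

/* Check one server entry in the server[:port] form of pam_radius_auth.conf.
 * The port suffix is dropped, a literal address is accepted without any
 * lookup, and only a name is resolved.  Returns 0 on success,
 * DIAG_BAD_ENTRY for an empty or oversized host, else a getaddrinfo code. */
int check_server_entry(const char *entry, char *ip, size_t iplen) {
    char host[256];
    const char *colon = strchr(entry, ':');
    size_t n = colon ? (size_t)(colon - entry) : strlen(entry);
    if (n == 0 || n >= sizeof host) return DIAG_BAD_ENTRY;
    memcpy(host, entry, n);
    host[n] = '\0';
    if (is_ipv4_literal(host)) {
        snprintf(ip, iplen, "%s", host);
        return 0;
    }
    return resolve_ipv4(host, ip, iplen);
}

/* The lookup this thread says actually fails: the client's own hostname,
 * which must resolve even when every server entry is a literal address. */
int check_own_hostname(char *ip, size_t iplen) {
    char host[256];
    if (gethostname(host, sizeof host) != 0) return DIAG_BAD_ENTRY;
    host[sizeof host - 1] = '\0';
    return resolve_ipv4(host, ip, iplen);
}

static void report(const char *what, int rc, const char *ip) {
    if (rc == 0) printf("%-24s ok -> %s\n", what, ip);
    else if (rc == DIAG_BAD_ENTRY) printf("%-24s unusable entry\n", what);
    else printf("%-24s FAILED: %s\n", what, gai_strerror(rc));
}

int main(void) {
    /* Constructed entries in the form the thread's configuration used. */
    const char *entries[] = { "10.213.31.186:1812", "radius1" };
    char ip[INET_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        report(entries[i], check_server_entry(entries[i], ip, sizeof ip), ip);
    report("own hostname", check_own_hostname(ip, sizeof ip), ip);
    return 0;
}
```

On the Solaris box from this thread, a literal entry reporting ok while "own hostname" fails is the pattern Alan describes, and the fix is then a hosts or DNS entry for the client itself rather than for the server.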
RE: PAM_RADIUS_AUTH
Is this compatible with Solaris 10?

First time I tried with IP address only, and got the following error.

    Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
    Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)

It was trying to resolve the IP address for an address again. Later I made a host entry and tried, and then changed the config to the name again. And I am getting the same error.

Regards
Soban

From: Sobanbabu Bakthavathsalu
Sent: 31 October 2007 10:46
To: FreeRadius users mailing list
Subject: RE: PAM_RADIUS_AUTH

> Hi Alan,
>
> First time I tried with IP address only, and got the following error.
> ...
> Regards
> Soban

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Alan DeKok [EMAIL PROTECTED]
Sent: 30 October 2007 17:28
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

> Sobanbabu Bakthavathsalu wrote:
> > Thank you for the response. There is no firewall in between the RADIUS server and Solaris server (RADIUS client), only a Cisco router with standard ACL. I have verified the ACL matches counter and found that the request from the client itself is not reaching the router. Is it that host entries in the /etc/hosts file won't work for this; do I need a DNS server for RADIUS server name authentication to work with pam_radius_auth?
>
> No. You *can* enter just an IP address...
>
> Alan DeKok.
RE: PAM_RADIUS_AUTH
Hi Alan,

First time I tried with IP address only, and got the following error.

    Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
    Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth: Failed looking up IP address for RADIUS server 10.213.69.133 (errcode=12)

It was trying to resolve the IP address for an address again. Later I made a host entry and tried, and then changed the config to the name again. And I am getting the same error.

Regards
Soban

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Alan DeKok [EMAIL PROTECTED]
Sent: 30 October 2007 17:28
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

> Sobanbabu Bakthavathsalu wrote:
> > Thank you for the response. There is no firewall in between the RADIUS server and Solaris server (RADIUS client), only a Cisco router with standard ACL. I have verified the ACL matches counter and found that the request from the client itself is not reaching the router. Is it that host entries in the /etc/hosts file won't work for this; do I need a DNS server for RADIUS server name authentication to work with pam_radius_auth?
>
> No. You *can* enter just an IP address...
>
> Alan DeKok.
PAM_RADIUS_AUTH
Hi,

I am trying to install PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS for user authentication. I have managed to successfully compile and install the pam plugin. When I tried to telnet to the machine from a different server I am getting the following error.

    Failed looking up IP address for RADIUS server radius1 (errcode=12)

I have made a host entry for this server name in the /etc/hosts file and am able to ping the RADIUS server by name. But still it's not working. Could you please help on resolving this.

Regards
Soban
Re: PAM_RADIUS_AUTH
On 10/30/07, Sobanbabu Bakthavathsalu [EMAIL PROTECTED] wrote:
> Hi
>
> I am trying to install the PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS for user authentication. I have managed to successfully compile and install the pam plugin. When I tried to telnet to the machine from a different server I am getting the following error.
>
> Failed looking up IP address for RADIUS server radius1 (errcode=12)
>
> I have made a host entry for this server name in /etc/hosts file and am able to ping the RADIUS server with name. But still it's not working. Could you please help on resolving this.

Lots of times this is a firewall issue where the port opening is set for TCP and not UDP. Check that. Check that both are using port 1812, if that is what you are using. Have you edited your telnet pam entry? I'm not familiar with Solaris, but that is what I would check. More info would be helpful too.

HTH,
Nick

--
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
RE: PAM_RADIUS_AUTH
Hi Nick,

Thank you for the response. There is no firewall in between the RADIUS server and Solaris server (RADIUS client), only a Cisco router with standard ACL. I have verified the ACL matches counter and found that the request from the client itself is not reaching the router. Is it that host entries in /etc/hosts file won't work for this, do I need a DNS server for RADIUS server name authentication to work with pam_radius_auth? The server in question is not configured for any DNS server for name resolution, it uses the hosts file only.

Hope this provides more information.

Regards
Soban

From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Nick Owen [EMAIL PROTECTED]
Sent: 30 October 2007 15:37
To: FreeRadius users mailing list
Subject: Re: PAM_RADIUS_AUTH

> On 10/30/07, Sobanbabu Bakthavathsalu [EMAIL PROTECTED] wrote:
>> Hi
>>
>> I am trying to install the PAM_RADIUS_AUTH on a Solaris 10 server to use RADIUS for user authentication. I have managed to successfully compile and install the pam plugin. When I tried to telnet to the machine from a different server I am getting the following error.
>>
>> Failed looking up IP address for RADIUS server radius1 (errcode=12)
>>
>> I have made a host entry for this server name in /etc/hosts file and am able to ping the RADIUS server with name. But still it's not working. Could you please help on resolving this.
>
> Lots of times this is a firewall issue where the port opening is set for TCP and not UDP. Check that. Check that both are using port 1812, if that is what you are using. Have you edited your telnet pam entry? I'm not familiar with Solaris, but that is what I would check. More info would be helpful too.
>
> HTH,
> Nick
>
> --
> Nick Owen
> WiKID Systems, Inc.
> 404.962.8983
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
pam_radius_auth updated spec file, please include in future releases
I attached an updated spec file for pam_radius_auth. The original one fails when building as non-root. I fixed that and made a few other minor changes.

It would be nice if the build system could generate this spec file from a template, automatically replace the version number inside the spec with the actual version of the pam_radius_auth tarball, and include the automatically generated spec in the tarball. That way, users could generate RPM packages out of the tarball by simply downloading the archive and running:

rpmbuild -ta pam_radius...(version number here)...tar.gz

Thanks,

--
Florin Andrei
http://florin.myip.org/
Re: pam_radius_auth updated spec file, please include in future releases
Florin Andrei wrote:
> I attached an updated spec file for pam_radius_auth.

No, I didn't. _Now_ I did. :-/

--
Florin Andrei
http://florin.myip.org/

%define name pam_radius_auth
%define shortname pam_radius
%define version 1.3.17
%define release 0

Name: %{name}
Summary: PAM Module for RADIUS Authentication
Version: %{version}
Release: %{release}
Source: ftp://ftp.freeradius.org/pub/radius/%{shortname}-%{version}.tar.gz
URL: http://www.freeradius.org/pam_radius_auth/
Group: System Environment/Libraries
BuildRoot: %{_tmppath}/%{name}-buildroot
License: BSD-like or GNU GPL
Requires: pam

%description
This is the PAM to RADIUS authentication module. It allows any PAM-capable machine to become a RADIUS client for authentication and accounting requests. You will need a RADIUS server to perform the actual authentication.

%prep
%setup -q -n %{shortname}-%{version}

%build
make

%install
mkdir -p %{buildroot}/lib/security
cp -p pam_radius_auth.so %{buildroot}/lib/security
mkdir -p %{buildroot}/etc/raddb
[ -f %{buildroot}/etc/raddb/server ] || cp -p pam_radius_auth.conf %{buildroot}/etc/raddb/server
#chown root %{buildroot}/etc/raddb/server
#chgrp root %{buildroot}/etc/raddb/server
chmod 0600 %{buildroot}/etc/raddb/server

%clean
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "$RPM_BUILD_ROOT"

%postun
rmdir /etc/raddb || true

%files
%defattr(-,root,root,0755)
%doc README INSTALL USAGE Changelog
%config /etc/raddb/server
/lib/security/pam_radius_auth.so

%changelog
* Tue Oct 30 2007 Florin Andrei [EMAIL PROTECTED] 1.3.17-0
- build fixes

* Mon Jun 03 2002 Richie Laager [EMAIL PROTECTED] 1.3.15-0
- Initial RPM Version
Re: PAM_RADIUS_AUTH
Sobanbabu Bakthavathsalu wrote:
> Thank you for the response. There is no firewall in between the RADIUS server and Solaris server (RADIUS client), only a Cisco router with standard ACL. I have verified the ACL matches counter and found that the request from the client itself is not reaching the router. Is it that host entries in /etc/hosts file won't work for this, do I need a DNS server for RADIUS server name authentication to work with pam_radius_auth?

No. You *can* enter just an IP address...

Alan DeKok.
Re: Pam_radius_Auth - Problem
Markus,

Did you get any replies to your post from the 18th about pam_radius_auth not working, as I am having exactly the same issue.

What I have found out is that the pam_radius_auth module is fine, except when the user is not in the password file. At this point it would seem that something is not getting initialised correctly, which results in the call to conv->conv, which should prompt you for the password and then return it in resp->resp, constantly coming back with ^H ^\177INCORRECT. As this translates to the value you saw in your password field, I have to suspect that something is broken within PAM and requires the modules to work around this if the user is not in the password file.

The problem I am having is working out how to work around the problem, so I am interested as to whether you got a reply to your post.

Thanks
Geoff
Pam_radius_Auth - Problem
Hi all,

I have a problem with the pam_radius_auth module, maybe someone can help me.

The situation: I am running freeradius 1.1.6 and installed the pam_radius_auth module. In the file /etc/pam.d/sshd I inserted the line

Auth required pam_radius_auth.so

like it is described in the docu of freeradius.org. And in the file /etc/raddb/server I inserted the shared secret.

If I connect to the ssh-server with a username which exists in the ssh-server's system-db, the login process works fine, but if I want to login per ssh with a user that only the radius-server knows and not the system-db of the ssh-server, the login fails with this error:

Jun 18 14:32:52 kiwi15 sshd[31606]: Invalid user testuser from 146.254.188.65
Jun 18 14:32:52 kiwi15 sshd[31607]: input_userauth_request: invalid user testuser
Jun 18 14:32:57 kiwi15 sshd[31606]: pam_radius_auth: Got user name testuser
Jun 18 14:32:57 kiwi15 sshd[31606]: pam_radius_auth: Sending RADIUS request code 1
== /var/log/secure ==
Jun 18 14:32:59 kiwi15 sshd[31606]: pam_radius_auth: Got RADIUS response code 3
Jun 18 14:32:59 kiwi15 sshd[31606]: pam_radius_auth: authentication failed
Jun 18 14:32:59 kiwi15 sshd[31606]: Failed password for invalid user testuser from 146.254.188.65 port 3666 ssh2

Radius daemon says:

rad_recv: Access-Request packet from host 127.0.0.1:32631, id=218, length=99
        User-Name = testuser
        User-Password = \010\n\rINCORRECT          -- this is very strong :-/
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = sshd
        NAS-Port = 31606
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = testkiste
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 24
. . .
modcall: leaving group authorize (returns ok) for request 24
rad_check_password: Found Auth-Type PAP
auth: type PAP
Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 24
rlm_pap: login attempt with password ? INCORRECT
rlm_pap: Using clear text password testpwd.
rlm_pap: Passwords don't match
modcall[authenticate]: module pap returns reject for request 24
modcall: leaving group PAP (returns reject) for request 24
auth: Failed to validate the user.
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
Delaying request 24 for 1 seconds
Finished request 24
Going to the next request

Shared secret is ok, I checked it twice...

I think the sshd refuses users which are not in the passwd-file and sends this confusing password attribute to the pam_radius module, but why?

Thanks for your help
Markus
Re: pam_radius_auth
Dan Delaney wrote:
> Does anyone know how to change the service type that pam_radius_auth passes to the server?

Source code modifications.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
RE: pam_radius_auth
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, March 21, 2007 2:46 AM
To: FreeRadius users mailing list
Subject: Re: pam_radius_auth

> Dan Delaney wrote:
>> Does anyone know how to change the service type that pam_radius_auth passes to the server?
>
> Source code modifications.

Do you know what files and lines I need to change in the pam_radius source? I am fairly new to this pam.d and radius stuff.

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
pam_radius_auth
Looking for some help on configuring pam_radius_auth with linux for pop3 and imap services. Anyone have any clues?

I currently have my /etc/pam.d/pop3 and imap files showing:

auth    sufficient /lib/security/pam_radius_auth.so try_first_pass
account sufficient /lib/security/pam_radius_auth.so try_first_pass

When I authtest -s pop3 user1 password1 it will pass (this is a management account). However if I authtest -s pop3 user2 password2, it fails authentication saying the passwords did not match (when I know they did). What's even stranger is that when I pass user2 with no password, it passes authentication...

I am not using freeradius that I know of (the radius server is on an OpenVMS machine) and this linux box is just a client.

Any help would be appreciated.

Thank you
Dan Delaney
pam_radius_auth
Does anyone know how to change the service type that pam_radius_auth passes to the server? Currently, it is sending an interactive login, but I need to change it to a network login. This is using pam.d on a FC6 system.

Thank you
Dan Delaney
Accounting with pam_radius_auth
Hello,

I found in the archive that pam_radius questions can be asked here, so here is mine:

I am using pam_radius_auth to authenticate and do some accounting against a freeradius+ldaps server (which works perfectly). Everything (authorization, authentication and accounting) works perfectly except accounting in some cases.

Configuration uses pam_radius_auth 1.3.16. Here is an example pam config file (/etc/pam.d/su):

-- cut --
auth       sufficient /lib/security/$ISA/pam_rootok.so
auth       required   /lib/security/$ISA/pam_env.so
auth       sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth       sufficient /lib/security/pam_radius_auth.so try_first_pass debug
auth       required   /lib/security/$ISA/pam_deny.so
account    sufficient /lib/security/pam_radius_auth.so debug
account    sufficient /lib/security/$ISA/pam_unix.so
account    sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account    required   /lib/security/$ISA/pam_permit.so
password   requisite  /lib/security/$ISA/pam_cracklib.so retry=3
password   sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   required   /lib/security/$ISA/pam_deny.so
#session   required   /lib/security/$ISA/pam_selinux.so close
#session   required   /lib/security/$ISA/pam_limits.so
session    sufficient /lib/security/pam_radius_auth.so debug
session    sufficient /lib/security/$ISA/pam_unix.so
#session   sufficient /lib/security/$ISA/pam_selinux.so open multiple
#session   optional   /lib/security/$ISA/pam_xauth.so
-- cut --

In fact the main problem is that if I su to an unprivileged user, no accounting packet is sent and the output displays:

su: pam_radius_auth: Could not open configuration file /etc/raddb/server: Permission denied

If I su to the root user, then the accounting packet is correctly sent. I suppose that the session part of pam runs as the unprivileged user and it can't open /etc/raddb/server, which is protected as advised in the documentation. I tried with and without the commented lines in the session parts without success.

Is this a common problem (I found nothing in the archive) or do I have a mistake in the pam configuration?

Regards,
Christophe.
Re: Accounting with pam_radius_auth
Christophe Boyanique wrote:
> In fact the main problem is that if I su to an unprivileged user, no accounting packet is sent and the output displays:
>
> su: pam_radius_auth: Could not open configuration file /etc/raddb/server: Permission denied

Yes. That file has to be readable by the user. This is a limitation of PAM, I think, where the pam_radius_auth module is run as the user.

> I suppose that the session part of pam runs as the unprivileged user and it can't open /etc/raddb/server, which is protected as advised in the documentation.

Yes.

> Is this a common problem (I found nothing in the archive) or do I have a mistake in the pam configuration?

It's a problem. A solution (a bad one) is to chmod a+r the files.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Accounting with pam_radius_auth
Alan DeKok wrote:
> Yes. That file has to be readable by the user. This is a limitation of PAM, I think, where the pam_radius_auth module is run as the user.

This is what I thought but I wanted to have a confirmation about that to be sure.

> It's a problem. A solution (a bad one) is to chmod a+r the files.

Ok, I will deal with that. Thanks for your confirmation.

Christophe.
Problem with pam_radius_auth
Hi,

I'm testing Freeradius in order to authenticate squid users through the PAM module. My architecture is:

SQUID SERVER -> PAM_AUTH_RADIUS -> FREERADIUS -> SQL DB

All works fine but frequently in /var/log/messages I see this message:

Safesquid: pam_radius_auth: radius server 212.80.192.120 failed to response
Safesquid: pam_radius_auth: All radius servers failed to response

What can I check to solve this problem?

Thanks,
Maury76
Re: Problem with pam_radius_auth
Maurizio Pederneschi wrote:
> Hi,
>
> I'm testing Freeradius in order to authenticate squid users through the PAM module. My architecture is:
>
> SQUID SERVER -> PAM_AUTH_RADIUS -> FREERADIUS -> SQL DB
>
> All works fine but frequently in /var/log/messages I see this message:
>
> Safesquid: pam_radius_auth: radius server 212.80.192.120 failed to response
> Safesquid: pam_radius_auth: All radius servers failed to response
>
> What can I check to solve this problem?
>
> Thanks,
> Maury76

Hum... start by posting the radius log (also try running radius -X -A and see if that gives you any clue) and maybe what version of radius and which OS you are using ;) and which version of squid server you are using ;)

Regards,
Johann B.
help w/ pam_radius_auth
Hello,

I am new to the list and a newbie on RADIUS. My problem is not directly related to using freeradius, but rather accessing a RADIUS server via the pam_radius_auth module. Since this module seems to be supported/maintained under freeradius, I hope to get some help from the list members.

I have a (cistron-based, running on an Ubuntu box) RADIUS server configured w/ IP address 192.168.200.1. Under the users file, there is a default entry to authenticate users against the system /etc/passwd file. Under the clients file, there is an entry for IP address 192.168.200.10 w/ a shared secret somesecret. There is a user gakkor w/ password dummy in the /etc/passwd file in the box that the server resides on. I am running the server in debug mode:

/usr/sbin/radiusd -sfxxyz -l stdout

I have a client machine, running a Linux based system. If I use the test client radtest w/

# radtest gakkor dummy 192.168.200.1 101 somesecret

everything works fine. I get the following debug output from the server:

radrecv: Packet from host 192.168.200.10 code=1, id=219, length=58
        User-Name = gakkor
        User-Password = \326)\312g\tEL\351\033\031\271\234vmE\206
        NAS-IP-Address = 192.168.200.10
        NAS-Port = 101
users: Matched DEFAULT at line 136
auth: System
Sending Ack of id 219 to 192.168.200.10
Login OK: [gakkor/dummy] (from nas nas1/S101)

Now, instead of radtest, I want to use an application called authmanager which makes a call to the pam_sm_authenticate method of the pam_radius_auth module, with the same username/password. The server file under /etc/raddb (on the client side) has an entry

192.168.200.1 somesecret

So, the shared secrets are the same both for the client and server. The /etc/pam.conf file has an entry

authmanager auth required /usr/lib/pam_radius_auth.so skip_passwd

However, I see that the password sent to the server becomes garbled and authentication fails. Here is the output from the server in this scenario:

radrecv: Packet from host 192.168.200.10 code=1, id=94, length=79
        User-Name = gakkor
        User-Password = b\364f\330\214\250\271\274\G\2258\371\217\\\330
        NAS-IP-Address = 192.168.200.10
        NAS-Identifier = authmanager
        NAS-Port = 229
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
users: Matched DEFAULT at line 136
auth: System
Sending Reject of id 94 to 192.168.200.10
Login incorrect: [gakkor/];:/[EMAIL PROTECTED] (from nas nas1/S229)

Notice that the debug output has unprintable characters for the password... The syslog message on the client side says:

pam_radius_auth: packet from RADIUS server 192.168.200.1 fails verification: The shared secret is probably incorrect.

This seems like a problem with the MD5 hashing or byte order. The client and server are both little-endian. And as far as I can tell from the PAM module code, the default case is also little-endian as far as the byte order is concerned.

Any suggestions as to where I might be going wrong?

Thanks in advance,

Gun Akkor
Staff Scientist, Patton Electronics, Co.
Gaithersburg, MD
gakkor AT patton DOT com
Autoreply: help w/ pam_radius_auth
I am currently out of the office. For urgent requests please contact 800 919299 or send an e-mail to [EMAIL PROTECTED] or to [EMAIL PROTECTED].

Kind regards
Giuseppe Parlato
Area Network
mailto:[EMAIL PROTECTED]
Re: pam_radius_auth issue
> Mircea Harapu wrote:
>>>> I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap
>>>> The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module.
>>>
>>> Huh? pam_radius_auth sends the password to FreeRADIUS in the clear, because that's what it does. FreeRADIUS sends this to LDAP because LDAP doesn't understand anything else.
>>
>> sending passwords in clear in a network is not secure. pam_radius_auth does have md5 crypting capabilities. that's why you need to set radius key.
>
> PAP sends the following radius request:
>
> User-Name = Someuser
> User-Password = somepassword
>
> HOWEVER, the User-Password field in a radius packet is defined by RFC to be encrypted with the radius shared secret.

The pam_radius_auth is sending User-Password without being encrypted. I have set the same shared secret in /etc/raddb/server and clients.conf

> At the radius server, the password field is decrypted and processed in plaintext inside the radius server. This is at least as secure as sending a plaintext password over the wire.
>
>>> And there is NO configuration in the LDAP module to send the password in crypted form. I think you're mistaking the configuration that *reads* the password from LDAP for something else.
>>
>> auto_header = yes that means that it checks for encryption types. I think Alan, as the main FreeRadius developer, is probably aware of that feature.
>
> He is aware that it does NOT do what you claim. auto_header is responsible for detecting the {type} header when the userPassword attribute is *read from* the LDAP server. The {type} field is stripped, and used to put the following value into the correct radius config attribute e.g.
>
> * {clear} -> User-Password
> * {crypt} -> Crypt-Password
> * {ssha} -> SSHA-Password
>
> ...and so on. *Then* the radius server processes a PAP request like so:
>
> 1. request comes in
>    User-Name = foo
>    User-Password = encrypted_with_radius_secret(bar)
> 2. authorize section is run
> 2a. ldap module is run -> userPassword: {crypt}baAP5K9PT1lcc
> 2b. auto_header puts Crypt-Password = baAP5K9PT1lcc into config items
> 3. authenticate is run -> Auth-Type = Local
> 3b. The radius server sees that Crypt-Password is set and does:
>     if (crypt(User-Password, 'ba')=='baAP5K9PT1lcc') auth_ok;
>
> I hope that is clear. Your original mail stated:
>
>> I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap
>> The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module.
>
> As Alan tried to explain to you, pam_auth_radius is doing nothing wrong. What is undoubtedly happening is that you have the radius server configured incorrectly. I suspect you want it to do this:
>
> 1. request comes in
> 2. fetch password from ldap
> 3. compare crypted password from LDAP with password supplied
>
> I suspect what it's actually doing is:
>
> 1. request comes in
> 2. ldap searched for user -> found
> 3. password is checked by doing LDAP simple bind
>
> If you want the first, configure the radius server to do that. Hint: see the set_auth_type = no option on recent versions of the server, or have the users file read:
>
> DEFAULT Auth-Type := Local
>
> Or, be more clear about what the problem is. "It doesn't work how I think it should" does not help, especially when you are wrong in your assumptions.
Re: pam_radius_auth issue
Mircea Harapu wrote:
>> PAP sends the following radius request:
>>
>> User-Name = Someuser
>> User-Password = somepassword
>>
>> HOWEVER, the User-Password field in a radius packet is defined by RFC to be encrypted with the radius shared secret.
>
> The pam_radius_auth is sending User-Password without being encrypted. I have set the same shared secret in /etc/raddb/server and clients.conf

I believe you are incorrect. Have you looked at the actual packets on the wire with a sniffer? Remember, when FreeRadius displays the packet, it has already decrypted it, so of course you will see it in the clear in the FR debug output and logs.
Re: pam_radius_auth issue
Mircea Harapu [EMAIL PROTECTED] wrote:
> The pam_radius_auth is sending User-Password without being encrypted.

If you know more about RADIUS than the people on this list, I'm curious why you're asking questions about it.

Alan DeKok.
Re: pam_radius_auth issue
>> I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap
>> The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module.
>
> Huh? pam_radius_auth sends the password to FreeRADIUS in the clear, because that's what it does. FreeRADIUS sends this to LDAP because LDAP doesn't understand anything else.

sending passwords in clear in a network is not secure. pam_radius_auth does have md5 crypting capabilities. that's why you need to set radius key.

> And there is NO configuration in the LDAP module to send the password in crypted form. I think you're mistaking the configuration that *reads* the password from LDAP for something else.

auto_header = yes that means that it checks for encryption types. right now my passwords in LDAP are stored crypted. for cisco equipments works perfect.

> And in any case, you haven't said why it's a problem. LDAP gets a clear-text password. So? That's how everyone else uses LDAP. Why is this wrong for you? What problems does it cause?

Using passwords in clear is a lack of security and I don't believe that everyone is doing that!

> Alan DeKok.
Re: pam_radius_auth issue
Mircea Harapu wrote:
>>> I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap
>>> The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module.
>>
>> Huh? pam_radius_auth sends the password to FreeRADIUS in the clear, because that's what it does. FreeRADIUS sends this to LDAP because LDAP doesn't understand anything else.
>
> sending passwords in clear in a network is not secure. pam_radius_auth does have md5 crypting capabilities. that's why you need to set radius key.

PAP sends the following radius request:

User-Name = Someuser
User-Password = somepassword

HOWEVER, the User-Password field in a radius packet is defined by RFC to be encrypted with the radius shared secret. At the radius server, the password field is decrypted and processed in plaintext inside the radius server. This is at least as secure as sending a plaintext password over the wire.

>> And there is NO configuration in the LDAP module to send the password in crypted form. I think you're mistaking the configuration that *reads* the password from LDAP for something else.
>
> auto_header = yes that means that it checks for encryption types. I think Alan, as the main FreeRadius developer, is probably aware of that feature.

He is aware that it does NOT do what you claim. auto_header is responsible for detecting the {type} header when the userPassword attribute is *read from* the LDAP server. The {type} field is stripped, and used to put the following value into the correct radius config attribute e.g.

* {clear} -> User-Password
* {crypt} -> Crypt-Password
* {ssha} -> SSHA-Password

...and so on. *Then* the radius server processes a PAP request like so:

1. request comes in
   User-Name = foo
   User-Password = encrypted_with_radius_secret(bar)
2. authorize section is run
2a. ldap module is run -> userPassword: {crypt}baAP5K9PT1lcc
2b. auto_header puts Crypt-Password = baAP5K9PT1lcc into config items
3. authenticate is run -> Auth-Type = Local
3b. The radius server sees that Crypt-Password is set and does:
    if (crypt(User-Password, 'ba')=='baAP5K9PT1lcc') auth_ok;

I hope that is clear. Your original mail stated:

> I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap
> The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module.

As Alan tried to explain to you, pam_auth_radius is doing nothing wrong. What is undoubtedly happening is that you have the radius server configured incorrectly. I suspect you want it to do this:

1. request comes in
2. fetch password from ldap
3. compare crypted password from LDAP with password supplied

I suspect what it's actually doing is:

1. request comes in
2. ldap searched for user -> found
3. password is checked by doing LDAP simple bind

If you want the first, configure the radius server to do that. Hint: see the set_auth_type = no option on recent versions of the server, or have the users file read:

DEFAULT Auth-Type := Local

Or, be more clear about what the problem is. "It doesn't work how I think it should" does not help, especially when you are wrong in your assumptions.
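The two points argued in this thread, that User-Password is hidden with the shared secret on the wire (Phil's "encrypted_with_radius_secret(bar)") and that the client checks each reply's Response Authenticator against that secret (Gun Akkor's "fails verification: The shared secret is probably incorrect" earlier on this page), as an added example that is not code from pam_radius_auth or FreeRADIUS. It implements the RFC 2865 password hiding and response verification on a constructed Access-Request/Access-Accept pair, using the user name, password and secret from the thread as sample values; the packet helpers are assumptions of this example, not the module's API.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2   # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block); the first block uses the
    Request Authenticator. This is what the client does before sending."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block          # chaining: the next pad depends on this ciphertext block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as the server does it before its debug output
    prints the password. With a different secret (or an MD5 that computes the
    wrong digest, as with the md5.c byte-order define discussed on this page)
    this yields unprintable garbage rather than the clear text."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")   # drop the zero padding; passwords carry no NUL


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(payload: bytes) -> dict:
    """Minimal type/length/value walk over the attribute area of a packet."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[attr_type] = payload[i + 2:i + length]
        i += length
    return attrs


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         ident: int, request_auth: bytes) -> bytes:
    attrs = _attr(USER_NAME, username) + \
        _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def build_response(code: int, ident: int, request_auth: bytes, secret: bytes,
                   attrs: bytes = b"") -> bytes:
    """RFC 2865 section 3: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The client-side check whose failure pam_radius_auth reports as
    'fails verification: The shared secret is probably incorrect'."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def server_view(request: bytes, secret: bytes) -> dict:
    """What a server holding `secret` recovers from the request: the user name
    and the unhidden password, plus whether that password is printable."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    return {"user": attrs[USER_NAME], "password": password,
            "printable": all(32 <= b < 127 for b in password)}


if __name__ == "__main__":
    # Constructed sample values; a real client draws request_auth at random.
    secret, request_auth = b"somesecret", bytes(range(16))
    req = build_access_request(b"gakkor", b"dummy", secret, 94, request_auth)
    print("User-Password on the wire:", parse_attrs(req[20:])[USER_PASSWORD].hex())
    print("server with the right secret:", server_view(req, secret))
    print("server with a wrong secret:  ", server_view(req, b"other"))
    reply = build_response(ACCESS_ACCEPT, 94, request_auth, secret)
    print("client verifies reply, right secret:", verify_response(reply, request_auth, secret))
    print("client verifies reply, wrong secret:", verify_response(reply, request_auth, b"other"))
```

A packet sniffer sees only the hidden bytes; the clear text in the FreeRADIUS debug output exists only after the server has run the unhiding step with its copy of the secret.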
Re: pam_radius_auth issue
Phil Mayers [EMAIL PROTECTED] wrote:
>> I think Alan, as the main FreeRadius developer, is probably aware of that feature.
>
> He is aware that it does NOT do what you claim.

I'm always amazed at the people who patiently explain to me why I'm wrong, and why their confused ideas about the server I wrote are correct.

I would dearly love to know what's going on in there...

Alan DeKok.
pam_radius_auth issue
Hello,

I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap. The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module.

Using:
pam_radius-1.3.16-68
FreeRADIUS Version 1.0.4

---
Mircea Harapu
Abuse Engineer
Bucharest NOC
RCS RDS SA
[EMAIL PROTECTED]
Re: pam_radius_auth issue
Mircea Harapu [EMAIL PROTECTED] wrote:
> I'm trying to make a ssh authentication with pam_radius_auth + freeradius + ldap
> The problem is that radius is sending the password to ldap in clear and not crypted with CRYPT as configured in ldap module.

Huh? pam_radius_auth sends the password to FreeRADIUS in the clear, because that's what it does. FreeRADIUS sends this to LDAP because LDAP doesn't understand anything else.

And there is NO configuration in the LDAP module to send the password in crypted form. I think you're mistaking the configuration that *reads* the password from LDAP for something else.

And in any case, you haven't said why it's a problem. LDAP gets a clear-text password. So? That's how everyone else uses LDAP. Why is this wrong for you? What problems does it cause?

Alan DeKok.
pam_radius_auth token user
This question appears in various forums time and time again though I've yet to discover a solution for it under linux. It *must* be a common issue. The need exists to map users who are successfully authenticated via pam_radius_auth and who do not have a local account to a default 'token user'. FreeBSD's radius/pam module has a simple and obvious 'template_user' directive that suits this precise purpose well. Linux pam_radius_auth lacks this feature. Deploying centralized authentication only to require that all other user info be manually configured on each and every device anyway doesn't make any sense. Nor should it involve a full-blown and often unwieldy NIS (or similar) infrastructure to function. Surely I'm overlooking something.
pam_radius_auth
The pam_radius_auth README says "It allows ... password change requests." But the USAGE file says "Password changing is not implemented." That sounds contradictory.
Re: Adding a realm to username with pam_radius_auth
Alan DeKok wrote: Walter Goulet [EMAIL PROTECTED] wrote: Quick question regarding pam_radius_auth. Since you have to have a local account on the client machine using pam_radius_auth to authenticate ssh sessions, how would you go about adding a realm to the username portion of the authentication request? Edit the source code to the PAM module, and re-compile. Can I specify this with the client-id option in the pam_radius_auth configuration file? No. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I took a stab at adding support for specifying a realm as an additional option to the pam module configuration. You can specify the realm that will be appended to all outgoing RADIUS access requests in the application specific pam config files in /etc/pam.d. auth sufficient pam_radius_auth.so debug realm=test.com I tested this configuration by using openbsd's port of the radius-cistron 1.6.7 server as my RADIUS proxy server and freeradius 1.0.5 as the radius authenticator that owns the realm. Seems to work ok; I took a peek at the RADIUS dialog via Ethereal and the access request is routed correctly to the freeradius server. I haven't really programmed in C in a while, so please forgive any silly errors I may have made in the code. Also note that I used svn locally to keep track of my work, so my revision 1 corresponds to 1.3.16 downloaded from the freeradius site. Patch text follows. Thanks, Walter Index: pam_radius_auth.c === --- pam_radius_auth.c (revision 1) +++ pam_radius_auth.c (revision 6) @@ -25,6 +25,7 @@ * no options. Patch from Jon Nelson [EMAIL PROTECTED] * 1.3.14 - Don't use PATH_MAX, so it builds on GNU Hurd. * 1.3.15 - Implement retry option, miscellanous bug fixes. + * * * This program is free software; you can redistribute it and/or modify 
@@ -83,12 +84,12 @@ va_start(args, format); vsprintf(buffer, format, args); -/* don't do openlog or closelog, but put our name in to be friendly */ +// don't do openlog or closelog, but put our name in to be friendly syslog(err, %s: %s, pam_module_name, buffer); va_end(args); +printf(Debug Err: %s: %s,pam_module_name,buffer); } -/* argument parsing */ static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf) { int ctrl=0; @@ -131,6 +132,8 @@ } else { conf-client_id = (char *) *argv+10; /* point to the client-id */ } +} else if (!strncmp(*argv, realm=, 6)) { + conf-client_realm = (char *) *argv+6; /* point to the client-realm */ } else if (!strcmp(*argv, accounting_bug)) { conf-accounting_bug = TRUE; @@ -1050,6 +1053,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST char **argv) { + char *user_and_realm; CONST char *user; char *password = NULL; CONST char *rhost; @@ -1063,10 +1067,13 @@ AUTH_HDR *response = (AUTH_HDR *) recv_buffer; radius_conf_t config; int tries; + int realm_specified = 0; ctrl = _pam_parse(argc, argv, config); tries = ((ctrl PAM_RETRY) 4) + 1; + realm_specified = strlen(config.client_realm); + /* grab the user name */ retval = pam_get_user(pamh, user, NULL); PAM_FAIL_CHECK; @@ -1084,6 +1091,16 @@ DPRINT(LOG_DEBUG, Got user name %s, user); + if(realm_specified) + { + user_and_realm = malloc(strlen(user) + MAXPWNAM); /* making maxlen of realm value MAXPWNAM seems + reasonable. */ + memset(user_and_realm, 0, strlen(user_and_realm)); + strncat(user_and_realm,user,strlen(user)); + strncat(user_and_realm,@,1); + strncat(user_and_realm,config.client_realm,strlen(config.client_realm)); + } + /* * Get the IP address of the authentication server * Then, open a socket, and bind it to a port 
@@ -1133,7 +1150,14 @@ } } /* end of password == NULL */ - build_radius_packet(request, user, password, config); + if(realm_specified) + { + build_radius_packet(request, user_and_realm, password, config); + } + else + { + build_radius_packet(request, user_and_realm, password, config); + } /* not all servers understand this service type, but some do */ add_int_attribute(request, PW_USER_SERVICE_TYPE, PW_AUTHENTICATE_ONLY); @@ -1183,7 +1207,14 @@ retval = rad_converse(pamh, PAM_PROMPT_ECHO_ON, challenge, resp2challenge); /* now that we've got a response, build a new radius packet */ -build_radius_packet(request, user, resp2challenge, config); +if(realm_specified) +{ +build_radius_packet(request, user_and_realm, resp2challenge, config); +} +else +{ +build_radius_packet(request, user, resp2challenge, config); +} /* request-code is already PW_AUTHENTICATION_REQUEST */ request-id++; /* one up from
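Review bot: the changelog hunk at @@ -25,6 +25,7 @@ only adds an empty ` * ` comment line; add an entry in the style of the `1.3.15` line that names the new `realm=` option and says it appends `@realm` to the user name in outgoing Access-Requests, and document the option in USAGE as well.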
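Review bot: the `_pam_log` hunk at @@ -83,12 +84,12 @@ adds `printf(Debug Err: %s: %s, pam_module_name, buffer);` and switches a `/* */` comment to `//` style, neither of which belongs to the realm feature. A PAM module runs inside the calling application (sshd here), so a printf lands on that process's stdout; the syslog call already records the message, so drop the printf, keep the original comment style so the file stays plain C, and restore the `/* argument parsing */` comment the hunk deletes.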
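Review bot: the `realm=` parsing hunk at @@ -131,6 +132,8 @@ stores a pointer in `conf->client_realm`, but the patch does not show that field being added to `radius_conf_t` or being initialized when the option is absent; unless `_pam_parse` zeroes the struct, the later `strlen(config.client_realm)` runs on an uninitialized pointer. Set `conf->client_realm` to `NULL` (or an empty string) at the top of `_pam_parse`, next to the other defaults, so an absent option is well defined.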
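Review bot: at @@ -1050,6 +1053,7 @@ `char *user_and_realm;` is declared without an initializer and is never freed anywhere in the patch; initialize it to `NULL` and free it on every exit path of `pam_sm_authenticate`, otherwise each authentication with a realm leaks the buffer inside a long-lived process such as sshd.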
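Review bot: `realm_specified = strlen(config.client_realm);` at @@ -1063,10 +1067,13 @@ dereferences `client_realm` unconditionally, so a NULL value when no `realm=` was given crashes the module; guard it, e.g. `realm_specified = (config.client_realm != NULL && config.client_realm[0] != '\0');`.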
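Review bot: the buffer construction at @@ -1084,6 +1091,16 @@ has two defects. `memset(user_and_realm, 0, strlen(user_and_realm));` measures freshly malloc'd, uninitialized memory, which is undefined behaviour and may clear nothing, so the first `strncat` can append to garbage; and the allocation of `strlen(user) + MAXPWNAM` bytes does not bound the realm, so a `realm=` value longer than MAXPWNAM minus the `@` and terminator overflows the heap buffer. Size the buffer from the actual inputs and check the allocation, e.g. `size_t len = strlen(user) + 1 + strlen(config.client_realm) + 1;` followed by `user_and_realm = malloc(len); if (!user_and_realm) return PAM_BUF_ERR;` and `snprintf(user_and_realm, len, "%s@%s", user, config.client_realm);`.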
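Review bot: in the hunk at @@ -1133,7 +1150,14 @@ both branches pass `user_and_realm` to `build_radius_packet`, so when no realm is configured the first request is built from an uninitialized pointer; the `else` branch must pass `user`, as the challenge-response hunk further down already does.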
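Review bot: the challenge-response hunk at @@ -1183,7 +1207,14 @@ repeats the same `if (realm_specified)` / `else` around `build_radius_packet`; choosing the name once after the realm is built, e.g. `CONST char *auth_user = realm_specified ? user_and_realm : user;`, and passing `auth_user` to both `build_radius_packet` calls removes the duplication and makes a wrong-argument slip in one branch impossible.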
Adding a realm to username with pam_radius_auth
Hi, Quick question regarding pam_radius_auth. Since you have to have a local account on the client machine using pam_radius_auth to authenticate ssh sessions, how would you go about adding a realm to the username portion of the authentication request? Reason I'm asking is because I'd like to use pam_radius_auth on a client machine that talks to an AAA proxy server. The proxy server needs to use the realm name to figure out which AAA server to route the request to. Can I specify this with the client-id option in the pam_radius_auth configuration file? Thanks, Walter
Re: Adding a realm to username with pam_radius_auth
Walter Goulet [EMAIL PROTECTED] wrote: Quick question regarding pam_radius_auth. Since you have to have a local account on the client machine using pam_radius_auth to authenticate ssh sessions, how would you go about adding a realm to the username portion of the authentication request? Edit the source code to the PAM module, and re-compile. Can I specify this with the client-id option in the pam_radius_auth configuration file? No. Alan DeKok.
Sun SSH and pam_radius_auth
Has anyone seen an issue with Sun SSH and pam_radius_auth where it sends a RADIUS Access-Request packet apparently during ssh-connection method none? Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: userauth-request for user red service ssh-connection method none Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: attempt 0 failures 0 Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: Starting up PAM with username red Nov 10 23:30:06 aaa01 sshd[8702]: [ID 730685 auth.debug] PAM[8702]: pam_start(sshd,red,b6930:cfdc8) - debug = 1 Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:service) Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:user) Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:conv) Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:tty) Nov 10 23:30:06 aaa01 sshd[8702]: [ID 800047 auth.debug] debug1: userauth_banner: sent Nov 10 23:30:06 aaa01 sshd[8702]: [ID 434390 auth.debug] PAM[8702]: pam_set_item(cfdc8:conv) Nov 10 23:30:06 aaa01 sshd[8702]: [ID 635154 auth.debug] PAM[8702]: pam_authenticate(cfdc8, 1) Nov 10 23:30:06 aaa01 sshd[8702]: [ID 232006 auth.debug] PAM[8702]: load_modules(cfdc8, pam_sm_authenticate)=/usr/lib/security/pam_radius_auth.so.1 Nov 10 23:30:06 aaa01 sshd[8702]: [ID 971319 auth.debug] PAM[8702]: load_function: successful load of pam_sm_authenticate Nov 10 23:30:06 aaa01 sshd[8702]: [ID 232006 auth.debug] PAM[8702]: load_modules(cfdc8, pam_sm_authenticate)=/usr/lib/security/pam_unix.so.1 Nov 10 23:30:06 aaa01 sshd[8702]: [ID 971319 auth.debug] PAM[8702]: load_function: successful load of pam_sm_authenticate Nov 10 23:30:06 aaa01 sshd[8702]: [ID 338151 auth.debug] PAM[8702]: pam_get_user(cfdc8, cfdc8, NULL) Nov 10 23:30:06 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: Got user name red Nov 10 23:30:06 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: Sending RADIUS request code 1 Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.error] pam_radius_auth: RADIUS server 172.24.43.230 failed to respond Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.error] pam_radius_auth: All RADIUS servers failed to respond. Nov 10 23:30:11 aaa01 sshd[8702]: [ID 801593 auth.debug] pam_radius_auth: authentication failed
Re: pam_radius_auth threading issues
On 10/3/05, Alan DeKok [EMAIL PROTECTED] wrote: Rich Graves [EMAIL PROTECTED] wrote: This setup regularly fails under any sort of concurrency. Threading issues seem one likely reason. pam_radius_auth.c hasn't been touched in a while and hasn't had the same attention to thread safety as ... The PAM modules really aren't intended to be called more than once. The simplest solution is to put a mutex in the module. I know (just barely) enough to agree with that, but want more hints as to the granularity -- do I need to lock all of pam_sm_authenticate, or just talk_radius? Ideally, it would be nice to have a mutex per server and start the all available servers loop with pthread_mutex_trylock(), and keep track of which servers I haven't visited due to contention, but that gets hairy. [time passes] Ick. Well, with only a single conf-sockfd, there really is no choice but to put one big lock around the whole thing. If there was a different udp socket for each server in /etc/raddb/server, then I could have at least some parallelism, but that would require a lot of restructuring. Once I've done that work I might as well figure out how to make conf-sockfd private to each pthread. I was surprised not to find this issue in the archives, though I admit it is a little twisted to have a multithreaded LDAP server authenticate to Radius and not the other way around.
Re: pam_radius_auth threading issues
Rich Graves [EMAIL PROTECTED] wrote: I know (just barely) enough to agree with that, but want more hints as to the granularity -- do I need to lock all of pam_sm_authenticate, or just talk_radius? I would lock each PAM function. Ick. Well, with only a single conf-sockfd, there really is no choice but to put one big lock around the whole thing. If there was a different udp socket for each server in /etc/raddb/server, then I could have at least some parallelism, but that would require a lot of restructuring. Once I've done that work I might as well figure out how to make conf-sockfd private to each pthread. If we can get the radius library code from FreeRADIUS into shape, we can fix those issues in the pam module by using library code. Alan DeKok.
pam_radius_auth threading issues
I've inherited a setup with authentication information on a local freeradius 1.0.5 server and OpenLDAP (with pthreads) configured to authenticate to SASL (v1 interface), which in turn uses PAM, which in turn is configured to check passwords with pam_radius_auth 1.3.16. All of this is on Linux RHEL3. This setup regularly fails under any sort of concurrency. Threading issues seem one likely reason. pam_radius_auth.c hasn't been touched in a while and hasn't had the same attention to thread safety as the core freeradius code. Has anyone else been down the road of cleaning up the calls to gethostbyname, variable scoping, etc? I know enough to recognize the problem, but don't really trust myself to fix it. Obvious workarounds for me include switching from SASL1/PAM to SASL2 and saslauthd; de-threading OpenLDAP (ick); or migrating the authoritative password store out of Radius entirely. But all of these have performance or operational issues here. I'd really like to get pam_radius_auth working as my predecessors (wrongly) thought it would.