(RADIATOR) CHAP with AuthbyPAM Question
Forbes Mike
Mike.Forbes at Colorado.EDU
Tue Oct 29 20:21:26 CST 2002
We are using auth by pam to access krb5. So it needs to associate an
unencrypted password to the username to query the krb server for a ticket.
Should that work, and if not, what are my options?
Mike
On Wed, 30 Oct 2002, Hugh Irvine wrote:
>
> Hello Mike -
>
> It depends on what format the stored passwords are that PAM is referring
> to.
>
> If the passwords are encrypted, you cannot use CHAP.
>
> regards
>
> Hugh
>
>
> On Wednesday, October 30, 2002, at 07:45 AM, Forbes Mike wrote:
>
> >
> > I am testing chap authentication with Radiator. Currently I do the
> > following:
> >
> > <Handler Realm=Backbone_Devices,Framed-Protocol=PPP>
> >     RewriteUsername s/^([^@]+).*/$1/
> >     <AuthBy GROUP>
> >         <AuthBy PAM>
> >             Fork
> >             Service radiusd
> >         </AuthBy>
> >     </AuthBy>
> >     AuthLog DSL_PPP_Login_Failures
> >     # Log accounting to a detail file
> >     AcctLogFileName %L/dsl_ppp_users
> > </Handler>
> >
> > This works for pap, but not for chap. Is this because CHAP is encrypted
> > and PAM needs the unencrypted? There is no note that says PAM cannot do
> > chap.
> >
> > Thanks,
> >
> > Mike Forbes
> >
> >
> > For chap I get the following output:
> >
> >
> >
> > Tue Oct 29 13:05:38 2002: DEBUG: Packet dump:
> > *** Received from x.y.z.v port 1645 ....
> > Code: Access-Request
> > Identifier: 103
> > Authentic: A:
> > Attributes:
> > Framed-Protocol = PPP
> > User-Name = "fred"
> > CHAP-Password = ]b%
> > NAS-Port = 1
> > NAS-Port-Type = Virtual
> > Service-Type = Framed-User
> > NAS-IP-Address = x.y.z.v
> >
> > Tue Oct 29 13:05:38 2002: DEBUG: Handling request with Handler
> > 'Realm=Backbone_Devices,Framed-Protocol=PPP'
> > Tue Oct 29 13:05:38 2002: DEBUG: Rewrote user name to fred
> > Tue Oct 29 13:05:38 2002: DEBUG: Deleting session for fred,
> > 128.138.82.198, 1
> > Tue Oct 29 13:05:38 2002: DEBUG: Handling with Radius::AuthGROUP
> > Tue Oct 29 13:05:38 2002: DEBUG: Handling with PAM service radiusd
> > Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password'
> > Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password for
> > fred at COLORADO.EDU'
> > Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password for
> > fred at COLORADO.EDU'
> > Tue Oct 29 13:05:38 2002: INFO: Access rejected for fred:
> > Authentication failure:
> > Tue Oct 29 13:05:38 2002: DEBUG: Packet dump:
> > *** Sending to x.y.z.v port 1645 ....
> > Code: Access-Reject
> > Identifier: 103
> > Authentic: A:
> > Attributes:
> > Reply-Message = "Request Denied"
> >
> >
> > ===
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
>
> NB: I am travelling this week, so there may be delays in our
> correspondence.
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
>
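Added example, not part of the original thread and not Radiator code: a Python sketch of why the PAP request can be handed to PAM while the CHAP request cannot. It follows the RFC 2865 User-Password hiding and the RFC 1994 CHAP response; the shared secret, authenticator, password and CHAP id are constructed values, and the Request Authenticator is assumed to serve as the CHAP challenge because the dump above shows no CHAP-Challenge attribute.

```python
import hashlib

# Constructed sample values (not taken from the packet dump in the thread).
SECRET = b"shared-secret"      # RADIUS shared secret between NAS and server
REQ_AUTH = bytes(range(16))    # 16-byte Request Authenticator
PASSWORD = b"fred-password"

def pap_hide(password, secret, authenticator):
    """RFC 2865 5.2: what the NAS places in User-Password."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def pap_recover(hidden, secret, authenticator):
    """Server side: reverses pap_hide, giving the cleartext PAM asks for."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(chap_id, password, challenge):
    """RFC 1994: CHAP-Password = id byte + MD5(id | password | challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def chap_verify(attr, candidate, challenge):
    """Recompute the digest; succeeds only if candidate is the cleartext."""
    return chap_password(attr[0], candidate, challenge) == attr

def demo():
    hidden = pap_hide(PASSWORD, SECRET, REQ_AUTH)
    chap = chap_password(1, PASSWORD, REQ_AUTH)
    # Stand-in for any one-way stored form (crypt hash, Kerberos key, ...).
    one_way = hashlib.sha256(PASSWORD).hexdigest().encode()
    return {
        "pap_cleartext": pap_recover(hidden, SECRET, REQ_AUTH),
        "chap_attr_len": len(chap),
        "chap_ok_with_cleartext": chap_verify(chap, PASSWORD, REQ_AUTH),
        "chap_ok_with_one_way_form": chap_verify(chap, one_way, REQ_AUTH),
    }
```

With PAP the server ends up holding the password and can answer PAM's 'Password' prompt; with CHAP it holds only a 17-byte id-plus-digest that can be checked solely against a cleartext copy it already stores.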