(RADIATOR) CHAP with AuthbyPAM Question
Hugh Irvine
hugh at open.com.au
Tue Oct 29 21:19:05 CST 2002
Hello Mike -
I think your only option is PAP.
regards
Hugh
On Wednesday, October 30, 2002, at 01:21 PM, Forbes Mike wrote:
>
> We are using auth by pam to access krb5. So it needs to associate an
> unencrypted password to the username to query the krb server for a
> ticket.
> Should that work, and if not, what are my options?
>
> Mike
>
> On Wed, 30 Oct 2002, Hugh Irvine wrote:
>
>>
>> Hello Mike -
>>
>> It depends on what format the stored passwords are that PAM is
>> referring to.
>>
>> If the passwords are encrypted, you cannot use CHAP.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Wednesday, October 30, 2002, at 07:45 AM, Forbes Mike wrote:
>>
>>>
>>> I am testing chap authentication with Radiator. Currently I do the
>>> following:
>>>
>>> <Handler Realm=Backbone_Devices,Framed-Protocol=PPP>
>>>     RewriteUsername s/^([^@]+).*/$1/
>>>     <AuthBy GROUP>
>>>         <AuthBy PAM>
>>>             Fork
>>>             Service radiusd
>>>         </AuthBy>
>>>     </AuthBy>
>>>     AuthLog DSL_PPP_Login_Failures
>>>     # Log accounting to a detail file
>>>     AcctLogFileName %L/dsl_ppp_users
>>> </Handler>
>>>
>>> This works for pap, but not for chap. Is this because CHAP is
>>> encrypted and PAM needs the unencrypted? There is no note that says
>>> PAM cannot do chap.
>>>
>>> Thanks,
>>>
>>> Mike Forbes
>>>
>>>
>>> For chap I get the following output:
>>>
>>>
>>>
>>> Tue Oct 29 13:05:38 2002: DEBUG: Packet dump:
>>> *** Received from x.y.z.v port 1645 ....
>>> Code: Access-Request
>>> Identifier: 103
>>> Authentic: A:
>>> Attributes:
>>> Framed-Protocol = PPP
>>> User-Name = "fred"
>>> CHAP-Password = ]b%
>>> NAS-Port = 1
>>> NAS-Port-Type = Virtual
>>> Service-Type = Framed-User
>>> NAS-IP-Address = x.y.z.v
>>>
>>> Tue Oct 29 13:05:38 2002: DEBUG: Handling request with Handler
>>> 'Realm=Backbone_Devices,Framed-Protocol=PPP'
>>> Tue Oct 29 13:05:38 2002: DEBUG: Rewrote user name to fred
>>> Tue Oct 29 13:05:38 2002: DEBUG: Deleting session for fred,
>>> 128.138.82.198, 1
>>> Tue Oct 29 13:05:38 2002: DEBUG: Handling with Radius::AuthGROUP
>>> Tue Oct 29 13:05:38 2002: DEBUG: Handling with PAM service radiusd
>>> Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password'
>>> Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password for
>>> fred at COLORADO.EDU'
>>> Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password for
>>> fred at COLORADO.EDU'
>>> Tue Oct 29 13:05:38 2002: INFO: Access rejected for fred:
>>> Authentication failure:
>>> Tue Oct 29 13:05:38 2002: DEBUG: Packet dump:
>>> *** Sending to x.y.z.v port 1645 ....
>>> Code: Access-Reject
>>> Identifier: 103
>>> Authentic: A:
>>> Attributes:
>>> Reply-Message = "Request Denied"
>>>
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: I am travelling this week, so there may be delays in our
>> correspondence.
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>>
>>
>
>
>
NB: I am travelling this week, so there may be delays in our
correspondence.
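
Why PAP works with a PAM/krb5 backend and CHAP does not, as an added example that is not part of the original thread and is not Radiator code. The shared secret, password, CHAP identifier and authenticator are constructed values, and SHA-256 stands in for whatever one-way form a backend might hold.

```python
import hashlib
import hmac

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(CHAP identifier || cleartext password || challenge)
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def chap_verify(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    # RFC 2865 CHAP-Password = 1-byte CHAP identifier + 16-byte response.
    # The server must recompute the MD5 itself, so `stored` has to be cleartext.
    expected = chap_response(chap_password[0], stored, challenge)
    return hmac.compare_digest(chap_password[1:17], expected)

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 User-Password hiding, as done by the NAS before sending.
    size = max(16, -(-len(password) // 16) * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def pap_recover(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Server side: undo the hiding and get the cleartext back, which is what
    # a PAM conversation (and a krb5 ticket request behind it) needs.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def demo():
    # All values below are constructed for this example.
    secret, authenticator = b"constructed-shared-secret", bytes(range(16))
    password, chap_id = b"constructed-password", 7
    hidden = pap_hide(password, secret, authenticator)
    pap_ok = pap_recover(hidden, secret, authenticator) == password
    # With no CHAP-Challenge attribute, the Request Authenticator is the challenge.
    chap_attr = bytes([chap_id]) + chap_response(chap_id, password, authenticator)
    chap_with_cleartext = chap_verify(chap_attr, authenticator, password)
    # A backend that only holds a one-way hash cannot recompute the response.
    one_way = hashlib.sha256(password).hexdigest().encode()
    chap_with_hash = chap_verify(chap_attr, authenticator, one_way)
    return pap_ok, chap_with_cleartext, chap_with_hash

if __name__ == "__main__":
    print(demo())
```

PAM only accepts a password to test; it never hands one back, so the CHAP check has nothing to recompute the MD5 from.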