(RADIATOR) CHAP with AuthbyPAM Question

Hugh Irvine hugh at open.com.au
Tue Oct 29 21:19:05 CST 2002


Hello Mike -

I think your only option is PAP.

regards

Hugh


On Wednesday, October 30, 2002, at 01:21 PM, Forbes Mike wrote:

>
> We are using auth by pam to access krb5.  So it needs to associate an
> unencrypted password to the username to query the krb server for a
> ticket.
> Should that work, and if not, what are my options?
>
> Mike
>
> On Wed, 30 Oct 2002, Hugh Irvine wrote:
>
>>
>> Hello Mike -
>>
>> It depends on what format the stored passwords are that PAM is
>> referring to.
>>
>> If the passwords are encrypted, you cannot use CHAP.
>>
>> regards
>>
>> Hugh
>>
>>
>> On Wednesday, October 30, 2002, at 07:45 AM, Forbes Mike wrote:
>>
>>>
>>> I am testing chap authentication with Radiator.  Currently I do the
>>> following:
>>>
>>> <Handler Realm=Backbone_Devices,Framed-Protocol=PPP>
>>>         RewriteUsername s/^([^@]+).*/$1/
>>>         <AuthBy GROUP>
>>>                 <AuthBy PAM>
>>>                         Fork
>>>                         Service radiusd
>>>                 </AuthBy>
>>>         </AuthBy>
>>>         AuthLog DSL_PPP_Login_Failures
>>>         # Log accounting to a detail file
>>>         AcctLogFileName %L/dsl_ppp_users
>>> </Handler>
>>>
>>> This works for pap, but not for chap. Is this because CHAP is
>>> encrypted and PAM needs the unencrypted? There is no note that says
>>> PAM cannot do chap.
>>>
>>> Thanks,
>>>
>>> Mike Forbes
>>>
>>>
>>> For chap I get the following output:
>>>
>>>
>>>
>>> Tue Oct 29 13:05:38 2002: DEBUG: Packet dump:
>>> *** Received from x.y.z.v port 1645 ....
>>> Code:       Access-Request
>>> Identifier: 103
>>> Authentic:  A:
>>> Attributes:
>>>         Framed-Protocol = PPP
>>>         User-Name = "fred"
>>>         CHAP-Password = ]b%
>>>         NAS-Port = 1
>>>         NAS-Port-Type = Virtual
>>>         Service-Type = Framed-User
>>>         NAS-IP-Address = x.y.z.v
>>>
>>> Tue Oct 29 13:05:38 2002: DEBUG: Handling request with Handler
>>> 'Realm=Backbone_Devices,Framed-Protocol=PPP'
>>> Tue Oct 29 13:05:38 2002: DEBUG: Rewrote user name to fred
>>> Tue Oct 29 13:05:38 2002: DEBUG:  Deleting session for fred,
>>> 128.138.82.198, 1
>>> Tue Oct 29 13:05:38 2002: DEBUG: Handling with Radius::AuthGROUP
>>> Tue Oct 29 13:05:38 2002: DEBUG: Handling with PAM service radiusd
>>> Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password'
>>> Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password for
>>> fred at COLORADO.EDU'
>>> Tue Oct 29 13:05:38 2002: DEBUG: PAM is asking for 1: 'Password for
>>> fred at COLORADO.EDU'
>>> Tue Oct 29 13:05:38 2002: INFO: Access rejected for fred:
>>> Authentication failure:
>>> Tue Oct 29 13:05:38 2002: DEBUG: Packet dump:
>>> *** Sending to x.y.z.v port 1645 ....
>>> Code:       Access-Reject
>>> Identifier: 103
>>> Authentic:  A:
>>> Attributes:
>>>         Reply-Message = "Request Denied"
>>>
>>>
>>> ===
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: I am travelling this week, so there may be delays in our
>> correspondence.
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>>
>
>
>


More information about the radiator mailing list
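
The reason behind the answer in this thread, as an added example that is not part of the original messages or of Radiator's code: a RADIUS CHAP-Password (RFC 2865) is a one-way MD5 digest that the server can only check by recomputing it from a locally stored cleartext password, whereas a PAP User-Password is reversibly hidden with the shared secret, so the server recovers the cleartext and can hand it to PAM. Function names and sample values are constructed for illustration.

```python
import hashlib
import hmac

def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: ident byte + MD5(ident || password || challenge)."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def verify_chap(chap_password: bytes, challenge: bytes, stored: bytes) -> bool:
    """Server side. Succeeds only if `stored` is the cleartext password.

    With no CHAP-Challenge attribute in the request (as in the packet dump
    in this thread), the Request Authenticator is used as the challenge.
    """
    if len(chap_password) != 17:
        return False
    expected = chap_response(chap_password[0], stored, challenge)
    return hmac.compare_digest(expected, chap_password)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: RFC 2865 User-Password hiding (pad to 16-byte blocks, XOR)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block          # next pad is keyed on the previous ciphertext block
    return out

def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding to get the cleartext PAM will be given."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

if __name__ == "__main__":
    auth = bytes(range(16))                 # constructed Request Authenticator
    pw, secret = b"constructed-pw", b"constructed-shared-secret"
    print("PAP recovers:", pap_decode(pap_encode(pw, secret, auth), secret, auth))
    resp = chap_response(103, pw, auth)
    print("CHAP with cleartext:", verify_chap(resp, auth, pw))
    print("CHAP with a hash only:", verify_chap(resp, auth, hashlib.sha256(pw).digest()))
```

A Kerberos KDC reached through PAM never exposes the cleartext to the RADIUS server, so only the PAP path can supply what `pam_authenticate` is prompting for.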