(RADIATOR) SSH + PAM + Radiator
Sean Bofinger
sean.bofinger at wotif.com
Mon Nov 8 21:02:55 CST 2004
Hi,
I am trying to authenticate ssh users through Radiator and am having
some problems. No users are being authenticated. I created a user
test01 in the radmin screen, but when I try to log into the box using
this user, I get the following error in the Radiator logfile
-------------------------------------------------
*** Received from 127.0.0.1 port 11280 ....
Code: Access-Request
Identifier: 42
Authentic: C<132><201><241>,<141>J11<219><208><216>3@<160>{
Attributes:
User-Name = "NOUSER"
User-Password = "<243><208><132>*<127>@*b<<159><16><132><18><240><229>j"
NAS-IP-Address = 10.0.1.7
NAS-Identifier = "sshd"
NAS-Port = 10255
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "peregrine.office.lan"
Tue Nov 9 11:49:40 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Tue Nov 9 11:49:40 2004: DEBUG: Deleting session for NOUSER, 10.0.1.7, 10255
Tue Nov 9 11:49:40 2004: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.0.1.7' and NASPORT=010255':
Tue Nov 9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN
Tue Nov 9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN:
Tue Nov 9 11:49:40 2004: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='NOUSER'':
Tue Nov 9 11:49:40 2004: DEBUG: Radius::AuthRADMIN looks for match with NOUSER
Tue Nov 9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
Tue Nov 9 11:49:40 2004: DEBUG: do query is: 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (1099964980, 'NOUSER', 0, 'No such user')':
Tue Nov 9 11:49:40 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 11280 ....
Code: Access-Reject
Identifier: 42
Authentic: C<132><201><241>,<141>J11<219><208><216>3@<160>{
Attributes:
Reply-Message = "Request Denied"
------------------------------------------------------------------
My /etc/pam.d/sshd file looks like
#%PAM-1.0
#auth required pam_stack.so service=system-auth
#auth required pam_nologin.so
auth sufficient /lib/security/pam_radius_auth.so
account sufficient /lib/security/pam_radius_auth.so
#account required pam_stack.so service=system-auth
#password required pam_stack.so service=system-auth
#session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
-----------------------------------------------------------------
And the radius.cfg
LogDir /var/log/radius
DbDir /etc/radiator
Trace 4
<Client DEFAULT>
Secret mysecret
DupInterval 0
</Client>
<ClientListSQL>
DBSource dbi:mysql:radmin:localhost
DBUsername radmin
DBAuth radminpw
</ClientListSQL>
<Realm DEFAULT>
<AuthBy RADMIN>
DBSource dbi:mysql:radmin:localhost
DBUsername radmin
DBAuth radminpw
NoDefault
AccountingTable RADUSAGE
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef DNIS,Called-Station-Id
# AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
AddToReply Framed-Protocol = PPP,\
Framed-IP-Netmask = 255.255.255.255,\
Framed-Routing = None,\
Framed-MTU = 1500,\
Framed-Compression = Van-Jacobson-TCP-IP
</AuthBy>
<AuthLog SQL>
DBSource dbi:mysql:radmin:localhost
DBUsername radmin
DBAuth radminpw
LogSuccess
SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
LogFailure
FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
</AuthLog>
</Realm>
<SessionDatabase SQL>
# This database spec usually should be exactly the same
# as in <AuthBy RADMIN> above
DBSource dbi:mysql:radmin:localhost
DBUsername radmin
DBAuth radminpw
</SessionDatabase>
------------------------------------------------
Any ideas?
Thanks in advance
Sean
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
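An added triage helper, not part of the original post: it parses the Trace 4 packet dumps quoted above and flags Access-Requests whose User-Name is "NOUSER", the placeholder sshd hands to PAM when the login name has no local account on the host, so the real username never reaches RADIUS. The sample trace is constructed from the lines in the post.

```python
import re

# Constructed sample: the packet dumps from the post, trimmed to the relevant lines.
SAMPLE_TRACE = """\
*** Received from 127.0.0.1 port 11280 ....
Code: Access-Request
Identifier: 42
Attributes:
	User-Name = "NOUSER"
	NAS-IP-Address = 10.0.1.7
	NAS-Identifier = "sshd"
	NAS-Port = 10255
	Service-Type = Authenticate-Only
	Calling-Station-Id = "peregrine.office.lan"
Tue Nov 9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
*** Sending to 127.0.0.1 port 11280 ....
Code: Access-Reject
Identifier: 42
Attributes:
	Reply-Message = "Request Denied"
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*)\s*=\s*"?(.*?)"?\s*$')
HEADER_PREFIXES = ('Identifier:', 'Authentic:', 'Attributes:')

def parse_packets(trace):
    """Split a Radiator Trace 4 dump into packets: {'direction', 'code', 'attrs'}."""
    packets, cur = [], None
    for line in trace.splitlines():
        if line.startswith('*** Received from') or line.startswith('*** Sending to'):
            cur = {'direction': line.split()[1], 'code': None, 'attrs': {}}
            packets.append(cur)
        elif cur is None:
            continue
        elif line.startswith('Code:'):
            cur['code'] = line.split(':', 1)[1].strip()
        elif line.startswith(HEADER_PREFIXES):
            continue                      # Identifier / Authentic / Attributes header
        elif ATTR_RE.match(line):
            name, value = ATTR_RE.match(line).groups()
            cur['attrs'][name] = value    # quotes around string values are stripped
        else:
            cur = None                    # a timestamped log line ends the dump

    return packets

def sshd_nouser_requests(packets):
    """Access-Requests carrying sshd's NOUSER placeholder: the account is missing
    locally on the NAS, so fix the host's user database, not the RADIUS side."""
    hits = []
    for p in packets:
        a = p['attrs']
        if p['code'] == 'Access-Request' and a.get('User-Name') == 'NOUSER':
            hits.append({'nas': a.get('NAS-Identifier') or a.get('NAS-IP-Address'),
                         'client': a.get('Calling-Station-Id'), 'port': a.get('NAS-Port')})
    return hits
```

Run `sshd_nouser_requests(parse_packets(open('/var/log/radius/logfile').read()))` against a real trace to list every NAS that is sending the placeholder instead of a username.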