(RADIATOR) SSH + PAM + Radiator

Hugh Irvine hugh at open.com.au
Mon Nov 8 21:22:38 CST 2004


Hello Sean -

Thanks for sending the debug and so on.

As you can see, the username that is received by Radiator is "NOUSER", 
not "test01".

The NAS-Identifier in the request is "sshd", but it is not obvious to 
me whether it is sshd or pam that is sending "NOUSER".

I think you will need to check both the sshd log and the pam log, then 
check the corresponding documentation.

regards

Hugh



On 9 Nov 2004, at 14:02, Sean Bofinger wrote:

> Hi,
>
> I am trying to authenticate ssh users through radiator and am having
> some problems.  No users are being authenticated.  I created a user
> test01 in the radmin screen, but when I try to log into the box using
> this user, I get the following error in the radiator logfile
>
> -------------------------------------------------
>
> *** Received from 127.0.0.1 port 11280 ....
> Code:       Access-Request
> Identifier: 42
> Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
> Attributes:
>         User-Name = "NOUSER"
>         User-Password = "<243><208><132>*<127>@*b<<159><16><132><18><240><229>j"
>         NAS-IP-Address = 10.0.1.7
>         NAS-Identifier = "sshd"
>         NAS-Port = 10255
>         NAS-Port-Type = Virtual
>         Service-Type = Authenticate-Only
>         Calling-Station-Id = "peregrine.office.lan"
>
> Tue Nov  9 11:49:40 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Tue Nov  9 11:49:40 2004: DEBUG:  Deleting session for NOUSER, 10.0.1.7, 10255
> Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.0.1.7' and NASPORT=010255':
> Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN
> Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN:
> Tue Nov  9 11:49:40 2004: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='NOUSER'':
> Tue Nov  9 11:49:40 2004: DEBUG: Radius::AuthRADMIN looks for match with NOUSER
> Tue Nov  9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
> Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (1099964980, 'NOUSER', 0, 'No such user')':
> Tue Nov  9 11:49:40 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 11280 ....
> Code:       Access-Reject
> Identifier: 42
> Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
> Attributes:
>         Reply-Message = "Request Denied"
>
> ------------------------------------------------------------------
> My /etc/pam.d/sshd file looks like
>
> #%PAM-1.0
> #auth       required     pam_stack.so service=system-auth
> #auth       required     pam_nologin.so
> auth       sufficient   /lib/security/pam_radius_auth.so
> account    sufficient   /lib/security/pam_radius_auth.so
> #account    required     pam_stack.so service=system-auth
> #password   required     pam_stack.so service=system-auth
> #session    required     pam_stack.so service=system-auth
> session    required     pam_limits.so
> session    optional     pam_console.so
>
> -----------------------------------------------------------------
>
>
> And the radius.cfg
>
> LogDir          /var/log/radius
> DbDir           /etc/radiator
>
> Trace 4
>
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> <ClientListSQL>
>         DBSource        dbi:mysql:radmin:localhost
>         DBUsername      radmin
>         DBAuth          radminpw
> </ClientListSQL>
>
> <Realm DEFAULT>
>         <AuthBy RADMIN>
>                 DBSource        dbi:mysql:radmin:localhost
>                 DBUsername      radmin
>                 DBAuth          radminpw
>
>                 NoDefault
>                 AccountingTable RADUSAGE
>                 AcctColumnDef   USERNAME,User-Name
>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>                 AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>                 AcctColumnDef   NASPORT,NAS-Port,integer
>                 AcctColumnDef   DNIS,Called-Station-Id
> #               AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
>
>
>                 AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>                 AddToReply Framed-Protocol = PPP,\
>                         Framed-IP-Netmask = 255.255.255.255,\
>                         Framed-Routing = None,\
>                         Framed-MTU = 1500,\
>                         Framed-Compression = Van-Jacobson-TCP-IP
>
>         </AuthBy>
>
>
>         <AuthLog SQL>
>
>                 DBSource        dbi:mysql:radmin:localhost
>                 DBUsername      radmin
>                 DBAuth          radminpw
>
>                 LogSuccess
>                 SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
>                 LogFailure
>                 FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
>         </AuthLog>
> </Realm>
>
> <SessionDatabase SQL>
>         # This database spec usually should be exactly the same
>         # as in <AuthBy RADMIN> above
>         DBSource        dbi:mysql:radmin:localhost
>         DBUsername      radmin
>         DBAuth          radminpw
>
> </SessionDatabase>
>
> ------------------------------------------------
>
>
> Any ideas?
>
>
> Thanks in advance
> Sean
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
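
An added example, not part of the original messages and not Radiator code: a small Python parser for Trace 4 packet dumps like the one quoted above. It pairs each Access-Request with its reject reason and lists the requests whose User-Name is the literal "NOUSER" seen in this thread. The sample trace is constructed from the quoted log, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the Trace 4 output quoted in the thread.
SAMPLE_TRACE = '''\
*** Received from 127.0.0.1 port 11280 ....
Code:       Access-Request
Attributes:
        User-Name = "NOUSER"
        NAS-Identifier = "sshd"
        Calling-Station-Id = "peregrine.office.lan"

Tue Nov  9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
*** Received from 127.0.0.1 port 11281 ....
Code:       Access-Request
Attributes:
        User-Name = "test01"
        NAS-Identifier = "sshd"

Tue Nov  9 11:50:02 2004: DEBUG: Radius::AuthRADMIN looks for match with test01
'''

ATTR = re.compile(r'^\s+([A-Za-z0-9-]+) = "?(.*?)"?\s*$')
REJECT = re.compile(r'INFO: Access rejected for (\S+): (.*)$')

def parse_requests(trace):
    """Return one dict per Access-Request, with any reject reason attached."""
    requests, current, in_attrs = [], None, False
    for line in trace.splitlines():
        if line.startswith('*** Received from'):
            current, in_attrs = {'reject': None}, False
        elif current is not None and line.startswith('Code:'):
            if line.split()[-1] == 'Access-Request':
                requests.append(current)
            else:
                current = None          # not a request: ignore its attributes
        elif current is not None and line.startswith('Attributes:'):
            in_attrs = True
        elif in_attrs and (m := ATTR.match(line)):
            current[m.group(1)] = m.group(2)
        else:
            in_attrs = False            # blank line or log line ends the dump
            m = REJECT.search(line)
            if m and requests and requests[-1].get('User-Name') == m.group(1):
                requests[-1]['reject'] = m.group(2)
    return requests

def placeholder_logins(trace, placeholders=('NOUSER',)):
    """Requests whose User-Name is a placeholder (assumed list) rather than a typed login."""
    return [r for r in parse_requests(trace) if r.get('User-Name') in placeholders]
```

The NAS-Identifier and Calling-Station-Id of each flagged request show which service and client host to look up in the sshd and PAM logs.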
