(RADIATOR) SSH + PAM + Radiator

Sean Bofinger sean.bofinger at wotif.com
Mon Nov 8 21:45:00 CST 2004


Hi Hugh,

The only thing I can find that gives a hint is the following in the sshd
log

Nov  9 13:39:35 monitor sshd[17160]: Illegal user test01 from 10.0.2.22
Nov  9 13:39:39 monitor sshd[17160]: Failed password for illegal user test01 from 10.0.2.22 port 41663 ssh2


If I add the test01 user as a local user, the ssh connection just
stops.  It doesn't fail the connection or allow the user.

Cheers
Sean
On Tue, 2004-11-09 at 13:22, Hugh Irvine wrote:
> Hello Sean -
> 
> Thanks for sending the debug and so on.
> 
> As you can see, the username that is received by Radiator is "NOUSER", 
> not "test01".
> 
> The NAS-Identifier in the request is "sshd", but it is not obvious to 
> me whether it is sshd or pam that is sending "NOUSER".
> 
> I think you will need to check both the sshd log and the pam log, then 
> check the corresponding documentation.
> 
> regards
> 
> Hugh
> 
> 
> 
> On 9 Nov 2004, at 14:02, Sean Bofinger wrote:
> 
> > Hi,
> >
> > I am trying to authenticate ssh users through radiator and am having
> > some problems.  No users are being authenticated.  I created a user
> > test01 in the radmin screen, but when I try to log into the box using
> > this user, I get the following error in the radiator logfile
> >
> > -------------------------------------------------
> >
> > *** Received from 127.0.0.1 port 11280 ....
> > Code:       Access-Request
> > Identifier: 42
> > Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
> > Attributes:
> >         User-Name = "NOUSER"
> >         User-Password = "<243><208><132>*<127>@*b<<159><16><132><18><240><229>j"
> >         NAS-IP-Address = 10.0.1.7
> >         NAS-Identifier = "sshd"
> >         NAS-Port = 10255
> >         NAS-Port-Type = Virtual
> >         Service-Type = Authenticate-Only
> >         Calling-Station-Id = "peregrine.office.lan"
> >
> > Tue Nov  9 11:49:40 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> > Tue Nov  9 11:49:40 2004: DEBUG:  Deleting session for NOUSER, 10.0.1.7, 10255
> > Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.0.1.7' and NASPORT=010255':
> > Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN
> > Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN:
> > Tue Nov  9 11:49:40 2004: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='NOUSER'':
> > Tue Nov  9 11:49:40 2004: DEBUG: Radius::AuthRADMIN looks for match with NOUSER
> > Tue Nov  9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
> > Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (1099964980, 'NOUSER', 0, 'No such user')':
> > Tue Nov  9 11:49:40 2004: DEBUG: Packet dump:
> > *** Sending to 127.0.0.1 port 11280 ....
> > Code:       Access-Reject
> > Identifier: 42
> > Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
> > Attributes:
> >         Reply-Message = "Request Denied"
> >
> > ------------------------------------------------------------------
> > My /etc/pam.d/sshd file looks like
> >
> > #%PAM-1.0
> > #auth       required     pam_stack.so service=system-auth
> > #auth       required     pam_nologin.so
> > auth       sufficient   /lib/security/pam_radius_auth.so
> > account    sufficient   /lib/security/pam_radius_auth.so
> > #account    required     pam_stack.so service=system-auth
> > #password   required     pam_stack.so service=system-auth
> > #session    required     pam_stack.so service=system-auth
> > session    required     pam_limits.so
> > session    optional     pam_console.so
> >
> > -----------------------------------------------------------------
> >
> >
> > And the radius.cfg
> >
> > LogDir          /var/log/radius
> > DbDir           /etc/radiator
> >
> > Trace 4
> >
> > <Client DEFAULT>
> >         Secret  mysecret
> >         DupInterval 0
> > </Client>
> >
> > <ClientListSQL>
> >         DBSource        dbi:mysql:radmin:localhost
> >         DBUsername      radmin
> >         DBAuth          radminpw
> >
> > </ClientListSQL>
> >
> > <Realm DEFAULT>
> >         <AuthBy RADMIN>
> >                 DBSource        dbi:mysql:radmin:localhost
> >                 DBUsername      radmin
> >                 DBAuth          radminpw
> >
> >                 NoDefault
> >                 AccountingTable RADUSAGE
> >                 AcctColumnDef   USERNAME,User-Name
> >                 AcctColumnDef   TIME_STAMP,Timestamp,integer
> >                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
> >                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
> >                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
> >                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> >                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
> >                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
> >                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> >                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> >                 AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
> >                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
> >                 AcctColumnDef   NASPORT,NAS-Port,integer
> >                 AcctColumnDef   DNIS,Called-Station-Id
> > #               AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
> >
> >
> >                 AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
> >                 AddToReply Framed-Protocol = PPP,\
> >                         Framed-IP-Netmask = 255.255.255.255,\
> >                         Framed-Routing = None,\
> >                         Framed-MTU = 1500,\
> >                         Framed-Compression = Van-Jacobson-TCP-IP
> >
> >         </AuthBy>
> >
> >
> >         <AuthLog SQL>
> >
> >                 DBSource        dbi:mysql:radmin:localhost
> >                 DBUsername      radmin
> >                 DBAuth          radminpw
> >
> >                 LogSuccess
> >                 SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
> >                 LogFailure
> >                 FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
> >         </AuthLog>
> > </Realm>
> >
> > <SessionDatabase SQL>
> >         # This database spec usually should be exactly the same
> >         # as in <AuthBy RADMIN> above
> >         DBSource        dbi:mysql:radmin:localhost
> >         DBUsername      radmin
> >         DBAuth          radminpw
> >
> > </SessionDatabase>
> >
> > ------------------------------------------------
> >
> >
> > Any ideas?
> >
> >
> > Thanks in advance
> > Sean
> >
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
> >
> >
> 
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
-- 
Sean Bofinger

Systems and Network Administrator
Wotif.com
www.wotif.com

t: +61 7 3512 9999
f: +61 7 3512 9900
e: sean.bofinger at wotif.com

Wotif.com is the global specialist in last-minute accommodation.
Wotif.com's properties can be booked online or through our call centre
which operates 24 hours a day, 7 days a week.
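An added example (not from the thread, Radiator or pam_radius_auth) that rebuilds a RADIUS Access-Request shaped like the one in the trace above and decodes it the way the server would: it shows why User-Password prints as binary in the Radiator dump (RFC 2865 hides it with the client secret and the request authenticator) and flags the User-Name "NOUSER", which is the placeholder OpenSSH hands to PAM when the login name has no local passwd entry, matching the "Illegal user test01" line in the sshd log. It assumes the secret "mysecret" from the posted <Client DEFAULT>; the authenticator bytes and the password are constructed.

```python
import hashlib
import struct
# Constructed: the secret is the one in the posted <Client DEFAULT>; authenticator and password are made up.
SECRET = b"mysecret"
AUTHENTICATOR = bytes(range(16))
ATTR = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 32: "NAS-Identifier"}
TYPE = {name: code for code, name in ATTR.items()}

def hide_password(password, authenticator, secret=SECRET):
    # RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block).
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def unhide_password(hidden, authenticator, secret=SECRET):
    # Server side: same keystream, chained on the received cipher blocks; strip the null padding.
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident, authenticator, attrs):
    # Code 1 = Access-Request; each attribute is type, length, value (RFC 2865 section 5).
    body = b"".join(struct.pack("BB", TYPE[n], 2 + len(v)) + v for n, v in attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    auth, attrs, pos = pkt[4:20], {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        attrs[ATTR.get(t, t)] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, auth, attrs

def username_hint(name):
    # OpenSSH starts PAM with its placeholder "NOUSER" when the login name has no local passwd entry.
    return "sshd substituted NOUSER: no local account for the login name" if name == "NOUSER" else "real login name"

def demo():
    # Rebuild the shape of the posted request and decode it the way Radiator would.
    attrs = [("User-Name", b"NOUSER"), ("User-Password", hide_password(b"test01pw", AUTHENTICATOR)),
             ("NAS-IP-Address", bytes([10, 0, 1, 7])), ("NAS-Identifier", b"sshd")]
    code, ident, auth, got = parse_packet(build_access_request(42, AUTHENTICATOR, attrs))
    user = got["User-Name"].decode()
    return {"code": code, "id": ident, "User-Name": user, "NAS-Identifier": got["NAS-Identifier"].decode(),
            "password": unhide_password(got["User-Password"], auth).decode(), "hint": username_hint(user)}
```

With the wrong secret the recovered password is garbage rather than an error, which is why a secret mismatch between pam_radius_auth and the Radiator <Client> shows up as "bad password" rather than as a clear failure.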
