(RADIATOR) SSH + PAM + Radiator
Hugh Irvine
hugh at open.com.au
Mon Nov 8 22:01:35 CST 2004
Hello Sean -
I'm afraid I don't know anything useful in this instance.
Does anyone else on the list have any experience in this area?
regards
Hugh
On 9 Nov 2004, at 14:45, Sean Bofinger wrote:
> Hi Hugh,
>
> The only thing I can find that gives a hint is the following in the sshd log
>
> Nov 9 13:39:35 monitor sshd[17160]: Illegal user test01 from 10.0.2.22
> Nov 9 13:39:39 monitor sshd[17160]: Failed password for illegal user test01 from 10.0.2.22 port 41663 ssh2
>
>
> If I add the test01 user as a local user, the ssh connection just
> stops. It doesn't fail the connection or allow the user.
>
> Cheers
> Sean
> On Tue, 2004-11-09 at 13:22, Hugh Irvine wrote:
>> Hello Sean -
>>
>> Thanks for sending the debug and so on.
>>
>> As you can see, the username that is received by Radiator is "NOUSER",
>> not "test01".
>>
>> The NAS-Identifier in the request is "sshd", but it is not obvious to
>> me whether it is sshd or pam that is sending "NOUSER".
>>
>> I think you will need to check both the sshd log and the pam log, then
>> check the corresponding documentation.
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 9 Nov 2004, at 14:02, Sean Bofinger wrote:
>>
>>> Hi,
>>>
>>> I am trying to authenticate ssh users through radiator and am having
>>> some problems. No users are being authenticated. I created a user
>>> test01 in the radmin screen, but when I try to log into the box using
>>> this user, I get the following error in the radiator logfile
>>>
>>> -------------------------------------------------
>>>
>>> *** Received from 127.0.0.1 port 11280 ....
>>> Code: Access-Request
>>> Identifier: 42
>>> Authentic: C<132><201><241>,<141>J11<219><208><216>3@<160>{
>>> Attributes:
>>> 	User-Name = "NOUSER"
>>> 	User-Password = "<243><208><132>*<127>@*b<<159><16><132><18><240><229>j"
>>> 	NAS-IP-Address = 10.0.1.7
>>> 	NAS-Identifier = "sshd"
>>> 	NAS-Port = 10255
>>> 	NAS-Port-Type = Virtual
>>> 	Service-Type = Authenticate-Only
>>> 	Calling-Station-Id = "peregrine.office.lan"
>>>
>>> Tue Nov 9 11:49:40 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>> Tue Nov 9 11:49:40 2004: DEBUG: Deleting session for NOUSER, 10.0.1.7, 10255
>>> Tue Nov 9 11:49:40 2004: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.0.1.7' and NASPORT=010255':
>>> Tue Nov 9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN
>>> Tue Nov 9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN:
>>> Tue Nov 9 11:49:40 2004: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='NOUSER'':
>>> Tue Nov 9 11:49:40 2004: DEBUG: Radius::AuthRADMIN looks for match with NOUSER
>>> Tue Nov 9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
>>> Tue Nov 9 11:49:40 2004: DEBUG: do query is: 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (1099964980, 'NOUSER', 0, 'No such user')':
>>> Tue Nov 9 11:49:40 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 11280 ....
>>> Code: Access-Reject
>>> Identifier: 42
>>> Authentic: C<132><201><241>,<141>J11<219><208><216>3@<160>{
>>> Attributes:
>>> 	Reply-Message = "Request Denied"
>>> ------------------------------------------------------------------
>>> My /etc/pam.d/sshd file looks like
>>>
>>> #%PAM-1.0
>>> #auth required pam_stack.so service=system-auth
>>> #auth required pam_nologin.so
>>> auth sufficient /lib/security/pam_radius_auth.so
>>> account sufficient /lib/security/pam_radius_auth.so
>>> #account required pam_stack.so service=system-auth
>>> #password required pam_stack.so service=system-auth
>>> #session required pam_stack.so service=system-auth
>>> session required pam_limits.so
>>> session optional pam_console.so
>>>
>>> -----------------------------------------------------------------
>>>
>>>
>>> And the radius.cfg
>>>
>>> LogDir /var/log/radius
>>> DbDir /etc/radiator
>>>
>>> Trace 4
>>>
>>> <Client DEFAULT>
>>> Secret mysecret
>>> DupInterval 0
>>> </Client>
>>>
>>> <ClientListSQL>
>>> DBSource dbi:mysql:radmin:localhost
>>> DBUsername radmin
>>> DBAuth radminpw
>>>
>>> </ClientListSQL>
>>>
>>>
>>> <Realm DEFAULT>
>>> <AuthBy RADMIN>
>>> DBSource dbi:mysql:radmin:localhost
>>> DBUsername radmin
>>> DBAuth radminpw
>>>
>>> NoDefault
>>> AccountingTable RADUSAGE
>>> AcctColumnDef USERNAME,User-Name
>>> AcctColumnDef TIME_STAMP,Timestamp,integer
>>> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
>>> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>>> AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>> AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>>> AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>>> AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>>> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>>> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
>>> AcctColumnDef NASIDENTIFIER,NAS-Identifier
>>> AcctColumnDef NASPORT,NAS-Port,integer
>>> AcctColumnDef DNIS,Called-Station-Id
>>> # AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
>>>
>>> AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>>> AddToReply Framed-Protocol = PPP,\
>>> Framed-IP-Netmask = 255.255.255.255,\
>>> Framed-Routing = None,\
>>> Framed-MTU = 1500,\
>>> Framed-Compression = Van-Jacobson-TCP-IP
>>>
>>> </AuthBy>
>>>
>>>
>>> <AuthLog SQL>
>>>
>>> DBSource dbi:mysql:radmin:localhost
>>> DBUsername radmin
>>> DBAuth radminpw
>>>
>>> LogSuccess
>>> SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
>>> LogFailure
>>> FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
>>> </AuthLog>
>>> </Realm>
>>>
>>> <SessionDatabase SQL>
>>> # This database spec usually should be exactly the same
>>> # as in <AuthBy RADMIN> above
>>> DBSource dbi:mysql:radmin:localhost
>>> DBUsername radmin
>>> DBAuth radminpw
>>>
>>> </SessionDatabase>
>>>
>>> ------------------------------------------------
>>>
>>>
>>> Any ideas?
>>>
>>>
>>> Thanks in advance
>>> Sean
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
> --
> Sean Bofinger
>
> Systems and Network Administrator
> Wotif.com
> www.wotif.com
>
> t: +61 7 3512 9999
> f: +61 7 3512 9900
> e: sean.bofinger at wotif.com
>
> Wotif.com is the global specialist in last-minute accommodation.
> Wotif.com's properties can be booked online or through our call centre
> which operates 24 hours a day, 7 days a week.
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
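The sshd log line and the Radiator packet dump quoted in this thread describe the same event from two sides, and they can be tied together mechanically. What follows is an added example for this thread, not code from the original posts or from Radiator, OpenSSH or pam_radius_auth. It rests on two facts: when getpwnam() fails for the login name, OpenSSH logs "Illegal user" and carries on with its fakepw() placeholder account, whose pw_name is "NOUSER", so that is the name PAM (and, through pam_radius_auth, the RADIUS server) is given; and, as the dump shows, NAS-Identifier carries the PAM service name, "sshd". The trace text in the block is a constructed sample in the Trace 4 shape, with the binary User-Password and Authenticator left out; the second request and the account lookup table are invented.

```python
"""Spot sshd's "NOUSER" placeholder in a Radiator Trace 4 log.

Added example for the SSH + PAM + Radiator thread; not code from the posts
nor from Radiator, OpenSSH or pam_radius_auth. It relies on OpenSSH's
fakepw() placeholder being named "NOUSER" and on NAS-Identifier carrying the
PAM service name ("sshd"), both visible in the quoted dump. SAMPLE_TRACE is
constructed; the second request and the account table are invented.
"""
import pwd
import re

SSHD_FAKE_USER = "NOUSER"      # pw_name of OpenSSH's fakepw() placeholder

# Constructed sample in the shape Radiator prints at Trace 4: the first
# request mirrors the thread's dump (binary fields omitted), the second is
# an invented request that did carry a real user name.
SAMPLE_TRACE = """\
*** Received from 127.0.0.1 port 11280 ....
Code:       Access-Request
Identifier: 42
Attributes:
\tUser-Name = "NOUSER"
\tNAS-IP-Address = 10.0.1.7
\tNAS-Identifier = "sshd"
\tNAS-Port = 10255
\tNAS-Port-Type = Virtual
\tService-Type = Authenticate-Only
\tCalling-Station-Id = "peregrine.office.lan"

Tue Nov  9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
*** Sending to 127.0.0.1 port 11280 ....
Code:       Access-Reject
Identifier: 42
Attributes:
\tReply-Message = "Request Denied"

*** Received from 127.0.0.1 port 11281 ....
Code:       Access-Request
Identifier: 43
Attributes:
\tUser-Name = "test01"
\tNAS-IP-Address = 10.0.1.7
\tNAS-Identifier = "sshd"
\tNAS-Port = 10256
"""

# An attribute line is indented, "Name = value", value optionally quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_packets(trace):
    """Split a Trace 4 log into packet dumps.

    Each dump becomes a dict with direction ('in' for "Received from",
    'out' for "Sending to"), code, identifier and an attrs mapping.
    Indented lines after 'Attributes:' are attributes; the first blank or
    non-indented line ends the dump, so interleaved DEBUG/INFO text is
    ignored.
    """
    packets, cur, in_attrs = [], None, False
    for line in trace.splitlines():
        if line.startswith("*** "):
            cur = {"direction": "in" if "Received from" in line else "out",
                   "code": None, "identifier": None, "attrs": {}}
            packets.append(cur)
            in_attrs = False
        elif cur is None:
            continue
        elif line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            cur["identifier"] = int(line.split(":", 1)[1])
        elif line.startswith("Attributes:"):
            in_attrs = True
        elif in_attrs:
            m = ATTR_RE.match(line)
            if m:
                cur["attrs"][m.group(1)] = m.group(2)
            else:                       # blank line or log text: dump is over
                in_attrs, cur = False, None
    return packets


def pam_user_seen_by_sshd(login, lookup=pwd.getpwnam):
    """Name sshd hands to PAM for `login`: the login itself when it resolves
    through the local account database, otherwise the fakepw() placeholder.
    `lookup` is injectable so the behaviour can be shown without real accounts."""
    try:
        lookup(login)
        return login
    except KeyError:
        return SSHD_FAKE_USER


def diagnose(packets):
    """One finding per inbound Access-Request that carries the placeholder."""
    findings = []
    for p in packets:
        if p["direction"] != "in" or p["code"] != "Access-Request":
            continue
        if p["attrs"].get("User-Name") == SSHD_FAKE_USER:
            nas = p["attrs"].get("NAS-Identifier", "?")
            findings.append(
                f"id {p['identifier']} from NAS-Identifier {nas}: sshd could not "
                "resolve the login name locally and sent its NOUSER placeholder; "
                "the RADIUS server never saw the real user. Create the account "
                "(or an NSS entry) on the sshd host; pam_radius_auth only "
                "authenticates, it does not supply accounts.")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_packets(SAMPLE_TRACE)):
        print(finding)
    # Invented account table: only 'alice' exists on this host.
    fake_db = {"alice": ("alice", "x", 1000)}
    for name in ("alice", "test01"):
        print(f"{name} -> PAM sees {pam_user_seen_by_sshd(name, fake_db.__getitem__)}")
```

Run as a script it prints one finding, for identifier 42, and then shows which name sshd would hand to PAM for a login that is in the account table and one that is not. The practical consequence for the setup in the thread is that pam_radius_auth can only authenticate a name sshd has already resolved, so every RADIUS user still needs a passwd entry (or an NSS source) on the sshd host; the local password field can stay locked, since the password check itself happens in RADIUS.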