(RADIATOR) SSH + PAM + Radiator

Hugh Irvine hugh at open.com.au
Mon Nov 8 22:01:35 CST 2004


Hello Sean -

I'm afraid I don't know anything useful in this instance.

Does anyone else on the list have any experience in this area?

regards

Hugh


On 9 Nov 2004, at 14:45, Sean Bofinger wrote:

> Hi Hugh,
>
> The only thing I can find that gives a hint is the following in the
> sshd log
>
> Nov  9 13:39:35 monitor sshd[17160]: Illegal user test01 from 10.0.2.22
> Nov  9 13:39:39 monitor sshd[17160]: Failed password for illegal user test01 from 10.0.2.22 port 41663 ssh2
>
>
> If I add the test01 user as a local user, the ssh connection just
> stops.  It doesn't fail the connection or allow the user.
>
> Cheers
> Sean
> On Tue, 2004-11-09 at 13:22, Hugh Irvine wrote:
>> Hello Sean -
>>
>> Thanks for sending the debug and so on.
>>
>> As you can see, the username that is received by Radiator is "NOUSER",
>> not "test01".
>>
>> The NAS-Identifier in the request is "sshd", but it is not obvious to
>> me whether it is sshd or pam that is sending "NOUSER".
>>
>> I think you will need to check both the sshd log and the pam log, then
>> check the corresponding documentation.
>>
>> regards
>>
>> Hugh
>>
>>
>>
>> On 9 Nov 2004, at 14:02, Sean Bofinger wrote:
>>
>>> Hi,
>>>
>>> I am trying to authenticate ssh users through Radiator and am having
>>> some problems.  No users are being authenticated.  I created a user
>>> test01 in the radmin screen, but when I try to log into the box using
>>> this user, I get the following error in the Radiator logfile
>>>
>>> -------------------------------------------------
>>>
>>> *** Received from 127.0.0.1 port 11280 ....
>>> Code:       Access-Request
>>> Identifier: 42
>>> Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
>>> Attributes:
>>>         User-Name = "NOUSER"
>>>         User-Password = "<243><208><132>*<127>@*b<<159><16><132><18><240><229>j"
>>>         NAS-IP-Address = 10.0.1.7
>>>         NAS-Identifier = "sshd"
>>>         NAS-Port = 10255
>>>         NAS-Port-Type = Virtual
>>>         Service-Type = Authenticate-Only
>>>         Calling-Station-Id = "peregrine.office.lan"
>>>
>>> Tue Nov  9 11:49:40 2004: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>> Tue Nov  9 11:49:40 2004: DEBUG:  Deleting session for NOUSER, 10.0.1.7, 10255
>>> Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='10.0.1.7' and NASPORT=010255':
>>> Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN
>>> Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN:
>>> Tue Nov  9 11:49:40 2004: DEBUG: Query is: 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME='NOUSER'':
>>> Tue Nov  9 11:49:40 2004: DEBUG: Radius::AuthRADMIN looks for match with NOUSER
>>> Tue Nov  9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
>>> Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (1099964980, 'NOUSER', 0, 'No such user')':
>>> Tue Nov  9 11:49:40 2004: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 11280 ....
>>> Code:       Access-Reject
>>> Identifier: 42
>>> Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
>>> Attributes:
>>>         Reply-Message = "Request Denied"
>>>
>>> ------------------------------------------------------------------
>>> My /etc/pam.d/sshd file looks like
>>>
>>> #%PAM-1.0
>>> #auth       required     pam_stack.so service=system-auth
>>> #auth       required     pam_nologin.so
>>> auth       sufficient   /lib/security/pam_radius_auth.so
>>> account    sufficient   /lib/security/pam_radius_auth.so
>>> #account    required     pam_stack.so service=system-auth
>>> #password   required     pam_stack.so service=system-auth
>>> #session    required     pam_stack.so service=system-auth
>>> session    required     pam_limits.so
>>> session    optional     pam_console.so
>>>
>>> -----------------------------------------------------------------
>>>
>>>
>>> And the radius.cfg
>>>
>>> LogDir          /var/log/radius
>>> DbDir           /etc/radiator
>>>
>>> Trace 4
>>>
>>> <Client DEFAULT>
>>>         Secret  mysecret
>>>         DupInterval 0
>>> </Client>
>>>
>>> <ClientListSQL>
>>>         DBSource        dbi:mysql:radmin:localhost
>>>         DBUsername      radmin
>>>         DBAuth          radminpw
>>>
>>> </ClientListSQL>
>>>
>>>
>>> <Realm DEFAULT>
>>>         <AuthBy RADMIN>
>>>                 DBSource        dbi:mysql:radmin:localhost
>>>                 DBUsername      radmin
>>>                 DBAuth          radminpw
>>>
>>>                 NoDefault
>>>                 AccountingTable RADUSAGE
>>>                 AcctColumnDef   USERNAME,User-Name
>>>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
>>>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
>>>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
>>>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
>>>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>>>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
>>>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
>>>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
>>>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
>>>                 AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
>>>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
>>>                 AcctColumnDef   NASPORT,NAS-Port,integer
>>>                 AcctColumnDef   DNIS,Called-Station-Id
>>> #               AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
>>>
>>>
>>>                 AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>>>                 AddToReply Framed-Protocol = PPP,\
>>>                         Framed-IP-Netmask = 255.255.255.255,\
>>>                         Framed-Routing = None,\
>>>                         Framed-MTU = 1500,\
>>>                         Framed-Compression = Van-Jacobson-TCP-IP
>>>
>>>         </AuthBy>
>>>
>>>
>>>         <AuthLog SQL>
>>>
>>>                 DBSource        dbi:mysql:radmin:localhost
>>>                 DBUsername      radmin
>>>                 DBAuth          radminpw
>>>
>>>                 LogSuccess
>>>                 SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
>>>                 LogFailure
>>>                 FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
>>>         </AuthLog>
>>> </Realm>
>>>
>>> <SessionDatabase SQL>
>>>         # This database spec usually should be exactly the same
>>>         # as in <AuthBy RADMIN> above
>>>         DBSource        dbi:mysql:radmin:localhost
>>>         DBUsername      radmin
>>>         DBAuth          radminpw
>>>
>>> </SessionDatabase>
>>>
>>> ------------------------------------------------
>>>
>>>
>>> Any ideas?
>>>
>>>
>>> Thanks in advance
>>> Sean
>>>
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
> -- 
> Sean Bofinger
>
> Systems and Network Administrator
> Wotif.com
> www.wotif.com
>
> t: +61 7 3512 9999
> f: +61 7 3512 9900
> e: sean.bofinger at wotif.com
>
> Wotif.com is the global specialist in last-minute accommodation.
> Wotif.com's properties can be booked online or through our call centre
> which operates 24 hours a day, 7 days a week.
>
>

NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
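An added illustration of the thread's diagnostic, not part of the original
mail and not Radiator or OpenSSH code. The two logs Sean quoted tell one
story: sshd logged "Illegal user test01" because no local passwd entry
exists, and OpenSSH's fakepw() substitutes the account name "NOUSER" for
such logins before PAM runs, so pam_radius_auth forwards "NOUSER" and
Radiator correctly rejects it. The script below parses a Radiator trace 4
packet dump and the sshd log, flags Access-Requests that carry sshd's
placeholder name, and recovers the login name that was actually attempted
from the sshd side. The sample log lines are constructed from the thread
(binary Authenticator and User-Password bytes replaced by a placeholder);
the function names are my own.

```python
import re

# Constructed sample input, modelled on the sshd log and the Radiator trace 4
# output quoted in the thread (binary bytes replaced by "<binary>").
SSHD_LOG = """\
Nov  9 13:39:35 monitor sshd[17160]: Illegal user test01 from 10.0.2.22
Nov  9 13:39:39 monitor sshd[17160]: Failed password for illegal user test01 from 10.0.2.22 port 41663 ssh2
"""

RADIATOR_TRACE = """\
*** Received from 127.0.0.1 port 11280 ....
Code:       Access-Request
Identifier: 42
Authentic:  <binary>
Attributes:
        User-Name = "NOUSER"
        User-Password = "<binary>"
        NAS-IP-Address = 10.0.1.7
        NAS-Identifier = "sshd"
        NAS-Port = 10255
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "peregrine.office.lan"

Tue Nov  9 11:49:40 2004: INFO: Access rejected for NOUSER: No such user
*** Sending to 127.0.0.1 port 11280 ....
Code:       Access-Reject
Identifier: 42
Authentic:  <binary>
Attributes:
        Reply-Message = "Request Denied"
"""

# OpenSSH's fakepw() substitutes this account name when the requested login
# has no passwd entry, so PAM (and hence pam_radius_auth) never sees the real name.
SSHD_PLACEHOLDER_USER = "NOUSER"

PACKET_START = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
ATTR_LINE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')
ILLEGAL_USER = re.compile(r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\S+)")


def parse_radiator_trace(text):
    """Split Radiator trace 4 packet dumps into dicts of code/identifier/attributes."""
    packets, current, in_attrs = [], None, False
    for line in text.splitlines():
        start = PACKET_START.match(line)
        if start:
            current = {"direction": start.group(1), "peer": start.group(2),
                       "port": int(start.group(3)), "attributes": {}}
            packets.append(current)
            in_attrs = False
        elif current is None:
            continue
        elif line.startswith("Code:"):
            current["code"] = line.split(":", 1)[1].strip()
        elif line.startswith("Identifier:"):
            current["identifier"] = int(line.split(":", 1)[1])
        elif line.startswith("Attributes:"):
            in_attrs = True
        elif in_attrs:
            attr = ATTR_LINE.match(line)
            if attr:
                current["attributes"][attr.group(1)] = attr.group(2)
            else:
                in_attrs = False  # a blank line or a log line ends the attribute list
    return packets


def parse_sshd_illegal_users(text):
    """Return (login name, source address) pairs that sshd refused before PAM ran."""
    hits = []
    for line in text.splitlines():
        m = ILLEGAL_USER.search(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def explain_requests(packets, sshd_log):
    """Classify each Access-Request as a real account name or sshd's placeholder."""
    attempted = sorted({name for name, _ in parse_sshd_illegal_users(sshd_log)})
    findings = []
    for pkt in packets:
        if pkt.get("code") != "Access-Request":
            continue
        user = pkt["attributes"].get("User-Name")
        placeholder = (user == SSHD_PLACEHOLDER_USER
                       and pkt["attributes"].get("NAS-Identifier") == "sshd")
        findings.append({
            "identifier": pkt["identifier"],
            "user_name": user,
            "verdict": "placeholder" if placeholder else "real",
            "attempted_users": attempted if placeholder else [],
        })
    return findings


if __name__ == "__main__":
    for f in explain_requests(parse_radiator_trace(RADIATOR_TRACE), SSHD_LOG):
        if f["verdict"] == "placeholder":
            print(f"id {f['identifier']}: User-Name {f['user_name']!r} is sshd's placeholder; "
                  f"sshd refused login(s) for {f['attempted_users']} (no passwd entry)")
        else:
            print(f"id {f['identifier']}: request for real account {f['user_name']!r}")
```

The practical consequence for this setup is that delegating the password
check to RADIUS does not remove the need for a passwd entry: sshd must be
able to resolve the account locally (or through NSS) before PAM, and so
pam_radius_auth, ever sees the real user name. A steady stream of "NOUSER"
requests from an sshd NAS-Identifier is therefore worth alerting on, since
it records login attempts against accounts that do not exist on that host.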

