(RADIATOR) SSH + PAM + Radiator

Mike McCauley mikem at open.com.au
Mon Nov 8 23:04:06 CST 2004


On Tuesday 09 November 2004 14:01, Hugh Irvine wrote:
> Hello Sean -
>
> I'm afraid I don't know anything useful in this instance.
>
> Does anyone else on the list have any experience in this area?

I suspect that the PAM config for sshd does a test for whether the user is a 
valid Unix user on that box, and that test01 is not a valid unix user.

Sean, you should try logging in with a va;id username for that box and see if 
it behaves differently.

Cheers.

>
> regards
>
> Hugh
>
> On 9 Nov 2004, at 14:45, Sean Bofinger wrote:
> > Hi Hugh,
> >
> > The only thing I can find that gives a hint is the following in the
> > sshd
> > log
> >
> > Nov  9 13:39:35 monitor sshd[17160]: Illegal user test01 from 10.0.2.22
> > Nov  9 13:39:39 monitor sshd[17160]: Failed password for illegal user
> > test01 from 10.0.2.22 port 41663 ssh2
> >
> >
> > If I add the test01 user as a local user, the ssh connection just
> > stops.  It doesn't fail the connection or allow the user.
> >
> > Cheers
> > Sean
> >
> > On Tue, 2004-11-09 at 13:22, Hugh Irvine wrote:
> >> Hello Sean -
> >>
> >> Thanks for sending the debug and so on.
> >>
> >> As you can see, the username that is received by Radiator is "NOUSER",
> >> not "test01".
> >>
> >> The NAS-Identifier in the request is "sshd", but it is not obvious to
> >> me whether it is sshd or pam that is sending "NOUSER".
> >>
> >> I think you will need to check both the sshd log and the pam log, then
> >> check the corresponding documentation.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >> On 9 Nov 2004, at 14:02, Sean Bofinger wrote:
> >>> Hi,
> >>>
> >>> I am trying to authenticate ssh users through radiator and am having
> >>> some problems.  No users are being authenticated.  I created a user
> >>> test01 in the radmin screen, but when i try to log into the box using
> >>> this users, it get the following error in the radiator logfile
> >>>
> >>> -------------------------------------------------
> >>>
> >>> *** Received from 127.0.0.1 port 11280 ....
> >>> Code:       Access-Request
> >>> Identifier: 42
> >>> Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
> >>> Attributes:
> >>>         User-Name = "NOUSER"
> >>>         User-Password =
> >>> "<243><208><132>*<127>@*b<<159><16><132><18><240><229>j"
> >>>         NAS-IP-Address = 10.0.1.7
> >>>         NAS-Identifier = "sshd"
> >>>         NAS-Port = 10255
> >>>         NAS-Port-Type = Virtual
> >>>         Service-Type = Authenticate-Only
> >>>         Calling-Station-Id = "peregrine.office.lan"
> >>>
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Handling request with Handler
> >>> 'Realm=DEFAULT'
> >>> Tue Nov  9 11:49:40 2004: DEBUG:  Deleting session for NOUSER,
> >>> 10.0.1.7, 10255
> >>> Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'delete from RADONLINE
> >>> where NASIDENTIFIER='10.0.1.7' and NASPORT=010255':
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN:
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Query is: 'select PASS_WORD,
> >>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS,
> >>> VALIDFROM,
> >>> VALIDTO from RADUSERS where USERNAME='NOUSER'':
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Radius::AuthRADMIN looks for match
> >>> with NOUSER
> >>> Tue Nov  9 11:49:40 2004: INFO: Access rejected for NOUSER: No such
> >>> user
> >>> Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'insert into RADAUTHLOG
> >>> (TIME_STAMP, USERNAME, TYPE, REASON) values (1099964980, 'NOUSER', 0,
> >>> 'No such user')':
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Packet dump:
> >>> *** Sending to 127.0.0.1 port 11280 ....
> >>> Code:       Access-Reject
> >>> Identifier: 42
> >>> Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
> >>> Attributes:
> >>>         Reply-Message = "Request Denied"
> >>>
> >>> ------------------------------------------------------------------
> >>> My /etc/pam.d/sshd file looks like
> >>>
> >>> #%PAM-1.0
> >>> #auth       required     pam_stack.so service=system-auth
> >>> #auth       required     pam_nologin.so
> >>> auth       sufficient   /lib/security/pam_radius_auth.so
> >>> account    sufficient   /lib/security/pam_radius_auth.so
> >>> #account    required     pam_stack.so service=system-auth
> >>> #password   required     pam_stack.so service=system-auth
> >>> #session    required     pam_stack.so service=system-auth
> >>> session    required     pam_limits.so
> >>> session    optional     pam_console.so
> >>>
> >>> -----------------------------------------------------------------
> >>>
> >>>
> >>> And the radius.cfg
> >>>
> >>> LogDir          /var/log/radius
> >>> DbDir           /etc/radiator
> >>>
> >>> Trace 4
> >>>
> >>> <Client DEFAULT>
> >>>         Secret  mysecret
> >>>         DupInterval 0
> >>> </Client>
> >>>
> >>> <ClientListSQL>
> >>>         DBSource        dbi:mysql:radmin:localhost
> >>>         DBUsername      radmin
> >>>         DBAuth          radminpw
> >>>
> >>>                                                      </ClientListSQL>
> >>>
> >>>
> >>> <Realm DEFAULT>
> >>>         <AuthBy RADMIN>
> >>>                 DBSource        dbi:mysql:radmin:localhost
> >>>                 DBUsername      radmin
> >>>                 DBAuth          radminpw
> >>>
> >>>                 NoDefault
> >>> 		 AccountingTable RADUSAGE
> >>>                 AcctColumnDef   USERNAME,User-Name
> >>>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
> >>>                 AcctColumnDef
> >>> ACCTSTATUSTYPE,Acct-Status-Type,integer
> >>>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
> >>>                 AcctColumnDef
> >>> ACCTINPUTOCTETS,Acct-Input-Octets,integer
> >>>                 AcctColumnDef
> >>> ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> >>>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
> >>>                 AcctColumnDef
> >>> ACCTSESSIONTIME,Acct-Session-Time,integer
> >>>                 AcctColumnDef
> >>> ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> >>>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> >>>                 AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
> >>>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
> >>>                 AcctColumnDef   NASPORT,NAS-Port,integer
> >>>                 AcctColumnDef   DNIS,Called-Station-Id
> >>> #               AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
> >>>
> >>>
> >>>                 AcctSQLStatement update RADUSERS set
> >>> TIMELEFT=TIMELEFT-0%{Acct-Session-Time},
> >>> OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets},
> >>> OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where
> >>> USERNAME='%n'
> >>>                 AddToReply Framed-Protocol = PPP,\
> >>>                         Framed-IP-Netmask = 255.255.255.255,\
> >>>                         Framed-Routing = None,\
> >>>                         Framed-MTU = 1500,\
> >>>                         Framed-Compression = Van-Jacobson-TCP-IP
> >>>
> >>> 	</AuthBy>
> >>>
> >>>
> >>>         <AuthLog SQL>
> >>>
> >>>                 DBSource        dbi:mysql:radmin:localhost
> >>>                 DBUsername      radmin
> >>>                 DBAuth          radminpw
> >>>
> >>>                 LogSuccess
> >>>                 SuccessQuery insert into RADAUTHLOG (TIME_STAMP,
> >>> USERNAME, TYPE) values (%t, '%n', 1)
> >>>                 LogFailure
> >>>                 FailureQuery insert into RADAUTHLOG (TIME_STAMP,
> >>> USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
> >>>         </AuthLog>
> >>> </Realm>
> >>>
> >>> <SessionDatabase SQL>
> >>>         # This database spec usually should be exactly the same
> >>>         # as in <AuthBy RADMIN> above
> >>>         DBSource        dbi:mysql:radmin:localhost
> >>>         DBUsername      radmin
> >>>         DBAuth          radminpw
> >>>
> >>> </SessionDatabase>
> >>>
> >>> ------------------------------------------------
> >>>
> >>>
> >>> Any ideas?
> >>>
> >>>
> >>> Thanks in advance
> >>> Sean
> >>>
> >>>
> >>> --
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >
> > --
> > Sean Bofinger
> >
> > Systems and Network Administrator
> > Wotif.com
> > www.wotif.com
> >
> > t: +61 7 3512 9999
> > f: +61 7 3512 9900
> > e: sean.bofinger at wotif.com
> >
> > Wotif.com is the global specialist in last-minute accommodation.
> > Wotif.com's properties can be booked online or through our call centre
> > which operates 24 hours a day, 7 days a week.
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list