(RADIATOR) SSH + PAM + Radiator

Sean Bofinger sean.bofinger at wotif.com
Mon Nov 8 23:42:35 CST 2004


Well, I have finally figured it out.  Mike, you were right about ssh
passing the NOUSER name if there is no valid local user. To get the
pam_radius_auth module to work, I had to change my
/etc/pam.d/system-auth to the following

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
#added for radiator
auth    sufficient /lib/security/pam_radius_auth.so debug
auth        required      /lib/security/$ISA/pam_deny.so

#added for radiator
account    sufficient   /lib/security/pam_radius_auth.so
account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so


This may be just a Red Hat/Fedora quirk.  The system now authenticates against the Radiator system.

Sean
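The auth stack above can be walked through with a small simulator of the Linux-PAM control flags (required, requisite, sufficient, optional). This is an added example, not code from the thread or from Radiator, and the module return codes it feeds in are constructed, not real PAM calls:

```python
# Added example, not from the thread: a simulator of Linux-PAM control-flag
# semantics, applied to the /etc/pam.d/system-auth auth stack above to show
# why its order admits local and RADIUS-only users yet still denies the rest.
# Module return codes are constructed inputs, not real PAM calls.
SUCCESS, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")

# (control flag, module) in stack order, as in the posted system-auth file.
SYSTEM_AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_radius_auth.so"),
    ("required", "pam_deny.so"),
]

def run_stack(stack, results):
    """Overall result of an auth stack given each module's own return code.
    required:   failure is remembered, the rest of the stack still runs
    requisite:  failure returns at once
    sufficient: success ends the stack unless a required module already failed
    optional:   failure is ignored; success counts if nothing else decides"""
    failure = None      # first required/requisite failure seen
    positive = False    # has any module contributed a success?
    for control, module in stack:
        res = results.get(module, AUTH_ERR)   # module not listed => it fails
        ok = res == SUCCESS
        if control == "sufficient":
            if ok and failure is None:
                return SUCCESS
            continue        # a failing 'sufficient' module is simply skipped
        if ok:
            positive = True
        elif control == "requisite":
            return res
        elif control == "required" and failure is None:
            failure = res
    if failure is not None:
        return failure
    # No positive result at all (e.g. every module was 'sufficient' and all
    # of them failed): Linux-PAM reports that as PAM_PERM_DENIED.
    return SUCCESS if positive else PERM_DENIED

def system_auth_result(unix_result, radius_result):
    """Run the posted stack; pam_env always succeeds and pam_deny always fails."""
    return run_stack(SYSTEM_AUTH, {"pam_env.so": SUCCESS, "pam_deny.so": AUTH_ERR,
                                   "pam_unix.so": unix_result,
                                   "pam_radius_auth.so": radius_result})
```

With this stack a local user passes at pam_unix, a RADIUS-only user passes at pam_radius_auth, and anyone else is stopped by the required pam_deny; a stack made only of one failing sufficient module, like the first /etc/pam.d/sshd in the thread, ends in PAM_PERM_DENIED.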

On Tue, 2004-11-09 at 14:01, Hugh Irvine wrote:
> Hello Sean -
> 
> I'm afraid I don't know anything useful in this instance.
> 
> Does anyone else on the list have any experience in this area?
> 
> regards
> 
> Hugh
> 
> 
> On 9 Nov 2004, at 14:45, Sean Bofinger wrote:
> 
> > Hi Hugh,
> >
> > The only thing I can find that gives a hint is the following in the sshd log
> >
> > Nov  9 13:39:35 monitor sshd[17160]: Illegal user test01 from 10.0.2.22
> > Nov  9 13:39:39 monitor sshd[17160]: Failed password for illegal user test01 from 10.0.2.22 port 41663 ssh2
> >
> >
> > If I add the test01 user as a local user, the ssh connection just
> > stops.  It doesn't fail the connection or allow the user.
> >
> > Cheers
> > Sean
> > On Tue, 2004-11-09 at 13:22, Hugh Irvine wrote:
> >> Hello Sean -
> >>
> >> Thanks for sending the debug and so on.
> >>
> >> As you can see, the username that is received by Radiator is "NOUSER",
> >> not "test01".
> >>
> >> The NAS-Identifier in the request is "sshd", but it is not obvious to
> >> me whether it is sshd or pam that is sending "NOUSER".
> >>
> >> I think you will need to check both the sshd log and the pam log, then
> >> check the corresponding documentation.
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >>
> >> On 9 Nov 2004, at 14:02, Sean Bofinger wrote:
> >>
> >>> Hi,
> >>>
> >>> I am trying to authenticate ssh users through Radiator and am having
> >>> some problems.  No users are being authenticated.  I created a user
> >>> test01 in the radmin screen, but when I try to log into the box using
> >>> this user, I get the following error in the Radiator logfile
> >>>
> >>> -------------------------------------------------
> >>>
> >>> *** Received from 127.0.0.1 port 11280 ....
> >>> Code:       Access-Request
> >>> Identifier: 42
> >>> Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
> >>> Attributes:
> >>>         User-Name = "NOUSER"
> >>>         User-Password =
> >>> "<243><208><132>*<127>@*b<<159><16><132><18><240><229>j"
> >>>         NAS-IP-Address = 10.0.1.7
> >>>         NAS-Identifier = "sshd"
> >>>         NAS-Port = 10255
> >>>         NAS-Port-Type = Virtual
> >>>         Service-Type = Authenticate-Only
> >>>         Calling-Station-Id = "peregrine.office.lan"
> >>>
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Handling request with Handler
> >>> 'Realm=DEFAULT'
> >>> Tue Nov  9 11:49:40 2004: DEBUG:  Deleting session for NOUSER,
> >>> 10.0.1.7, 10255
> >>> Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'delete from RADONLINE
> >>> where NASIDENTIFIER='10.0.1.7' and NASPORT=010255':
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Handling with Radius::AuthRADMIN:
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Query is: 'select PASS_WORD,
> >>> STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM,
> >>> VALIDTO from RADUSERS where USERNAME='NOUSER'':
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Radius::AuthRADMIN looks for match
> >>> with NOUSER
> >>> Tue Nov  9 11:49:40 2004: INFO: Access rejected for NOUSER: No such
> >>> user
> >>> Tue Nov  9 11:49:40 2004: DEBUG: do query is: 'insert into RADAUTHLOG
> >>> (TIME_STAMP, USERNAME, TYPE, REASON) values (1099964980, 'NOUSER', 0,
> >>> 'No such user')':
> >>> Tue Nov  9 11:49:40 2004: DEBUG: Packet dump:
> >>> *** Sending to 127.0.0.1 port 11280 ....
> >>> Code:       Access-Reject
> >>> Identifier: 42
> >>> Authentic:  C<132><201><241>,<141>J11<219><208><216>3@<160>{
> >>> Attributes:
> >>>         Reply-Message = "Request Denied"
> >>>
> >>> ------------------------------------------------------------------
> >>> My /etc/pam.d/sshd file looks like
> >>>
> >>> #%PAM-1.0
> >>> #auth       required     pam_stack.so service=system-auth
> >>> #auth       required     pam_nologin.so
> >>> auth       sufficient   /lib/security/pam_radius_auth.so
> >>> account    sufficient   /lib/security/pam_radius_auth.so
> >>> #account    required     pam_stack.so service=system-auth
> >>> #password   required     pam_stack.so service=system-auth
> >>> #session    required     pam_stack.so service=system-auth
> >>> session    required     pam_limits.so
> >>> session    optional     pam_console.so
> >>>
> >>> -----------------------------------------------------------------
> >>>
> >>>
> >>> And the radius.cfg
> >>>
> >>> LogDir          /var/log/radius
> >>> DbDir           /etc/radiator
> >>>
> >>> Trace 4
> >>>
> >>> <Client DEFAULT>
> >>>         Secret  mysecret
> >>>         DupInterval 0
> >>> </Client>
> >>>
> >>> <ClientListSQL>
> >>>         DBSource        dbi:mysql:radmin:localhost
> >>>         DBUsername      radmin
> >>>         DBAuth          radminpw
> >>>
> >>> </ClientListSQL>
> >>>
> >>>
> >>> <Realm DEFAULT>
> >>>         <AuthBy RADMIN>
> >>>                 DBSource        dbi:mysql:radmin:localhost
> >>>                 DBUsername      radmin
> >>>                 DBAuth          radminpw
> >>>
> >>>                 NoDefault
> >>>                 AccountingTable RADUSAGE
> >>>                 AcctColumnDef   USERNAME,User-Name
> >>>                 AcctColumnDef   TIME_STAMP,Timestamp,integer
> >>>                 AcctColumnDef   ACCTSTATUSTYPE,Acct-Status-Type,integer
> >>>                 AcctColumnDef   ACCTDELAYTIME,Acct-Delay-Time,integer
> >>>                 AcctColumnDef   ACCTINPUTOCTETS,Acct-Input-Octets,integer
> >>>                 AcctColumnDef   ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> >>>                 AcctColumnDef   ACCTSESSIONID,Acct-Session-Id
> >>>                 AcctColumnDef   ACCTSESSIONTIME,Acct-Session-Time,integer
> >>>                 AcctColumnDef   ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> >>>                 AcctColumnDef   FRAMEDIPADDRESS,Framed-IP-Address
> >>>                 AcctColumnDef   NASIDENTIFIER,NAS-IP-Address
> >>>                 AcctColumnDef   NASIDENTIFIER,NAS-Identifier
> >>>                 AcctColumnDef   NASPORT,NAS-Port,integer
> >>>                 AcctColumnDef   DNIS,Called-Station-Id
> >>> #               AcctColumnDef   CALLINGSTATIONID,Calling-Station-Id
> >>>
> >>>
> >>>                 AcctSQLStatement update RADUSERS set TIMELEFT=TIMELEFT-0%{Acct-Session-Time}, OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets}, OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
> >>>                 AddToReply Framed-Protocol = PPP,\
> >>>                         Framed-IP-Netmask = 255.255.255.255,\
> >>>                         Framed-Routing = None,\
> >>>                         Framed-MTU = 1500,\
> >>>                         Framed-Compression = Van-Jacobson-TCP-IP
> >>>
> >>>         </AuthBy>
> >>>
> >>>
> >>>         <AuthLog SQL>
> >>>
> >>>                 DBSource        dbi:mysql:radmin:localhost
> >>>                 DBUsername      radmin
> >>>                 DBAuth          radminpw
> >>>
> >>>                 LogSuccess
> >>>                 SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
> >>>                 LogFailure
> >>>                 FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
> >>>         </AuthLog>
> >>> </Realm>
> >>>
> >>> <SessionDatabase SQL>
> >>>         # This database spec usually should be exactly the same
> >>>         # as in <AuthBy RADMIN> above
> >>>         DBSource        dbi:mysql:radmin:localhost
> >>>         DBUsername      radmin
> >>>         DBAuth          radminpw
> >>>
> >>> </SessionDatabase>
> >>>
> >>> ------------------------------------------------
> >>>
> >>>
> >>> Any ideas?
> >>>
> >>>
> >>> Thanks in advance
> >>> Sean
> >>>
> >>>
> >>> --
> >>> Archive at http://www.open.com.au/archives/radiator/
> >>> Announcements on radiator-announce at open.com.au
> >>> To unsubscribe, email 'majordomo at open.com.au' with
> >>> 'unsubscribe radiator' in the body of the message.
> >>>
> >>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> > -- 
> > Sean Bofinger
> >
> > Systems and Network Administrator
> > Wotif.com
> > www.wotif.com
> >
> > t: +61 7 3512 9999
> > f: +61 7 3512 9900
> > e: sean.bofinger at wotif.com
> >
> > Wotif.com is the global specialist in last-minute accommodation.
> > Wotif.com's properties can be booked online or through our call centre
> > which operates 24 hours a day, 7 days a week.
> >
> >
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
