[RADIATOR] pam_radius_auth x86_64 password garbled RHEL/CENTOS 5.8

Thu Mar 15 18:11:57 CDT 2012

On 03/14/2012 07:22 PM, Judd Maltin wrote:

> I'm kinda posting to the wrong list - but was hoping to hit a lot of
> RADIUS folks here.  I'm having a big pinch of trouble.
> 
> I'm compiling my pam_radius_auth on x86_64 source and getting the
> following in my logs - the password is showing ^M^?INCORRECT - that's
> totally wrong:

Looks like there are failures to sending to RADIUS server. Maybe they
are part of the problem.

Please see my comments below:

> Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: Got user name
> jmaltin@<ip_removed_by_poster>
> Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: Sending RADIUS request code 1
> Mar 14 12:57:29 app2 sshd[12858]: pam_radius_auth: DEBUG:
> getservbyname(radius, udp) returned 1005286112.
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: RADIUS server
> 127.0.0.1 failed to respond
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG:
> get_ipaddr(Add) returned 0.
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Failed looking up
> IP address for RADIUS server Add (errcode=9)
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG:
> getservbyname(radius, udp) returned 1005286112.
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got RADIUS response code 3
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: authentication failed
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got user name
> jmaltin@<removed_by_poster>
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Got password ^M^?INCORRECT

The comment in pam_radius_auth.c just before 'Got password ...' message
says:

/* grab the password (if any) from the previous authentication layer */

The call that grabs the password, in this case '^M^?INCORRECT', is
pam_get_item() where the item type is PAM_AUTHTOK. According to manual
page, this is the password from pam module stack.

http://linux.die.net/man/3/pam_get_item

So maybe this is a PAM configuration issue.

> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: Sending RADIUS request code 1
> Mar 14 12:57:30 app2 sshd[12858]: pam_radius_auth: DEBUG:
> getservbyname(radius, udp) returned 1005286112.
> Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: RADIUS server
> 127.0.0.1 failed to respond
> Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: DEBUG:
> get_ipaddr(Add) returned 0.
> Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: Failed looking up
> IP address for RADIUS server Add (errcode=9)
> Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: DEBUG:
> getservbyname(radius, udp) returned 1005286112.
> Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: Got RADIUS response code 3
> Mar 14 12:57:31 app2 sshd[12858]: pam_radius_auth: authentication failed
> Mar 14 12:57:31 app2 sshd[12858]: Failed password for invalid user
> jmaltin at voxel.net from <ip_removed_by_poster> port 44398 ssh2
> 
> 
> What's the magic way to compile this for x86_64?

The compile probably went fine. I do not think there would be any
difference with 32bit machine. The warnings seem to be valid, but I do
not think they are related to the problems you are seeing.

> Notice I added the -m64 to try to force 64 bit.
> 
> [root at app2 pam_radius-1.3.17]# make
> cc -Wall -fPIC -m64 -c pam_radius_auth.c -o pam_radius_auth.o
> pam_radius_auth.c: In function ‘talk_radius’:
> pam_radius_auth.c:886: warning: pointer targets in passing argument 6
> of ‘recvfrom’ differ in signedness

Seems to be int vs size_t

> pam_radius_auth.c: In function ‘pam_sm_authenticate’:
> pam_radius_auth.c:1102: warning: assignment from incompatible pointer type

Pointer vs pointer to pointer.

> cc -Wall -fPIC -m64   -c -o md5.o md5.c
> ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
> [root at app2 pam_radius-1.3.17]#

Thanks!
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.