How to do FreeRADIUS understand the ssh encrypted password that is passed?


Kalil de A. Carvalho
Hello all.

It is me again. Sorry for that.

I have my environment working fine for telnet access, my FreeRADIUS server
is doing the user search on LDAP with no problem but, when I use any ssh
session, an encrypted password is passed that RADIUS tries to use with the LDAP
database; it finds the user, but the password is considered wrong and my
access is rejected.

I searched for configuration and what I saw is very similar to what I have
here. The only difference is that I am using an EdgeRouter Lite, but I am
following the documentation and using the GUI tool.

Can anyone help me?

Best regards.



--
Sincerely,
Kalil de A. Carvalho
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to do FreeRADIUS understand the ssh encrypted password that is passed?

Alan DeKok-2
On Jul 27, 2017, at 1:22 PM, Kalil de A. Carvalho <[hidden email]> wrote:
> I have my environment working fine for telnet access, my FreeRADIUS server
> is doing the user search on LDAP with no problem but, when I use any ssh
> session, an encrypted password is passed that RADIUS

  What does that mean?

  It's almost always best to post the actual debug output.  That is much clearer than vague descriptions.

> tries to use with the LDAP
> database; it finds the user, but the password is considered wrong and my
> access is rejected.

  My *guess* is that the SSH session is set up to use PAM.  And that PAM is mangling the password to "invalid" or some such string.

  Again, reading the debug output would show you this.

> I searched for configuration and what I saw is very similar to what I have
> here. The only difference is that I am using an EdgeRouter Lite, but I am
> following the documentation and using the GUI tool.
>
> Can anyone help me?

  Post the debug output as suggested in the "man" page, FAQ, web pages, and daily on this list.

  Alan DeKok.



Re: How to do FreeRADIUS understand the ssh encrypted password that is passed?

Kalil de A. Carvalho
Hello Alan.

Thanks for your reply.

Here are the parts of the debug output that are important, I think:

"My *guess* is that the SSH session is set up to use PAM.  And that PAM is
mangling the password to "invalid" or some such string." <- you were
right!

Received Access-Request Id 51 from IP_SOURCE:10722 to SERVER_RADIUS:1812 length 89
User-Name = 'bo01'
User-Password = '\010\n\r\177INCORRECT'
NAS-IP-Address = 127.0.1.1
NAS-Identifier = 'sshd'
NAS-Port = 9697
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = 'CLIENT_TEST'


This just shows that the LDAP search is working fine:

User found. Comparison between membership: name (resolved from DN), check: name

Here is the result of the password comparison:

(2)  ERROR: ldap : Bind credentials incorrect: Invalid credentials
(2)  ERROR: ldap : Server said: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1.

Best regards,


--
Sincerely,
Kalil de A. Carvalho

Re: How to do FreeRADIUS understand the ssh encrypted password that is passed?

Alan DeKok-2
On Jul 27, 2017, at 3:27 PM, Kalil de A. Carvalho <[hidden email]> wrote:
> Here are the parts of the debug output that are important, I think:

  Yes.

> "My *guess* is that the SSH session is set up to use PAM.  And that PAM is
> mangling the password to "invalid" or some such string." <- you were
> right!
>
> Received Access-Request Id 51 from IP_SOURCE:10722 to SERVER_RADIUS:1812 length 89
> User-Name = 'bo01'
> User-Password = '\010\n\r\177INCORRECT'

  As I said.

  The problem is in PAM.  No amount of poking FreeRADIUS will make it work.

  One of the other PAM modules is failing to find the user locally, and is mangling the password to "INCORRECT".

  PAM *requires* that users have local accounts.  i.e. UID, GID, shell, etc.  PAM *cannot* authenticate users who don't have local accounts.

  PAM is only for doing remote password checks.  Not for remotely creating users.

  Alan DeKok.
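
The check described in this thread (read the debug output and look at what actually arrived in User-Password) can be scripted. The following is an added example, not part of the original messages and not FreeRADIUS code: it scans debug output for Access-Requests whose User-Password is the `\010\n\r\177INCORRECT` placeholder shown above and reports the user and NAS involved. Function names, the sample addresses and request 52 are constructed; also accepting the same string cycled or cut to another length is an assumption.

```python
import re

# Placeholder password seen in this thread's debug output for the ssh login.
SSHD_JUNK = "\b\n\r\x7fINCORRECT"
_ESC = re.compile(r"\\([0-7]{3}|.)")
_CTRL = {"n": "\n", "r": "\r", "t": "\t"}
_ATTR = re.compile(r"^(?:\(\d+\)\s*)?([\w-]+) = '?(.*?)'?$")  # optional "(2) " prefix

def unescape(value):
    """Undo the \\ooo, \\n, \\r style escapes used in the debug output."""
    return _ESC.sub(lambda m: chr(int(m.group(1), 8)) if len(m.group(1)) == 3
                    else _CTRL.get(m.group(1), m.group(1)), value)

def is_sshd_placeholder(password):
    """True for SSHD_JUNK, or (assumed variant) SSHD_JUNK cycled or cut to length."""
    n = len(password)
    return n >= 4 and password == (SSHD_JUNK * n)[:n]

def parse_access_requests(debug_text):
    """Collect the attributes of each Access-Request into a dict."""
    packets, in_packet = [], False
    for raw in debug_text.splitlines():
        m = _ATTR.match(raw.strip())
        if "Received Access-Request" in raw:
            packets.append({})
            in_packet = True
        elif in_packet and m:
            packets[-1][m.group(1)] = unescape(m.group(2))
        else:
            in_packet = False  # first non-attribute line ends the packet
    return packets

def placeholder_logins(debug_text):
    """(User-Name, NAS-Identifier) of each request carrying the placeholder."""
    return [(p.get("User-Name"), p.get("NAS-Identifier"))
            for p in parse_access_requests(debug_text)
            if is_sshd_placeholder(p.get("User-Password", ""))]

# Constructed sample: request 51 mirrors the thread, request 52 is invented.
SAMPLE = r"""Received Access-Request Id 51 from 192.0.2.10:10722 to 192.0.2.1:1812 length 89
User-Name = 'bo01'
User-Password = '\010\n\r\177INCORRECT'
NAS-Identifier = 'sshd'
Received Access-Request Id 52 from 192.0.2.11:40100 to 192.0.2.1:1812 length 70
User-Name = 'alice'
User-Password = 'constructed-password'
"""

if __name__ == "__main__":
    print(placeholder_logins(SAMPLE))  # [('bo01', 'sshd')]
```

A hit means the password was replaced before the request was sent, so the place to look is the PAM and local account setup on the host named in NAS-Identifier, not the FreeRADIUS or LDAP configuration.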

