ssh authentication failed problem use freeradius & pam_radius


ssh authentication failed problem use freeradius & pam_radius

小牧
Hi everyone,

I am trying to use pam_radius to authenticate SSH login. My system is CentOS 5.6 64bit.
When I try to authenticate with ssh it fails, though I am sure the shared secret is correct.

Freeradius got the following logs:

rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "1111"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password.        Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject

And by the way, is it possible to create an ssh user on the NAS after the first successful authentication?


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ssh authentication failed problem use freeradius & pam_radius

Alan DeKok-2
小牧 wrote:
> I am trying to use pam_radius to authenticate SSH login.My system is
> Centos 5.6 64bit.
> When I try to authenticate with ssh but failed,I am sure the shared
> secret is correct.

  The shared secret is correct.

> [pap] login attempt with password "? INCORRECT"

  This is an issue with PAM on the client machine.  Some other module is
doing password checking.  When the password check fails, it re-sets the
password to "INCORRECT".  That password is then sent to the pam_radius
module.

  Go fix the client so that the PAM modules don't change the password.

  Alan DeKok.

Re: ssh authentication failed problem use freeradius & pam_radius

小牧
Hello, Alan.

Thank you for your response.
Alan wrote:
> This is an issue with PAM on the client machine.  Some other module is
> doing password checking.  When the password check fails, it re-sets the
> password to "INCORRECT".  That password is then sent to the pam_radius
> module.
> Go fix the client so that the PAM modules don't change the password.


My /etc/pam.d/sshd file contains the following settings:
-bash-3.2# cat sshd
#%PAM-1.0
auth       sufficient   pam_radius_auth.so debug
auth       include      system-auth
account    sufficient   pam_radius_auth.so
account    required     pam_nologin.so
account    include      system-auth
password   sufficient   pam_radius_auth.so
password   include      system-auth
session    sufficient   pam_radius_auth.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so



Re: ssh authentication failed problem use freeradius & pam_radius

Martin Pauly
小牧 <[hidden email]> wrote:
>> This is an issue with PAM on the client machine.  Some other module is
> doing password checking.  When the password check fails, it re-sets the
> password to "INCORRECT".  That password is then sent to the pam_radius
> module.  
> Go fix the client so that the PAM modules don't change the password.
>
>
> My /etc/pam.d/sshd file contains the following settings:

I had a similar problem today. PAM considered the user illegal because
the uid in question was unknown on the machine to be accessed by ssh.
Adding the user locally was required anyway, I had forgotten that on
that particular machine, there are only local accounts.

HTH (and thanx to Alan)
Martin

--
  Dr. Martin Pauly     Phone:  +49-6421-28-23527
  HRZ Univ. Marburg    Fax:    +49-6421-28-26994
  Hans-Meerwein-Str.   E-Mail: [hidden email]
  D-35032 Marburg

Re: ssh authentication failed problem use freeradius & pam_radius

sam
Is there anyone to contribute this fix?
sam

Re: ssh authentication failed problem use freeradius & pam_radius

sam
The pam_radius_auth module is installed on Linux, and user-A is not created locally; it exists only in the remote RADIUS server.
In the following function in pam_radius_auth.c, *password is always INCORRECT.
+++++++++++++code+++++++++++++
  /* rad_converse() from pam_radius_auth.c; the inline annotations have been
     turned into comments.  CONST and PAM_FAIL_CHECK are macros defined
     elsewhere in that file. */
  static int rad_converse(pam_handle_t *pamh, int msg_style, char *message, char **password)
  {
    CONST struct pam_conv *conv;
    struct pam_message resp_msg;
    CONST struct pam_message *msg[1];
    struct pam_response *resp = NULL;
    int retval;

    resp_msg.msg_style = msg_style;
    resp_msg.msg = message;
    msg[0] = &resp_msg;

    /* grab the password */
    retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv);
    PAM_FAIL_CHECK;

    /* ask the application (here sshd) for the password through the PAM
       conversation; it seems resp is where the useful information is saved */
    retval = conv->conv(1, msg, &resp, conv->appdata_ptr);
    PAM_FAIL_CHECK;

    if (password) {               /* assume msg.type needs a response */
      /* I'm not sure if this next bit is necessary on Linux */
      _pam_log(LOG_ERR, "enter in");   /* debug trace */
  #ifdef sun
      /* NULL response, fail authentication */
      if ((resp == NULL) || (resp->resp == NULL)) {
        return PAM_SYSTEM_ERR;
      }
  #endif

      /* the returned value is saved to *password; here it is always "INCORRECT" */
      *password = resp->resp;
      free(resp);
    }

    return PAM_SUCCESS;
  }
+++++++++++++code+++++++++++++

Not familiar with this module, can anybody give some instructions?

Re: ssh authentication failed problem use freeradius & pam_radius

Fajar A. Nugraha-2
On Thu, May 24, 2012 at 9:44 PM, sam <[hidden email]> wrote:
> The pam_radius_auth module is installed on linux, and if the user-A is not
> created in local and  only existed in remote radius server.
> In following function() in pam_radius_auth.c, the *password always is
> INCORRECT

That is the expected behavior. For pam to work, the user needs to
exist in whatever user db it recognizes (in this case, local user).

> Not familiar with this module, can anybody give some instrutions?

Had you read the previous messages, you'd know that if you want to
modify something, it'd be in pam, and NOT in pam_radius plugin.
Possibly by using nss_mysql and getting it to use the same data that
FR is using (with the help of views, or whatever).

But since you decided to ignore it anyway and insist on focusing your
efforts on pam_radius_auth.c, you're pretty much on your own.

--
Fajar
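An added triage helper for the failure discussed in this thread (my example, not code from the list or from pam_radius): it classifies the PAP reject quoted in the first message and performs the local-account check that the replies converge on. The sample log is constructed from that message; the verdict names, the remediation text and the injectable `lookup` parameter are my own.

```python
import pwd
import re

# Constructed sample: the lines that matter from the FreeRADIUS debug output in the first message.
SAMPLE_LOG = """\
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "1111"
[pap] Passwords don't match
++[pap] returns reject
WARNING: Unprintable characters in the password.        Double-check the shared secret on the server and the NAS!
"""

LOGIN_RE = re.compile(r'\[pap\] login attempt with password "(?P<pw>[^"]*)"')
UNPRINTABLE = "Unprintable characters in the password"

# Remediation per verdict, following the thread's diagnosis (wording is mine).
REMEDIATION = {
    "user-unknown-on-nas": "Create the account on the NAS or expose it via NSS; do not patch pam_radius.",
    "shared-secret-mismatch": "Compare the secret in clients.conf with pam_radius_auth.conf on the NAS.",
    "wrong-password": "The typed password reached FreeRADIUS intact and simply did not match.",
    "not-rejected": "No PAP reject in this excerpt.",
}

def classify_reject(log):
    """Classify a PAP reject in FreeRADIUS debug output; returns a REMEDIATION key.
    The INCORRECT placeholder plus the unprintable-characters warning means the NAS
    never forwarded the typed password: the account could not be resolved locally."""
    lines = log.splitlines()
    if not any("[pap] returns reject" in ln for ln in lines):
        return "not-rejected"
    password = ""
    for ln in lines:
        m = LOGIN_RE.search(ln)
        if m:
            password = m.group("pw")
    unprintable = any(UNPRINTABLE in ln for ln in lines)
    if unprintable and "INCORRECT" in password:
        return "user-unknown-on-nas"
    if unprintable:
        return "shared-secret-mismatch"  # wrong secret descrambles the PAP password into garbage
    return "wrong-password"

def local_account_exists(user, lookup=pwd.getpwnam):
    """The check the replies converge on: the NAS must resolve the account (passwd or NSS).
    `lookup` is injectable so the function can be exercised without the real passwd db."""
    try:
        lookup(user)
        return True
    except KeyError:
        return False
```

Run `classify_reject` over the `-X` debug output of the failing request, and `local_account_exists` on the NAS for the user in question, before touching the shared secret.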