Hi,
the official mailing list for discussing PAM configuration
problems, especially as they affect modules not part of
Linux-PAM like here, is pam-list(a)readhat.com. Please send your
questions there.
Thorsten
On Fri, May 27, DEEPAK SHARMA wrote:
---------- Forwarded message ----------
From: Deepak Sharma <Deepak.Sharma(a)aricent.com>
Date: Fri, 27 May 2011 13:28:50 +0530
Subject: Linux PAM Authentication failed: Non-Local users
To: "deepaksharma06(a)gmail.com" <deepaksharma06(a)gmail.com>
Hello Everyone,
We are trying to perform Radius based authentication of any guest user
using Linux PAM module 1.0
As radius client, pam_radius-1.3.17 plugin is used and freeradius
server is used as Radius Server.
I have performed the Radius client and server configurations according
to the guidelines.
I added the radius entry in /etc/pam.d/sshd:
#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so debug client_id=linux
While I am trying to perform authentication of users, the following are
the outcomes depending upon whether the user (trying to log in) is locally
configured or not.
Users are trying to log in via ssh. Both users A and B are configured
in the Radius Server.
1. If user A (locally configured in Linux M/C) tries to log in, then
Linux PAM gets the user/password information and sends it to the radius
server. Radius Server authenticates the user/password in its database
and sends a successful acknowledgement to the linux m/c. User is allowed to
log in.
2. If user B (not configured in Linux M/C) logs in, then
authentication is rejected by the Radius Server. Radius Server logs
are showing that the password is either malformed/incorrect.
*********************************************************************************************************************************************************************************************************************
Radius Server Logs:
rad_recv: Access-Request packet from host 127.0.0.1:27138, id=117, length=91
User-Name = "abcd"
User-Password = "\010\n\INCORRECT"
NAS-IP-Address = 172.21.142.4
NAS-Identifier = "linux"
NAS-Port = 26113
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "172.21.142.140"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "abcd", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [abcd/\010\n\INCORRECT] (from client localhost port 26113 cli 172.21.142.140)
WARNING: Unprintable characters in the password. ? Double-check the shared secret on the server and the NAS!
*********************************************************************************************************************************************************************************************************************
SSHD Logs:
May 27 13:14:07 localho sshd[26113]: debug1: PAM: initializing for "abcd"
May 27 13:14:07 localho sshd[26113]: debug1: PAM: setting PAM_RHOST to "172.21.142.140"
May 27 13:14:07 localho sshd[26113]: debug1: PAM: setting PAM_TTY to "ssh"
May 27 13:14:09 localho sshd[26113]: pam_radius_auth: Got user name abcd
May 27 13:14:09 localho sshd[26113]: pam_radius_auth: Sending RADIUS request code 1
May 27 13:14:09 localho sshd[26113]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1768845152.
May 27 13:14:10 localho sshd[26113]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
May 27 13:14:10 localho sshd[26113]: pam_radius_auth: All RADIUS servers failed to respond.
May 27 13:14:10 localho sshd[26113]: pam_radius_auth: authentication failed
May 27 13:14:10 localho sshd(pam_unix)[26113]: check pass; user unknown
May 27 13:14:10 localho sshd(pam_unix)[26113]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.21.142.140
May 27 13:14:13 localho sshd[26113]: debug1: PAM: password authentication failed for an illegal user: Authentication failure
May 27 13:14:13 localho sshd[26113]: Failed password for invalid user abcd from ::ffff:172.21.142.140 port 36124 ssh2
*********************************************************************************************************************************************************************************************************************
After reading through a couple of forums, I got the hint that this is the way
PAM works.
Linux PAM has a restriction that the user-id must be configured locally on the Linux
M/C for successful Radius authentication.
But if we have the case of thousands of guest users, then it is not
possible to add every user on the machine itself.
I would like to know:
1. Is this the way PAM works? Is this limitation present in PAM?
2. I am using Linux PAM 1.0. Is there any patch/fix available in
a higher version of PAM?
3. Is there any way to overcome this issue by using some other
libpam-radius-auth plugin? Though I do not think it is a Radius client
plugin issue.
It will be really helpful if someone can help/suggest me in this regard.
Regards,
Deepak Sharma
Technical Leader
Aricent
Plot 5, Elec. Cirty,Sector 18, GURGAON
Mobile +91 99111 62935
Office +91 124 4095888 Ext 2939
Thanks
Deepak Sharma
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
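
Added example, not part of the original thread: a small triage script that correlates the two log excerpts quoted in the forwarded message. It assumes OpenSSH's behaviour of handing PAM a fixed junk password (`"\b\n\r\177INCORRECT"` in auth-pam.c) for accounts it cannot resolve on the SSH host, which FreeRADIUS prints octal-escaped; the function names and result labels are hypothetical.

```python
import re

# Log excerpts copied from the forwarded message, e-mail line wraps rejoined.
RADIUS_LOG = r"""
rad_recv: Access-Request packet from host 127.0.0.1:27138, id=117, length=91
User-Name = "abcd"
User-Password = "\010\n\INCORRECT"
Login incorrect: [abcd/\010\n\INCORRECT] (from client localhost port 26113 cli 172.21.142.140)
"""
SSHD_LOG = """
May 27 13:14:10 localho sshd(pam_unix)[26113]: check pass; user unknown
May 27 13:14:13 localho sshd[26113]: Failed password for invalid user abcd from ::ffff:172.21.142.140 port 36124 ssh2
"""

# Assumption: the escaped form of sshd's junk password as FreeRADIUS logs it.
PLACEHOLDER = re.compile(r"^\\010\\n.*INCORRECT$")
LOGIN_INCORRECT = re.compile(r"Login incorrect: \[([^/\]]+)/(.*?)\] \(from client")
INVALID_USER = re.compile(r"sshd\[\d+\]: Failed password for invalid user (\S+) from")


def invalid_users(sshd_log):
    """Users sshd itself reported as unknown on the SSH host."""
    return set(INVALID_USER.findall(sshd_log))


def classify_rejects(radius_log, sshd_log):
    """Label each RADIUS reject by what the server actually received."""
    unknown = invalid_users(sshd_log)
    findings = {}
    for user, password in LOGIN_INCORRECT.findall(radius_log):
        if not PLACEHOLDER.match(password):
            # The typed password reached RADIUS: credentials or shared secret.
            findings[user] = "real-password-rejected"
        elif user in unknown:
            # sshd replaced the password because the account is not local.
            findings[user] = "sshd-placeholder-unknown-user"
        else:
            findings[user] = "placeholder-uncorrelated"
    return findings


if __name__ == "__main__":
    for user, verdict in classify_rejects(RADIUS_LOG, SSHD_LOG).items():
        print(user, verdict)
```

A `sshd-placeholder-unknown-user` result means the typed password never left sshd, so the RADIUS warning about unprintable characters does not by itself indicate a shared-secret mismatch.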