FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0

getservbyname fails #63

Closed jangel97 closed 2 years ago

jangel97 commented 2 years ago

Hi,

My aim is to configure a Radius client via radius pam module, but I am getting some NSS error.

My environment:

My /etc/pam_radius.conf:

radius01 secret 100

My /etc/pam.d/sshd:

#%PAM-1.0

auth            required        pam_env.so
auth            sufficient      pam_radius_auth.so debug client_id=linux
auth            requisite       pam_succeed_if.so uid >= 500 quiet
auth            required        pam_deny.so

account         sufficient      pam_succeed_if.so uid < 500 quiet
account         required        pam_permit.so

password        requisite       pam_cracklib.so try_first_pass retry=3
password        required        pam_deny.so

session         required        pam_selinux.so close
session         required        pam_limits.so
session         [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
#session                required        pam_quota.so bsoftlimit=9216 bhardlimit=10240 path=/
session         required        pam_mkhomedir.so umask=0077
session         required        pam_selinux.so open

My /etc/ssh/sshd_config:

Protocol 2
Port 22

ListenAddress 0.0.0.0

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication
StrictModes yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication no
# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no

Banner /etc/login-banner

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Standard Options
X11Forwarding yes
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Match Address 0.0.0.0/0
    # Everyone else
    Banner /etc/login-banner
    GSSAPIAuthentication no
    PubkeyAuthentication no

Whenever I try to SSH I can see the following error in /var/log/secure:

Mar 28 12:05:54 bastiontest sshd[2572]: pam_radius_auth: ignore last_pass, force_prompt set
Mar 28 12:05:57 bastiontest sshd[2572]: pam_radius_auth: Sending RADIUS request code 1
Mar 28 12:05:57 bastiontest sshd[2572]: **pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fcb7effc240.**
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: RADIUS server radius01 failed to respond
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: authentication failed
Mar 28 12:06:00 bastiontest sshd[2570]: error: PAM: Authentication failure for user from 10.x.x.x
Mar 28 12:06:00 bastiontest sshd[2573]: pam_radius_auth: Got user name user
Mar 28 12:06:00 bastiontest sshd[2573]: pam_radius_auth: ignore last_pass, force_prompt set

What does this mean? The command getent services radius is working as expected.

alandekok commented 2 years ago

Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: RADIUS server radius01.authmgr.prod.int.rdu2.redhat.com failed to respond

The RADIUS server isn't responding. Most likely because the shared secret is wrong.

Check the debug logs on the RADIUS server.

jangel97 commented 2 years ago

Nothing arrives at the server; we are using tcpdump to see if network traffic gets there. I think pam_radius is breaking before sending anything.

Most likely there must be some misconfig in my nsswitch.conf.

passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss
shadow:     files sss
hosts:      files dns myhostname
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files