Closed: dayDPTR closed this 9 months ago

> Notice the line: (2) User-Password = "\010\n\r\177INC" from the above log, we can find that the Access-Request message carries the wrong password
This isn't a FreeRADIUS issue. The PAM libraries are sending the wrong password.
This isn't a pam_radius_auth issue. That string does not appear in the pam_radius_auth source code.
Something in PAM / SSH is modifying the password before pam_radius_auth gets it.
As I said in the message on the freeradius-users mailing list:
Fix your PAM configuration so that it only does RADIUS password checking.
i.e. this is a PAM problem. Nothing you do to FreeRADIUS will fix a PAM problem.
Hi experts,
I am a newbie to RADIUS.
Now I am building a FreeRadius server to authenticate different users.
Below is the topology:
Topology description: User1, User2 and User3 want to log in to the Linux server via SSH, and User1, User2 and User3 should be authenticated by the FreeRadius server during the SSH login. User1 had already been created at the Linux Server before building the central AAA system; its username is already saved in /etc/passwd and its password in /etc/shadow at the Linux Server, and it can log in to the Linux Server successfully. User2 and User3 are not created at the Linux Server.
Now we start a FreeRadius Server with below config:
Config items not listed here are using the default ones.
At the Linux server, we pulled the pam_radius source code from here (version 77da6f5028730ded726d50732da379568a9edded), built it and installed pam_radius_auth.so. Below are the config items:
From the above FreeRadius Server and Linux Server configuration, we can find that User1, User2 and User3 are added to FreeRadius's user list. When I tried to log in to the Linux Server as user pi via SSH, the login succeeded, and the Wireshark capture and FreeRadius show that RADIUS authenticated the user successfully. Below is the FreeRadius log:
When I tried to log in to the Linux Server as user bob or mario via SSH, the login failed, and the Wireshark capture and FreeRadius show that RADIUS authentication of the user failed. Below is the FreeRadius log:
Notice the line:
(2) User-Password = "\010\n\r\177INC"
From the above log, we can find that the Access-Request message carries the wrong password. The Wireshark capture also proves it. The only difference between user pi and users bob/mario is that pi was created at the Linux server but bob/mario were not. I did a Google search and found two different ideas:
One is here: they think a PAM module which runs before pam_radius_auth is checking the password locally, and when it's wrong, is setting the password to the "INCORRECT" string.
The other is here: they think the pam_radius_auth library can't correctly encrypt the password when the user is not defined in the system (/etc/passwd).
If my issue really results from the 2nd idea, it will be a critical issue for us, because our intention is to simplify user authentication on our network. We have many users and many Linux servers, and we don't want to create users one by one at every Linux Server, which is a huge workload for us. Consequently, I built a FreeRadius server to do authentication, authorization and accounting for every user. Our target is that when a new user joins us, the only thing I need to do is add him to the user list at the FreeRadius Server; then he can log in to the Linux Servers, and the FreeRadius server will authenticate him.
I am not sure: is the existence of users in the Linux system (/etc/passwd) a mandatory prerequisite for central pam_radius-based SSH?
Could any expert help me?
Thanks in advance.
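The two things a defender would check while debugging this symptom, as an added example that is not part of the issue, the maintainer's reply, or the pam_radius_auth project: first, decode the escaped `User-Password` value FreeRADIUS printed and compare it against the sentinel that `pam_unix` writes into `PAM_AUTHTOK` after a failed local password check (`"\b\n\r\177INCORRECT"` in the pam_unix source; `\b` is octal `\010` in FreeRADIUS's log escaping, which is why the log shows `\010\n\r\177INC`); second, lint the `auth` stack of a PAM service file for a `pam_unix.so` entry that runs before `pam_radius_auth.so`, which is exactly the misordering the maintainer tells the poster to fix. The log line and the two PAM stacks below are constructed samples, not the poster's real files; the function names are this example's own.

```python
import re

# Value pam_unix stores in PAM_AUTHTOK after a failed local password check so
# that later modules in the stack cannot reuse the rejected password.
# pam_unix writes it as "\b\n\r\177INCORRECT"; \b appears as \010 in FreeRADIUS logs.
PAM_UNIX_INCORRECT_SENTINEL = "\b\n\r\x7fINCORRECT"

_ESCAPE = re.compile(r'\\([0-7]{1,3}|[nrt\\"])')
_USER_PASSWORD = re.compile(r'User-Password\s*=\s*"((?:[^"\\]|\\.)*)"')
# control can be a plain keyword (required, sufficient, ...) or a [bracketed] form
_AUTH_LINE = re.compile(r'^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$')


def decode_freeradius_escape(value: str) -> str:
    """Undo the backslash escaping FreeRADIUS applies when it logs string attributes."""
    def repl(m):
        tok = m.group(1)
        if tok[0] in "01234567":          # octal escape such as \010 or \177
            return chr(int(tok, 8))
        return {"n": "\n", "r": "\r", "t": "\t"}.get(tok, tok)
    return _ESCAPE.sub(repl, value)


def user_password_from_log(line: str):
    """Return the decoded User-Password from a FreeRADIUS debug line, or None."""
    m = _USER_PASSWORD.search(line)
    return decode_freeradius_escape(m.group(1)) if m else None


def is_pam_unix_sentinel(password: str) -> bool:
    """True if the password is the pam_unix sentinel or a truncated prefix of it
    (the issue's log shows only the first seven characters)."""
    return len(password) >= 4 and PAM_UNIX_INCORRECT_SENTINEL.startswith(password)


def parse_pam_auth_stack(text: str):
    """Parse the 'auth' lines of a PAM service file into (control, module, args)."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = _AUTH_LINE.match(line)
        if m:
            stack.append((m.group(1), m.group(2), m.group(3).strip()))
    return stack


def modules_before_radius(stack):
    """Auth modules that see the cleartext token before pam_radius_auth.so does.
    A pam_unix.so entry here replaces a wrong password with the sentinel (or, as
    'requisite', stops the stack so RADIUS is never consulted)."""
    before = []
    for control, module, args in stack:
        if module.endswith("pam_radius_auth.so"):
            return before
        before.append((control, module, args))
    return before   # pam_radius_auth.so is not in the stack at all


def pam_unix_clobbers_token(stack) -> bool:
    """True when pam_unix.so runs ahead of pam_radius_auth.so in the auth stack."""
    return any(m.endswith("pam_unix.so") for _, m, _ in modules_before_radius(stack))


# --- constructed sample inputs (hypothetical; not the issue's real files) ---
LOG_LINE = '(2)   User-Password = "\\010\\n\\r\\177INC"'

# Misordered stack: the local check runs first, so a user missing from
# /etc/shadow reaches RADIUS with the sentinel instead of the typed password.
BAD_SSHD_STACK = """\
# /etc/pam.d/sshd (constructed)
auth    required    pam_env.so
auth    required    pam_unix.so nullok
auth    required    pam_radius_auth.so
"""

# RADIUS-only password checking, the ordering the maintainer recommends.
RADIUS_ONLY_SSHD_STACK = """\
# /etc/pam.d/sshd (constructed)
auth    required    pam_env.so
auth    required    pam_radius_auth.so
"""

if __name__ == "__main__":
    pw = user_password_from_log(LOG_LINE)
    print("sentinel seen by RADIUS:", is_pam_unix_sentinel(pw))
    for name, text in (("bad", BAD_SSHD_STACK), ("radius-only", RADIUS_ONLY_SSHD_STACK)):
        stack = parse_pam_auth_stack(text)
        print(name, "-> pam_unix before radius:", pam_unix_clobbers_token(stack),
              "| modules ahead of radius:", [m for _, m, _ in modules_before_radius(stack)])
```

Running it on the samples reports the sentinel for the constructed log line, flags the misordered stack and passes the RADIUS-only one. The linter only reasons about `pam_unix.so` because its sentinel behaviour is documented in its source; other local-check modules ahead of `pam_radius_auth.so` are listed by `modules_before_radius` for the operator to judge. Note that PAM ordering is separate from the poster's other question: whether a user needs a local account at all is a matter of how sshd resolves the username through NSS, not of which module checks the password.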