FreeRADIUS / pam_radius

This is the PAM to RADIUS authentication module. It allows any Linux, OSX or Solaris machine to become a RADIUS client for authentication and password change requests.
GNU General Public License v2.0
103 stars 90 forks source link

User will not login to shell on RHEL9 #95

Closed rserio closed 4 months ago

rserio commented 4 months ago

So I wanted to start to use our existing RADIUS server to allow logins to our RHEL9 systems. Since the RADIUS itself is already MFA.
I used the following articles to create my instance. https://access.redhat.com/solutions/7004459 https://access.redhat.com/solutions/2746251

When I did the radtest my user was accepted and I saw the group from the RADIUS server so then I moved to setup my SSH login to allow this.
Since this was tested well my /etc/pam.conf files are connected properly (so I don't have to expose the server secret and so forth)

I edited the /etc/pam.d/sshd (as instructed) cat /etc/pam.d/sshd

%PAM-1.0

auth substack password-auth auth sufficient pam_radius_auth.so auth include postlogin account required pam_sepermit.so account required pam_nologin.so account include password-auth password include password-auth

pam_selinux.so close should be the first session rule

session required pam_selinux.so close session required pam_loginuid.so

pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params session required pam_namespace.so session optional pam_keyinit.so force revoke session optional pam_motd.so session include password-auth session include postlogin

I added my user with no password as directed. I tried to ssh and I get "Permission denied, please try again." my ssh -vvv shows the following " debug3: send packet: type 50 debug2: we sent a password packet, wait for reply debug3: receive packet: type 51 "

I started a wireshark and I see the packet go out and return accepted. Screenshot_20240702_133428

And I see my RADIUS server accepts the login. but still no shell.

alandekok commented 4 months ago

If you get Access-Accept, then the pam_radius code is working correctly.

There are still various other PAM things which may need to succeed before you get a shell. You'll have to see the RedHat documentation for more details.

For example, the system still needs to find the users UID, GID, home directory, login shell, etc. None of that is provided over RADIUS.

So there's not much that the pam_radius code can do here. It's working correctly. The problem is elsewhere.

rserio commented 4 months ago

by creating the user via useradd there is all of the UID,GID, home but to further test your theory I have cloned a box that I have which is fully functional (has all users created with all the groups and such) and I disabled selinux, disabled fips mode (all just for testing) and I still don't get a shell, the logon is fully accepted so there must be something else.

3 9.068388979 10.1.1.53 → 10.1.1.50 RADIUS 135 Access-Request id=78 4 9.106603570 10.1.1.50 → 10.1.1.53 RADIUS 100 Access-Accept id=78

but still no prompt and I get the permission denied message again Permission denied, please try again.

alandekok commented 4 months ago

Again, if the pam_radius module receives an Access-Accept, then it is working properly. The pam_radius module then tells the PAM framework that the user can log in.

If the user still cannot log in, then the problem isn't in the pam_radius module. It's somewhere else in the PAM configuration.

I don't run RedHat, and I know nothing about the large PAM issue. You will have to ask RedHat for help. There's nothing wrong with the pam_radius module.