Hi all,
Has anyone managed to find the solution on how to use PAM with FreeRadius to authenticate SSH where from "radiusd -X", you get some like below: -
rad_recv: Access-Request packet from host 127.0.0.1 port 6239, id=149, length=88
User-Name = "sqltest"
User-Password = "\010\n\r\177INCORRECT"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "sshd"
NAS-Port = 5214
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "10.0.0.10"
.
.
.
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "? INCORRECT"
[pap] Using clear text password "testpwd"
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
If you refer to the 2nd
bold-ed sentence, you'll see that radius server is able to receive the password ("testpwd") but somehow could not make use of it to authenticate. Anyone has any idea how to "prioritize" the password sequence of whether it's possible?
I saw there's quite a lot of old threads either to have a central DB from radius server or from passwd file. From the looks of it, there's no issue using passwd file but problem arises when all user account is stored in radius server (this only applies to users file and not to a database). I also found old threads from the developer (Alan Dekok) that it is not the issue with PAM_Radius_Auth but PAM and SSH itself (refer to
http://www.nabble.com/file-detail-td2481517.html). Some went unanswered.
http://www.linuxquestions.org/questi...cation-495115/
Alan DeKok suggested to take a look on PAM mailing list to find how to rectify or to understand how PAM works.
BTW, my system config are: -
1. RHEL5
2. MySQL v5.0.86
3. FreeRadius 2.1.7
Please accept my apology for my naiveness and "noobness" if I stated anything mis-appropriate or stupid.