LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Telnet using PAM-RADIUS (http://www.linuxquestions.org/questions/linux-security-4/telnet-using-pam-radius-909191/)

rosect 10-20-2011 02:28 PM

Telnet using PAM-RADIUS
 
I have a fc-14 linux and I can telnet into the system with /etc/passwd. After installation of pam-radius, I expect to see radius requests leaving for an external radius server. But I do not see any packeting (wireshark is turned on). Here is my setup:

1. fc-14.i686

2. installed pam-radius by "yum install pam-radius". pam_radius_auth.so is in /lib/security.

3. in /etc/pam.d/login, I have:
auth sufficient lib/security/pam_radius_auth.so
account required pam_permit.so
session required pam_permit.so

4. in /etc/raddb, file server is created with these contents:
192.168.1.2 mySecret 2

5. On the radius server, necessary configuration is set.

Can someone let me know what other configuration I need so that the system will use pam to authentication telnet user? Thanks in advance.

Linux_Kidd 10-20-2011 04:07 PM

do you have a /etc/pam.d/telnet file? if so i suggest you try pam_radius_auth.so there

which radius package is it you have installed on fc14? try testing radius auth via the radius auth test tool to make sure radius works as expected. once radius is verified then jump into the integration.

but you do know you posted this in the "security" section so you are probably gonna get a lot of "why are you even using telnet, use ssh".

rosect 10-20-2011 05:08 PM

Thank you for your reply, Kidd. Here are my replies:

Kidd's suggestion 1: do you have a /etc/pam.d/telnet file?
My input: I created a /etc/pam.d/telnet. Same result -- no radius requests going out of the system.

Kidd's suggestion 2: which radius package is it you have installed on fc14?
My input: rpm -qa shows: pam_radius-1.3.17-2.fc14.i686.

Kidd's suggestion 3: try testing radius auth via the radius auth test tool
My input: I believe there is no radius setup on the system into which I want to telnet, right?

Kidd's suggestion 4: why are you even using telnet, use ssh.
My input: This is to support a legacy system. Compatibility considerations. SSH will also be implemented.

The problem is that I do not see pam-radius be invoked. Instead, passwd is used. (Yes, I can still telnet in). I also tried /etc/sshd. I still do not see radius requests going out. Please advise. Thank you.

Linux_Kidd 10-20-2011 09:55 PM

can you post the output of "ls /etc/pam.d/"

install freeradius-utils-2.1.9-3.fc14.i686.rpm and use the radtest utility to test radius functionality between your "telnet" box and the radius server 192.168.1.2

you can google "man radtest" to see how it works, etc. let us know when you validate radius is working as desired.

rosect 10-20-2011 10:15 PM

Thank you, Kidd. Here is the radtest result:

[root@1950]# radtest pam mc921 192.168.1.2:1812 8855 wlan
Sending Access-Request of id 116 to 192.168.1.2 port 1812
User-Name = "pam"
User-Password = "mc921"
NAS-IP-Address = 127.0.0.1
NAS-Port = 8855
rad_recv: Access-Accept packet from host 192.168.1.2 port 1812, id=116, length=20

/etc/pam.d: you can see
atd gnome-screensaver reboot sudo-i
authconfig halt remote su-l
authconfig-gtk ksu run_init system-auth
authconfig-tui login runuser system-auth-ac
chfn login.org runuser-l system-config-authentication
chsh newrole selinux-polgengui system-config-date
config-util other setup system-config-keyboard
crond passwd smartcard-auth system-config-network
cvs password-auth smartcard-auth-ac system-config-network-cmd
fingerprint-auth password-auth-ac smtp system-config-selinux
fingerprint-auth-ac polkit-1 smtp.sendmail system-config-users
gdm poweroff sshd telnet
gdm-autologin ppp wireshark gdm-fingerprint radiusd su xserver gdm-password
sudo

Linux_Kidd 10-20-2011 10:28 PM

ok, did you see this radius test in wireshark??

next, try putting your pam statement in /etc/pam.d/sshd, then try ssh login and you should see radius traffic in wireshark, btw, do you have a capture filter in wireshark, if so please post it.

most daemon services put a file in pam.d, did you verify that your telnetd is pam-a-fied ?

rosect 10-21-2011 12:05 PM

Yes, I tried sshd. Same. No radius requests going out. I do have wireshark with RADIUS filter set. But there are none radius packets captured.

Wireshark did catch requets when radtest is tried.

Did you mean "your telnetd is pam-a-tied" ? Could you let me know how to verify? Thank you.

Further testing. I replaced "sufficient" with the following:
[success=done ignore=ignore default=die].

In this case, I can not ssh in at all !. If I change "default=die" to "default=ignore", ssh is successful. So, it seems to me that the .so library returned some "weird" value!

Linux_Kidd 10-21-2011 12:19 PM

run ldd on your telnetd (or whatever binary is running your telnet service, etc).

example for sshd on my rhel 5.7:
[root@host ~]# ldd /usr/sbin/sshd |grep pam
libpam.so.0 => /lib/libpam.so.0 (0x00420000)

this shows that sshd is linked to the PAM library, hence its "pam-a-fied".

which telnet package is installed?

please post the wireshark capture filter you are using, and did you select the correct interface to capture on? your capture filter should be "port 1812" or "host 192.168.1.2". what host does wireshark run on?

is there anything in var/log/messages that might suggest whats going on?

rosect 10-21-2011 06:16 PM

Hi, Kidd, I turned on debug and did see error returned by the .so. Basically messages say the .so could not read server IP from config file. Well, I just retyped the IP and that solved the problem! Not sure why the previous IP was "so bad".

I sincerely thank you very much for your advice as to debugging the issue. You have a good weekend.

Linux_Kidd 10-21-2011 07:18 PM

hmmmm, that was easy.

Lorens 11-18-2011 06:45 AM

Just a simple question, did you know how to configure pam to let non-local users log in by RADIUS?

rosect 11-18-2011 03:04 PM

Lorens, if I understand your question correctly, I believe you are asking how to configure telnet/ssh using PAM-RADIUS.

One variable we have to deal with is the Linux itself. For different flavors, configuration files to be used could be different. I realized this when I was doing Internet search for solutions. Because I do not know about your Linux (REDHAT or SUSE or something-else.), I have to use my setup as an example. Mine is Fedora 14, which is RHEL6.

For Telnet:
1. Assume you have installed and started telnet service. (telnet is not by-default installed and enabled.)
2. In /etc/pam.d/remote, add the following, if they are not there:
auth sufficient \
/lib/security/pam_radius_auth.so \
conf=/etc/sysconfig/pam_radius
account required /lib/security/pam_permit.so
session required /lib/security/pam_permit.so

3. In /etc/sysconfig/pam_radius, add these:
192.168.1.2 radius-shared-secret 2


For SSH:
1. In /etc/pam.d/sshd, add the same lines.

Note: the pam_radius in /etc/sysconfig is what I added.

And last, good luck!


All times are GMT -5. The time now is 06:51 PM.