Old 07-24-2012, 07:31 AM   #1
pinsky
LQ Newbie
Registered: Dec 2011
Posts: 13
Using PAM just for PPP authorisation, without authentication.


Hello there,

I'm having a situation here which I cannot resolve. I set up a PPTP connection between two computers. One acts as a server, the other as a client.

The connection is made by calling

pon my_vpn

where my_vpn is a file in /etc/ppp/peers consisting of:
Code:
pty "pptp 192.168.12.1 --nolaunchpppd"
name virtual_1
remotename my_vpn
require-mppe-128
file /etc/ppp/options.pptp
ipparam my_vpn

This creates the connection between the server and the client and brings up the ppp interfaces.

Following a tutorial, I have set up the chap_secrets file on both the server and the client.

Client chap_secrets:
Code:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
virtual_2       *       pass    *
Server chap_secrets:
Code:
# Secrets for authentication using CHAP
# client        server  secret                  IP addresses
virtual_1       virtual_3       pass                    *
virtual_2       virtual_3       pass                    *
When pon my_vpn is initiated on the client (virtual_2), the output of

grep ppp /var/log/syslog

on the server (called virtual_3) is
Code:
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xcd787d11> <pcomp> <accomp>]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [LCP EchoReq id=0x0 magic=0xcd787d11]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [CHAP Challenge id=0xf <33b8dc04d3db8014f82e8d95eef3d3a2>, name = "virtual_3"]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [LCP EchoReq id=0x0 magic=0xa40d7c64]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [LCP EchoRep id=0x0 magic=0xcd787d11]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [LCP EchoRep id=0x0 magic=0xa40d7c64]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [CHAP Response id=0xf <a323c3ddf060ae2845fc14b09034e64a000000000000000049fb952c5de9ec86cf872c0f05cea9f245fd6cf585a64eff00>, name = "virtual_2"]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [CHAP Success id=0xf "S=2F3C33E3676ADE634FBD3F3406BA1091EC04763A M=Access granted"]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [CCP ConfAck id=0x1 <mppe +H -M +S -L -D -C>]
Jul 24 07:11:56 virtual3 pppd[3323]: MPPE 128-bit stateless compression enabled
Jul 24 07:11:56 virtual3 pppd[3323]: sent [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 10.8.10.1>]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [IPCP ConfReq id=0x1 <compress VJ 0f 01> <addr 0.0.0.0>]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [IPCP ConfNak id=0x1 <addr 10.8.10.3>]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [IPCP ConfAck id=0x1 <compress VJ 0f 01> <addr 10.8.10.1>]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [IPCP ConfReq id=0x2 <compress VJ 0f 01> <addr 10.8.10.3>]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [IPCP ConfAck id=0x2 <compress VJ 0f 01> <addr 10.8.10.3>]
Jul 24 07:11:56 virtual3 pppd[3323]: Cannot determine ethernet address for proxy ARP
Jul 24 07:11:56 virtual3 pppd[3323]: local  IP address 10.8.10.1
Jul 24 07:11:56 virtual3 pppd[3323]: remote IP address 10.8.10.3
Jul 24 07:11:56 virtual3 pppd[3323]: pptpd-logwtmp.so ip-up ppp1 virtual_2 192.168.11.100
Jul 24 07:11:56 virtual3 pppd[3323]: Script /etc/ppp/ip-up started (pid 3326)
Jul 24 07:11:57 virtual3 pppd[3323]: Script /etc/ppp/ip-up finished (pid 3326), status = 0x0
What I would like to achieve next is to use PAM on the server side, but just for authorization, without authentication. That is, I would like to leave the authorization as it was until now, through the chap_secrets file, and just add the authentication module which will write to a database table on each change of connection (when a PPP connection is made, the connected user is written to the database, and when the connection is lost, the column is deleted from the database).

Before setting up the database, I'm trying to do simple things to check if pppd is working with PAM. So I edited the /etc/pam.d/ppp file, which looks like:

Code:
#%PAM-1.0
# Information for the PPPD process with the 'login' option.

# pam_exec executes the command directly, not through a shell, so the module
# needs its .so suffix and the redirect has to be done by an explicit sh -c;
# the argument containing spaces is bracketed as pam.conf(5) requires.
account sufficient pam_exec.so /bin/sh -c [echo 'Successful log' >> /home/user/log_file]
auth    required        pam_nologin.so
@include common-auth
@include common-account
@include common-session
Hoping that on a successful connection a file (/home/user/log_file) would be created.
However, no file was created. After that, I scrambled the /etc/pam.d/ppp file, hoping to get any kind of error which would at least confirm that pppd is using PAM. However, everything went as before.

My pppd is compiled to use PAM.
Code:
root@virtual3:/etc/ppp# ldd /usr/sbin/pppd
        ...
        libpam.so.0 => /lib/libpam.so.0 (0xb76e8000)
        ...
Any ideas where to start next?
tnx
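A quick way to settle the question the post is asking ("is pppd using PAM at all?") from the syslog itself, as an added example and not part of the original post: the function below reads pppd lines from stdin and, per pppd process, reports the peer name from the CHAP Response, whether CHAP succeeded, and whether any PAM line ("Initializing PAM", "PAM Account OK", "PAM Session opened") appeared for that process. The sample lines are constructed for the example, modelled on the thread's output with the hex challenge/response fields shortened.

```sh
#!/bin/sh
# Constructed sample in the shape pppd/pptpd write to syslog (not the thread's own lines).
SAMPLE_LOG='Jul 24 07:11:56 virtual3 pppd[3323]: sent [CHAP Challenge id=0xf <00>, name = "virtual_3"]
Jul 24 07:11:56 virtual3 pppd[3323]: rcvd [CHAP Response id=0xf <00>, name = "virtual_2"]
Jul 24 07:11:56 virtual3 pppd[3323]: sent [CHAP Success id=0xf "S=00 M=Access granted"]
Jul 24 07:11:56 virtual3 pppd[3323]: local  IP address 10.8.10.1
Jul 24 11:32:02 virtual3 pptpd[6100]: GRE: Bad checksum from pppd.
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [CHAP Response id=0x72 <00>, name = "virtual_2"]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [CHAP Success id=0x72 "S=00 M=Access granted"]
Jul 24 11:32:02 virtual3 pppd[6101]: Initializing PAM (2) for user virtual_2
Jul 24 11:32:02 virtual3 pppd[6101]: PAM Account OK for virtual_2
Jul 24 11:32:02 virtual3 pppd[6101]: PAM Session opened for user virtual_2'

# pam_audit: read syslog lines on stdin, print one line per pppd PID:
#   <pid> chap=<peer name|none> chap_ok=<yes|no> pam=<yes|no>
# Only lines carrying "pppd[<pid>]" are considered; pptpd and other daemons are ignored.
pam_audit() {
  awk '
    match($0, /pppd\[[0-9]+\]/) {
      pid = substr($0, RSTART + 5, RLENGTH - 6)      # text between "pppd[" and "]"
      seen[pid] = 1
      # The peer name comes from the CHAP Response the server received.
      if ($0 ~ /rcvd \[CHAP Response/ && match($0, /name = "[^"]*"/))
        user[pid] = substr($0, RSTART + 8, RLENGTH - 9)
      if ($0 ~ /CHAP Success/) chap_ok[pid] = 1
      # Any of these lines proves pppd entered its PAM code path for that process.
      if ($0 ~ /Initializing PAM/ || $0 ~ /PAM Account OK/ || $0 ~ /PAM Session opened/)
        pam[pid] = 1
    }
    END {
      for (p in seen)
        printf "%s chap=%s chap_ok=%s pam=%s\n", p,
          (p in user ? user[p] : "none"),
          (p in chap_ok ? "yes" : "no"),
          (p in pam ? "yes" : "no")
    }' | sort
}

# Stand-alone run over the constructed sample (the real use is: grep ppp /var/log/syslog | pam_audit).
printf '%s\n' "$SAMPLE_LOG" | pam_audit
```

A process that shows chap_ok=yes but pam=no is exactly the first post's situation: CHAP accepted the peer from chap-secrets and the connection came up, but nothing in /etc/pam.d/ppp was ever consulted, so no PAM stack edit can have any effect until pppd is started with the login option.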
Old 07-24-2012, 11:36 AM   #2
pinsky
LQ Newbie
Registered: Dec 2011
Posts: 13
Original Poster
It seemed that all that needed to be done was to run pppd with the login parameter. That can be set in /etc/ppp/options,
even though it is said to be only supposed to be used with PAP.

I suppose it works because we're not trying to authenticate with PAP and CHAP; authentication goes through the chap_secrets files, after which it is passed to PAM.

When PAM takes control, we can set it to always pass authentication and use the authorization for whatever is needed.

Here is what my PAM file (on the server, /etc/pam.d/ppp) looks like:
Code:
auth    sufficient      pam_permit.so
account sufficient      pam_permit.so
For now, I haven't set anything concrete for the account. What I plan is to run a module which writes the information into a database.

Looking at the /var/log/syslog:

Code:
Jul 24 11:32:02 virtual3 pptpd[6100]: GRE: Bad checksum from pppd.
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [LCP ConfAck id=0x1 <asyncmap 0x0> <auth chap MS-v2> <magic 0xbfa95b1b> <pcomp> <accomp>]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [LCP EchoReq id=0x0 magic=0xbfa95b1b]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [CHAP Challenge id=0x72 <bd6de330bce960fd3c015f4c05271084>, name = "virtual_3"]
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [LCP EchoReq id=0x0 magic=0x26f8d72a]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [LCP EchoRep id=0x0 magic=0xbfa95b1b]
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [LCP EchoRep id=0x0 magic=0x26f8d72a]
Jul 24 11:32:02 virtual3 pppd[6101]: rcvd [CHAP Response id=0x72 <37493f89d9ab654ebd597c25a4a6b0c000000000000000007452936c00f1efa80034f8a65f1f33a7c5b0cf8b4ca6b3f600>, name = "virtual_2"]
Jul 24 11:32:02 virtual3 pppd[6101]: sent [CHAP Success id=0x72 "S=8BA14BF6728FFEF9BAC466B0B7ACD5B6273E8B38 M=Access granted"]
Jul 24 11:32:02 virtual3 pppd[6101]: Initializing PAM (2) for user virtual_2
Jul 24 11:32:02 virtual3 pppd[6101]: ---> PAM INIT Result = 0
Jul 24 11:32:02 virtual3 pppd[6101]: Attempting PAM account checks
Jul 24 11:32:02 virtual3 pppd[6101]: PAM Account OK for virtual_2
Jul 24 11:32:02 virtual3 pppd[6101]: PAM Session opened for user virtual_2
Jul 24 11:32:02 virtual3 pppd[6101]: user virtual_2 logged in on tty pts/3 intf ppp0
Jul 24 11:32:02 virtual3 pppd[6101]: MPPE 128-bit stateless compression enabled
Jul 24 11:32:02 virtual3 pppd[6101]: Cannot determine ethernet address for proxy ARP
Jul 24 11:32:02 virtual3 pppd[6101]: local  IP address 10.8.10.1
Jul 24 11:32:02 virtual3 pppd[6101]: remote IP address 10.8.10.2
Jul 24 11:32:02 virtual3 pppd[6101]: pptpd-logwtmp.so ip-up ppp0 virtual_2 192.168.11.100
It can be seen that the authentication went through CHAP and was then passed to PAM.
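The log above shows pppd, once started with login, opening a PAM session for the user after CHAP has already accepted the secret. The plan in the post is a module that records each connection on open and removes it on close; the script below is an added example of that hook (not the poster's code), written to be invoked by pam_exec.so from the session stack. It relies only on the environment variables pam_exec(8) exports to its command (PAM_TYPE, PAM_USER, PAM_TTY, PAM_RHOST). A flat file stands in for the database table; the installed path /usr/local/sbin/ppp-session-hook and the state file /var/lib/ppp/sessions in the comment are assumptions.

```sh
#!/bin/sh
# Assumed /etc/pam.d/ppp on the server (pppd must run with the `login` option, as in the post):
#
#   auth     sufficient pam_permit.so
#   account  required   pam_permit.so
#   session  optional   pam_exec.so /usr/local/sbin/ppp-session-hook /var/lib/ppp/sessions
#
# pam_exec runs the hook with PAM_TYPE set to open_session or close_session and
# PAM_USER / PAM_TTY / PAM_RHOST describing the peer, so the hook itself is
# just the function below with STATE_FILE taken from its first argument.

# ppp_session_hook STATE_FILE
# Keeps one line per live session ("user tty rhost utc-timestamp") in STATE_FILE,
# a flat-file stand-in for the database table the post plans to write.
ppp_session_hook() {
  state="$1"
  : "${PAM_USER:?PAM_USER not set (run me from pam_exec)}"
  tty="${PAM_TTY:-unknown}"
  rhost="${PAM_RHOST:-unknown}"
  touch "$state"
  case "$PAM_TYPE" in
    open_session)
      # Refuse a name that could smuggle extra fields or lines into the record;
      # chap-secrets names are plain identifiers anyway.
      case "$PAM_USER" in *[!A-Za-z0-9._-]*) return 1 ;; esac
      printf '%s %s %s %s\n' "$PAM_USER" "$tty" "$rhost" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$state"
      ;;
    close_session)
      # Delete exactly the record for this user on this tty; the same user may
      # have a second session on another tty, which must survive.
      tmp="$state.tmp.$$"
      awk -v u="$PAM_USER" -v t="$tty" '!($1 == u && $2 == t)' "$state" > "$tmp" \
        && mv "$tmp" "$state"
      ;;
    *)
      # If the module is also listed under auth/account, there is nothing to record.
      return 0
      ;;
  esac
}

# live_sessions STATE_FILE: print the user names currently recorded, one per line.
live_sessions() {
  awk '{ print $1 }' "$1"
}

# When executed directly (rather than sourced), act as the pam_exec hook.
case "$0" in *ppp-session-hook) ppp_session_hook "$1" ;; esac
```

Two points worth keeping in mind with this stack. First, pam_permit.so in the auth line means PAM itself accepts anyone; that is fine here only because pppd has already rejected a bad secret through CHAP before it ever calls PAM (note the order "CHAP Success" then "Initializing PAM" in the log), but any other service that happened to be pointed at /etc/pam.d/ppp would be let in too, so the file should not be shared. Second, the same connect and disconnect events are also delivered to the /etc/ppp/ip-up and ip-down scripts that the first post's log shows pppd running, with the peer name and interface as arguments; whether to record from there or from the PAM session stack is a matter of which of the two you want to have to keep working.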