Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I have an fc-14 Linux system and I can telnet into it using /etc/passwd. After installing pam-radius, I expect to see RADIUS requests leaving for an external RADIUS server. But I do not see any packets (Wireshark is turned on). Here is my setup:
1. fc-14.i686
2. installed pam-radius with "yum install pam-radius". pam_radius_auth.so is in /lib/security.
3. in /etc/pam.d/login, I have:
auth sufficient /lib/security/pam_radius_auth.so
account required pam_permit.so
session required pam_permit.so
4. in /etc/raddb, a file named server was created with these contents:
192.168.1.2 mySecret 2
5. On the radius server, necessary configuration is set.
Can someone let me know what other configuration I need so that the system will use PAM to authenticate telnet users? Thanks in advance.
Last edited by rosect; 10-20-2011 at 01:29 PM.
Reason: edited question
Do you have a /etc/pam.d/telnet file? If so, I suggest you try pam_radius_auth.so there.
Which RADIUS package have you installed on fc14? Try testing RADIUS auth via the RADIUS auth test tool to make sure RADIUS works as expected. Once RADIUS is verified, then jump into the integration.
But you do know you posted this in the "security" section, so you are probably going to get a lot of "why are you even using telnet, use ssh".
Last edited by Linux_Kidd; 10-20-2011 at 03:20 PM.
Thank you for your reply, Kidd. Here are my replies:
Kidd's suggestion 1: do you have a /etc/pam.d/telnet file?
My input: I created a /etc/pam.d/telnet. Same result: no RADIUS requests going out of the system.
Kidd's suggestion 2: which radius package is it you have installed on fc14?
My input: rpm -qa shows: pam_radius-1.3.17-2.fc14.i686.
Kidd's suggestion 3: try testing radius auth via the radius auth test tool
My input: I believe there is no RADIUS setup on the system into which I want to telnet, right?
Kidd's suggestion 4: why are you even using telnet, use ssh.
My input: This is to support a legacy system. Compatibility considerations. SSH will also be implemented.
The problem is that I do not see pam-radius being invoked. Instead, passwd is used. (Yes, I can still telnet in.) I also tried /etc/sshd. I still do not see RADIUS requests going out. Please advise. Thank you.
Install freeradius-utils-2.1.9-3.fc14.i686.rpm and use the radtest utility to test RADIUS functionality between your "telnet" box and the RADIUS server 192.168.1.2.
You can google "man radtest" to see how it works, etc. Let us know when you validate that RADIUS is working as desired.
Next, try putting your PAM statement in /etc/pam.d/sshd, then try an ssh login and you should see RADIUS traffic in Wireshark. BTW, do you have a capture filter in Wireshark? If so, please post it.
Most daemon services put a file in pam.d. Did you verify that your telnetd is pam-a-fied?
Last edited by Linux_Kidd; 10-20-2011 at 09:30 PM.
Yes, I tried sshd. Same. No RADIUS requests going out. I do have Wireshark with a RADIUS filter set, but no RADIUS packets are captured.
Wireshark did catch requests when radtest was tried.
Did you mean "your telnetd is pam-a-tied"? Could you let me know how to verify? Thank you.
Further testing. I replaced "sufficient" with the following:
[success=done ignore=ignore default=die].
In this case, I cannot ssh in at all! If I change "default=die" to "default=ignore", ssh is successful. So it seems to me that the .so library returned some "weird" value!
Run ldd on your telnetd (or whatever binary is running your telnet service, etc.).
Example for sshd on my RHEL 5.7:
[root@host ~]# ldd /usr/sbin/sshd |grep pam
libpam.so.0 => /lib/libpam.so.0 (0x00420000)
This shows that sshd is linked to the PAM library, hence it's "pam-a-fied".
Which telnet package is installed?
Please post the Wireshark capture filter you are using, and did you select the correct interface to capture on? Your capture filter should be "port 1812" or "host 192.168.1.2". What host does Wireshark run on?
Is there anything in /var/log/messages that might suggest what's going on?
Last edited by Linux_Kidd; 10-21-2011 at 11:34 AM.
Hi Kidd, I turned on debug and did see an error returned by the .so. Basically the messages say the .so could not read the server IP from the config file. Well, I just retyped the IP and that solved the problem! Not sure why the previous IP was "so bad".
I sincerely thank you for your advice on debugging the issue. Have a good weekend.
Lorens, if I understand your question correctly, you are asking how to configure telnet/ssh using PAM-RADIUS.
One variable we have to deal with is the Linux distribution itself. For different flavors, the configuration files to be used could be different. I realized this when I was searching the Internet for solutions. Because I do not know your Linux (Red Hat or SUSE or something else), I have to use my setup as an example. Mine is Fedora 14, which is RHEL6.
For Telnet:
1. Assume you have installed and started the telnet service. (telnet is not installed and enabled by default.)
2. In /etc/pam.d/remote, add the following if they are not there:
auth sufficient \
/lib/security/pam_radius_auth.so \
conf=/etc/sysconfig/pam_radius
account required /lib/security/pam_permit.so
session required /lib/security/pam_permit.so
3. In /etc/sysconfig/pam_radius, add this:
192.168.1.2 radius-shared-secret 2
For SSH:
1. In /etc/pam.d/sshd, add the same lines.
Note: the pam_radius file in /etc/sysconfig is one I added.
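A set of pre-flight checks for the procedure above, added here as an example; it is not code from the thread or from the pam_radius project. It parses a pam_radius server file in the format shown (server, shared secret, optional timeout), rejects lines with stray non-printing characters or the wrong number of fields (the kind of unreadable server line that made logins quietly fall back to password authentication earlier in this thread), requires the file to be mode 0600 because it holds shared secrets, and reports the control field on the pam_radius_auth.so line of a PAM service file such as /etc/pam.d/remote or /etc/pam.d/sshd. The control field is worth reading off explicitly: with "sufficient", a module that fails or errors is ignored and PAM carries on down the stack, so a broken module is invisible until you look at the packets or the debug log; with "[success=done ignore=ignore default=die]", any return other than success or ignore aborts the login, which is what was observed above. The sample files it writes, their contents, and the function names are constructed for illustration and are not from the original page.

```shell
#!/bin/sh
# Added example (not code from the thread or from the pam_radius project):
# pre-flight checks for a pam_radius setup. It validates the "server" file
# that pam_radius_auth.so reads, requires that file to be root-only because
# it holds shared secrets, and reports how a PAM service file invokes the
# module. All paths and sample contents below are assumptions.

# Validate one line of the server file: "<server[:port]> <secret> [timeout]".
# Returns 0 for a well-formed line (or a blank/comment line), 1 otherwise.
check_server_line() {
    line=$1
    case $line in ''|'#'*) return 0 ;; esac
    # Anything that is neither printable nor a space/tab (a CR from a DOS
    # line ending, a pasted non-ASCII byte) is exactly what the module's
    # parser chokes on, so reject it here instead of at login time.
    case $line in *[![:print:][:blank:]]*)
        echo "non-printable character in: $line" >&2; return 1 ;;
    esac
    set -f                      # no globbing while splitting into fields
    set -- $line
    set +f
    if [ $# -lt 2 ] || [ $# -gt 3 ]; then
        echo "expected 2 or 3 fields, got $#: $line" >&2; return 1
    fi
    host=${1%%:*} timeout=${3:-3}
    case $host in ''|*[!A-Za-z0-9.-]*)
        echo "bad server host: '$host'" >&2; return 1 ;;
    esac
    case $timeout in ''|*[!0-9]*)
        echo "bad timeout: '$timeout'" >&2; return 1 ;;
    esac
    [ ${#2} -ge 8 ] || echo "warning: shared secret for $host is under 8 characters" >&2
    return 0
}

# Validate a whole server file: every line must pass check_server_line, at
# least one server must be listed, and the mode must be 0600 or 0400.
check_server_file() {
    file=$1 rc=0 servers=0
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    while IFS= read -r l || [ -n "$l" ]; do
        check_server_line "$l" || rc=1
        case $l in ''|'#'*) ;; *) servers=$((servers + 1)) ;; esac
    done < "$file"
    [ "$servers" -gt 0 ] || { echo "no servers listed in $file" >&2; rc=1; }
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in 600|400) ;;
        *) echo "$file is mode $mode; it holds shared secrets, make it 0600" >&2; rc=1 ;;
    esac
    return $rc
}

# Print the control field of every "auth" line in a PAM service file that
# calls pam_radius_auth.so, joining backslash-continued lines as PAM does.
# Returns 1 if the module is not referenced by any auth line.
pam_radius_control() {
    awk '
      /\\$/ { sub(/[ \t]*\\$/, " "); buf = buf $0; next }
      {
          $0 = buf $0; buf = ""
          if ($1 != "auth") next
          for (i = 2; i <= NF; i++)
              if ($i ~ /pam_radius_auth\.so$/) {
                  ctl = $2; for (j = 3; j < i; j++) ctl = ctl " " $j
                  print ctl; found = 1
              }
      }
      END { exit found ? 0 : 1 }' "$1"
}

# Constructed samples (not real configs): a correct server file, one with a
# DOS line ending and a stray fourth field, and a PAM file like the thread's.
write_samples() {
    dir=$1
    printf '# RADIUS servers for pam_radius\n192.168.1.2 mySecret-0123 2\n' > "$dir/server.good"
    chmod 600 "$dir/server.good"
    printf '192.168.1.2 mySecret-0123 2\r\n192.168.1.2 mySecret 2 extra\n' > "$dir/server.bad"
    chmod 644 "$dir/server.bad"
    printf 'auth sufficient \\\n/lib/security/pam_radius_auth.so \\\nconf=%s/server.good\naccount required pam_permit.so\nsession required pam_permit.so\n' "$dir" > "$dir/remote"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_server_file "$tmp/server.good" && echo "server.good: OK"
check_server_file "$tmp/server.bad"  || echo "server.bad: rejected (as intended)"
echo "pam_radius_auth.so control field in $tmp/remote: $(pam_radius_control "$tmp/remote")"
rm -rf "$tmp"
# Once the file parses, confirm the RADIUS side from this host with
# freeradius-utils:  radtest <user> <password> 192.168.1.2 0 <shared-secret>
```

Run it on the real files by calling check_server_file /etc/sysconfig/pam_radius (or /etc/raddb/server) and pam_radius_control /etc/pam.d/remote. If check_server_file complains, the line it names is the one the module cannot read; if pam_radius_control prints nothing, the service file you edited is not the one the daemon consults, which is the /etc/pam.d/login versus /etc/pam.d/remote trap in this thread.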