Hi,

I was trying to find a PAM-Radius mailing list and it seems that this might be the one.

An Ubuntu 7.4 box needs to be configured such that SSH users will be authenticated against an external FreeRadius server. FreeRadius server version is 1.1.7-1build4. The Ubuntu box uses OpenSSH 4.3-p2 and /etc/ssh/sshd_config is set to “UsePAM yes”. I downloaded PAM_Radius 1.3.17.

Below is the procedure that I use for Radius to authenticate a user in /etc/passwd (/etc/shadow doesn’t have the password for that user).

1. FreeRadius server configures its clients.conf and user file to include a new user called “test1”.
2. On my Ubuntu 7.4 box, add a user with command “useradd” to add a user “test1” but don’t set a password. So the user “test1” on the Ubuntu box will be inactive.
3. Configure /etc/pam.d/ssh on the Ubuntu box to use “auth sufficient pam_radius_auth.so”.
4. Also update the /etc/raddb/server on the Ubuntu box to point to the remote Radius server IP.
5. Try ssh test1@ubuntu box and it worked. Also monitored the Free Radius logging and it did show that the Access-Request packets went to Radius server.

So steps 1-5 worked well for me. Note that at step 2, the user account to be authenticated is added to /etc/passwd.

The issue is: if step 2 is omitted, SSH login will fail. ACCESS_REQUEST packets with INCORRECT password were even sent to the Radius server. Further troubleshooting showed that the PAM_Radius module got a bad password from PAM.

I did some research from the website and some emails dated in 2006 said that PAM_Radius can only authenticate user accounts in the /etc/passwd file. Is that right?

Many thanks in advance,
Feng
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
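
Added example, not part of the original message and not pam_radius project code: a preflight script for the setup the message describes, checking the three files it names and whether the login name resolves as a local account (the condition step 2 provides). The function and variable names are this example's own, and the world-readable test on the server file is an added hardening check, since that file holds the RADIUS shared secret.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for the
# SSH -> PAM -> RADIUS setup described above. Default paths are the ones
# named in the post; the variable and function names are this example's own.
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
PAM_SSH=${PAM_SSH:-/etc/pam.d/ssh}
RADIUS_CONF=${RADIUS_CONF:-/etc/raddb/server}

# True if an active (uncommented) "UsePAM yes" line is present.
sshd_uses_pam() {
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes([[:space:]]|$)' "$1"
}

# Print the control flag (e.g. "sufficient") of the first active auth line
# that loads pam_radius_auth.so; print nothing if there is none.
pam_radius_control() {
    awk '$1 == "auth" && /pam_radius_auth\.so/ { print $2; exit }' "$1"
}

# Count server entries: non-comment lines with at least a host and a secret.
radius_server_count() {
    awk '$1 !~ /^#/ && NF >= 2 { n++ } END { print n + 0 }' "$1"
}

# True if the file is world-readable, which would expose the shared secret.
secret_file_exposed() {
    case $(ls -ld "$1") in ???????r*) return 0 ;; esac
    return 1
}

# True if the account resolves on this host (what step 2 of the post provides).
user_resolves() {
    id -u "$1" >/dev/null 2>&1
}

# Run every check for one login name; return non-zero if any check fails.
preflight() {
    fails=0
    sshd_uses_pam "$SSHD_CONFIG" || { echo "FAIL: no 'UsePAM yes' in $SSHD_CONFIG"; fails=$((fails + 1)); }
    [ -n "$(pam_radius_control "$PAM_SSH")" ] || { echo "FAIL: pam_radius_auth.so not in $PAM_SSH"; fails=$((fails + 1)); }
    [ "$(radius_server_count "$RADIUS_CONF")" -gt 0 ] || { echo "FAIL: no server entry in $RADIUS_CONF"; fails=$((fails + 1)); }
    if secret_file_exposed "$RADIUS_CONF"; then echo "FAIL: $RADIUS_CONF is world-readable"; fails=$((fails + 1)); fi
    user_resolves "$1" || { echo "FAIL: account '$1' does not resolve on this host"; fails=$((fails + 1)); }
    echo "$fails check(s) failed for '$1'"
    [ "$fails" -eq 0 ]
}

if [ "$#" -gt 0 ]; then preflight "$1"; fi
```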