On Mon, Sep 17, 2012 at 6:30 PM, Alfonso Alejandro Reyes Jiménez <areyes@xxxxxxxxxxxxxxxx> wrote:
> Hi everyone.
>
> I'm trying to use PAM and my radius server in order to authenticate the users
> of our vsftp server, right now I'm able to get the access accept from the
> radius but PAM seems not to understand it.
>
> Here's my pam configuration:
>
> #%PAM-1.0
> auth sufficient pam_radius_auth.so debug
> account sufficient pam_radius_auth.so debug
> session optional pam_keyinit.so force revoke
> auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth required pam_shells.so
> auth include password-auth
> account include password-auth
> session required pam_loginuid.so
> session include password-auth
>
> Here's the PAM debug log:
>
> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Sending RADIUS request code 1
> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 10657568.
> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Got RADIUS response code 2
> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: authentication succeeded
> Sep 14 10:59:45 CRM vsftpd[9670]: pam_radius_auth: Got user name adgalvanh
> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Sending RADIUS request code 1
> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 7122720.
> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Got RADIUS response code 2
> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: authentication succeeded
>
> The vsftp has the value:
>
> pam_service_name=vsftpd
>
> On the vsftp log I got the OK LOGIN:
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-###############################################################"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-Todo acceso a este equipo es restringido y monitoreado, toda"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-actividad es ingresada a una bitacora."
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-###############################################################"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220 "
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100", "AUTH TLS"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "234 Proceed with negotiation."
> Mon Sep 17 17:28:05 2012 [pid 12728] DEBUG: Client "172.16.101.100", "SSL version: TLSv1/SSLv3, SSL cipher: AES128-SHA, not reused, no cert"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100", "USER aareyes"
> Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP response: Client "172.16.101.100", "331 Please specify the password."
> Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP command: Client "172.16.101.100", "PASS <password>"
> Mon Sep 17 17:28:05 2012 [pid 12727] [aareyes] OK LOGIN: Client "172.16.101.100"
>
> But I can't connect from my FTP client:
>
> CYBERDUCK
>
> I/O Error: Connection failed
> Unsupported record version Unknown-48.48.
>
> FILEZILLA
>
> Status: Waiting to retry...
> Status: Connecting to 172.16.18.113:21...
> Status: Connection established, waiting for welcome message...
> Response: 220-###############################################################
> Response: 220-Todo acceso a este equipo es restringido y monitoreado, toda
> Response: 220-actividad es ingresada a una bitacora.
> Response: 220-###############################################################
> Response: 220
> Command: AUTH TLS
> Response: 234 Proceed with negotiation.
> Status: Initializing TLS...
> Status: Verifying certificate...
> Command: USER aareyes
> Status: TLS/SSL connection established.
> Response: 331 Please specify the password.
> Command: PASS **************
> Error: GnuTLS error -8: A record packet with illegal version was

Seems like an SSL/TLS error in your certs SFTP server rather than a PAM error.

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
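
An added example, not part of either message in this thread: a small Python triage over the three kinds of output quoted above (pam_radius_auth debug lines, the vsftpd log, the client's error) that reports the first layer showing a failure. The function names and layer labels are assumptions, and the sample lines are constructed in the formats quoted in the post.

```python
import re

# RADIUS packet codes (RFC 2865); pam_radius_auth logs them as bare numbers.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept",
                3: "Access-Reject", 11: "Access-Challenge"}

# Constructed samples in the log formats quoted in the post.
SYSLOG = """\
Sep 17 17:28:05 CRM vsftpd[12728]: pam_radius_auth: Sending RADIUS request code 1
Sep 17 17:28:05 CRM vsftpd[12728]: pam_radius_auth: Got RADIUS response code 2
Sep 17 17:28:05 CRM vsftpd[12728]: pam_radius_auth: authentication succeeded
"""
VSFTPD_LOG = """\
Mon Sep 17 17:28:05 2012 [pid 12728] DEBUG: Client "172.16.101.100", "SSL version: TLSv1/SSLv3, SSL cipher: AES128-SHA, not reused, no cert"
Mon Sep 17 17:28:05 2012 [pid 12727] [aareyes] OK LOGIN: Client "172.16.101.100"
"""
CLIENT_OUTPUT = "Error: GnuTLS error -8: A record packet with illegal version was"

def radius_responses(syslog):
    """Names of the RADIUS responses pam_radius_auth reported, in order."""
    codes = re.findall(r"pam_radius_auth: Got RADIUS response code (\d+)", syslog)
    return [RADIUS_CODES.get(int(c), "code " + c) for c in codes]

def ftp_login(vsftpd_log):
    """(user, 'OK' or 'FAIL') for the last login line, or None if there is none."""
    hits = re.findall(r"\[pid \d+\] \[(\S+)\] (OK|FAIL) LOGIN", vsftpd_log)
    return hits[-1] if hits else None

def triage(syslog, vsftpd_log, client_output):
    """First layer that shows a failure: 'radius', 'pam-stack', 'tls' or 'none'."""
    responses = radius_responses(syslog)
    if not responses or responses[-1] != "Access-Accept":
        return "radius"
    login = ftp_login(vsftpd_log)
    if login is None or login[1] != "OK":
        return "pam-stack"  # RADIUS accepted, but vsftpd did not log OK LOGIN
    if re.search(r"GnuTLS error -?\d+|Unsupported record version", client_output):
        return "tls"        # login succeeded; the client failed on a TLS record
    return "none"

if __name__ == "__main__":
    print(radius_responses(SYSLOG), ftp_login(VSFTPD_LOG),
          triage(SYSLOG, VSFTPD_LOG, CLIENT_OUTPUT))
```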