Re: ..:: VSFTP - PAM - RADIUS ::..

[Alfonso Alejandro Reyes Jiménez <areyes@xxxxxxxxxxxxxxxx>]

On 9/18/12 8:04 AM, Nick Owen wrote:
> On Mon, Sep 17, 2012 at 6:30 PM, Alfonso Alejandro Reyes Jiménez
> <areyes@xxxxxxxxxxxxxxxx>  wrote:
> > Hi everyone.
> >
> > I'm trying to use PAM and my radius server in order to authenticate de users
> > of our vsftp server, right now I'm able to get the access accept from the
> > radius but PAM seems not to understand it.
> >
> > Here's my pam configuration:
> >
> > #%PAM-1.0
> > auth sufficient pam_radius_auth.so debug
> > account sufficient pam_radius_auth.so debug
> > session    optional     pam_keyinit.so    force revoke
> > auth       required     pam_listfile.so item=user sense=deny
> > file=/etc/vsftpd/ftpusers onerr=succeed
> > auth       required     pam_shells.so
> > auth       include      password-auth
> > account    include      password-auth
> > session    required     pam_loginuid.so
> > session    include      password-auth
> >
> > Here's the PAM debug log:
> >
> > Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Sending RADIUS request
> > code 1
> > Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: DEBUG:
> > getservbyname(radius, udp) returned 10657568.
> > Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Got RADIUS response code
> > 2
> > Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: authentication succeeded
> > Sep 14 10:59:45 CRM vsftpd[9670]: pam_radius_auth: Got user name adgalvanh
> > Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Sending RADIUS request
> > code 1
> > Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: DEBUG:
> > getservbyname(radius, udp) returned 7122720.
> > Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Got RADIUS response code
> > 2
> > Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: authentication succeeded
> >
> > The vsftp has the value:
> >
> >   pam_service_name=vsftpd
> >
> > On the vsftp log I got the OK LOGIN:
> > Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> > "220-###############################################################"
> > Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> > "220-Todo acceso a este equipo es restringido y monitoreado, toda"
> > Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> > "220-actividad es ingresada a una bitacora."
> > Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> > "220-###############################################################"
> > Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> > "220"
> > Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100",
> > "AUTH TLS"
> > Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> > "234 Proceed with negotiation."
> > Mon Sep 17 17:28:05 2012 [pid 12728] DEBUG: Client "172.16.101.100", "SSL
> > version: TLSv1/SSLv3, SSL cipher: AES128-SHA, not reused, no cert"
> > Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100",
> > "USER aareyes"
> > Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP response: Client
> > "172.16.101.100", "331 Please specify the password."
> > Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP command: Client
> > "172.16.101.100", "PASS<password>"
> > Mon Sep 17 17:28:05 2012 [pid 12727] [aareyes] OK LOGIN: Client
> > "172.16.101.100"
> >
> > But I can't connect from my FTP client:
> >
> > CYBERDUCK
> >
> > I/O Error: Connection failed
> > Unsupported record version Unknown-48.48.
> >
> > FILEZILLA
> >
> > Status:    Waiting to retry...
> > Status:    Connecting to 172.16.18.113:21...
> > Status:    Connection established, waiting for welcome message...
> > Response:
> > 220-###############################################################
> > Response:    220-Todo acceso a este equipo es restringido y monitoreado,
> > toda
> > Response:    220-actividad es ingresada a una bitacora.
> > Response:
> > 220-###############################################################
> > Response:    220
> > Command:    AUTH TLS
> > Response:    234 Proceed with negotiation.
> > Status:    Initializing TLS...
> > Status:    Verifying certificate...
> > Command:    USER aareyes
> > Status:    TLS/SSL connection established.
> > Response:    331 Please specify the password.
> > Command:    PASS **************
> > Error:    GnuTLS error -8: A record packet with illegal version was
> Seems like an SSL/TLS error in your certs SFTP server rather than a PAM error.
>
> --
> Nick Owen
> WiKID Systems, Inc.
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list


Thanks for your reply, the issue is now solved. I had to use the 
ssl_ciphers=HIGH command.

Have a great day.

Regards.

Alfonso.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list