5

I am trying to configure ssh with my custom radius server for authentication.

So what i want is, First it should authenticate with current ssh login (unix login) and then prompt user for second password for radius.

I am setting up /etc/pam.d/sshd as follows

auth        required    pam_unix.so debug

auth        sufficient  /lib/security/pam_radius_auth.so debug conf=/home/pam_radius try_first_pass

But then my first authentication does not happen at all. It immediately goes for radius.

As per the pam_radius documentation of try_first_pass:

…If there was no previous password, or the previous password fails authentication, prompt the user with "Enter RADIUS password: ", and ask for another password. Try this password, and return success/failure as appropriate.

Jigar Shah
  • 159
  • 1
  • 5

2 Answers

1

I can't reply to the comments of the other answer, but have you tried setting both auth lines to required instead of having radius be set as sufficient?

violet
  • 486
  • 3
  • 6
  • That's a good place to start. They are both required, after all; just radius is *not* to be considered sufficient. – apenwarr Feb 16 '10 at 19:10
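The difference between the questioner's stack (pam_unix `required`, pam_radius_auth `sufficient`) and the stack suggested in this answer (both `required`) comes down to how Linux-PAM evaluates control flags. The following simulator is an added example, not code from the question, the answer, or the pam_radius project: it stubs module results instead of calling real PAM modules, and models only the control-flag logic (not the conversation function through which pam_radius_auth would issue its second prompt).

```python
"""Simulate Linux-PAM 'auth' stack evaluation for the control flags used on
this page (required, requisite, sufficient). Constructed example: module
results are stubbed, not real pam_unix / pam_radius_auth calls."""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"


def run_auth_stack(stack, results):
    """Evaluate an auth stack the way Linux-PAM does for simple control flags.

    stack:   list of (control, module) tuples in file order.
    results: dict module -> return code the module would produce.
    Returns (final_result, list_of_modules_that_actually_ran).
    """
    ran = []
    failure = None          # first failure from a 'required' module, if any
    for control, module in stack:
        ran.append(module)
        rc = results[module]
        if control == "requisite":
            if rc != PAM_SUCCESS:
                return rc, ran           # requisite: stop immediately on failure
        elif control == "required":
            if rc != PAM_SUCCESS and failure is None:
                failure = rc             # remember the failure, but keep going
        elif control == "sufficient":
            if rc == PAM_SUCCESS and failure is None:
                return PAM_SUCCESS, ran  # sufficient: short-circuit with success
            # a failing 'sufficient' module is simply ignored
        else:
            raise ValueError(f"unknown control flag: {control}")
    return (failure or PAM_SUCCESS), ran


# The two stacks under discussion (module names shortened; constructed).
QUESTIONER_STACK = [("required", "pam_unix"), ("sufficient", "pam_radius_auth")]
ANSWER_STACK = [("required", "pam_unix"), ("required", "pam_radius_auth")]


def compare(unix_rc, radius_rc):
    """Outcome of both stacks for a given pair of module results."""
    results = {"pam_unix": unix_rc, "pam_radius_auth": radius_rc}
    q_result, q_ran = run_auth_stack(QUESTIONER_STACK, results)
    a_result, a_ran = run_auth_stack(ANSWER_STACK, results)
    return {"questioner": q_result, "answer": a_result,
            "questioner_ran": q_ran, "answer_ran": a_ran}


if __name__ == "__main__":
    # Unix password correct, RADIUS rejects (response code 3, as in the logs):
    print(compare(PAM_SUCCESS, PAM_AUTH_ERR))
    # Both factors correct:
    print(compare(PAM_SUCCESS, PAM_SUCCESS))
    # Unix password wrong, RADIUS accepts:
    print(compare(PAM_AUTH_ERR, PAM_SUCCESS))
```

In the first case the simulation shows that pam_unix does run first in the questioner's stack; pam_radius_auth then fails, but because a failing `sufficient` module is ignored, the stack result is pam_unix's success. That is consistent with the posted logs, where "authentication failed" from pam_radius_auth is followed by sshd's "Accepted password". With both modules `required`, the same inputs yield a failure, which is the behaviour wanted for a second factor.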
0

I think your ssh login fails and then it goes directly to the radius authentication. What happens when you enter a radius password? If my guess is correct, your auth should fail no matter whether you enter a correct or false password for your radius auth.

To debug this problem a bit more, please post your debug output.

You should disable your radius auth to be sure your ssh auth is working.

Christian
  • 4,703
  • 2
  • 24
  • 27
  • Hi, thanks for the reply. What I want is the other way: if the pam_unix login is successful, then go for radius (that is two-factor authentication). (I also tried changing "auth required" to "requisite".) In my case, it does not do the first authentication with pam_unix at all; it immediately goes to radius. 1. If I remove radius from the stack, it does do unix authentication. 2. If I remove pam_unix, same behaviour as mentioned: it goes to radius auth. 3. If I keep pam_unix AFTER radius, and radius auth fails, it does unix auth. (What I want is the other way round: first do unix auth, and if it succeeds, do radius auth.) – Jigar Shah Jan 25 '10 at 06:00
  • "what happens when you enter a radius password" - It passes. "you should disable your radius auth to be sure your ssh auth is working." - Yes, it works. In crux, the problem is: when pam_unix is first, it does not go through pam_unix (or it does, but with no debug output. I have enabled debug. Posting the logs.) – Jigar Shah Jan 25 '10 at 06:41
  • /var/log/secure Jan 25 12:26:28 jigarnb sshd[10686]: pam_radius_auth: Got user name jigar Jan 25 12:26:28 jigarnb sshd[10686]: pam_radius_auth: Got password <****> Jan 25 12:26:28 jigarnb sshd[10686]: pam_radius_auth: Sending RADIUS request code 1 Jan 25 12:26:28 jigarnb sshd[10686]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 8089344. Jan 25 12:26:28 jigarnb sshd[10686]: pam_radius_auth: Got RADIUS response code 3 Jan 25 12:26:28 jigarnb sshd[10686]: pam_radius_auth: authentication failed – Jigar Shah Jan 25 '10 at 06:58
  • Jan 25 12:26:28 jigarnb sshd[10686]: Accepted password for jigar from 192.168.0.39 port 5604 ssh2 Jan 25 12:26:28 jigarnb sshd[10686]: pam_unix(sshd:session): session opened for user jigar by (uid=0) – Jigar Shah Jan 25 '10 at 06:59
  • As of the logs, it says "it tried with radius, but failed, so used unix". But why? My unix stack is at the top. Why did it try radius first? – Jigar Shah Jan 25 '10 at 07:40
  • some more ideas: perhaps it is working in the right order, but the messages are printed in wrong order to the log. change pam_unix parameter from `debug` to `audit`. make your radius auth work alone than enable unix and radius and look at the order of the log messages. – Christian Jan 25 '10 at 07:57
  • So I did exactly as you said: `#auth required pam_unix.so audit` / `auth sufficient /lib/security/pam_radius_auth.so debug conf=/home/jigar/nvsotp_server/pam_radius try_first_pass`. It works. – Jigar Shah Jan 25 '10 at 10:36
  • Jan 25 16:05:24 jigarnb sshd[23011]: pam_radius_auth: Got user name jigar Jan 25 16:05:24 jigarnb sshd[23011]: pam_radius_auth: Sending RADIUS request code 1 Jan 25 16:05:24 jigarnb sshd[23011]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 8261376. Jan 25 16:05:24 jigarnb sshd[23011]: pam_radius_auth: Got RADIUS response code 2 – Jigar Shah Jan 25 '10 at 10:36
  • Jan 25 16:05:24 jigarnb sshd[23011]: pam_radius_auth: authentication succeeded Jan 25 16:05:24 jigarnb sshd[23011]: Accepted password for jigar from 192.168.0.39 port 38934 ssh2 Jan 25 16:05:24 jigarnb sshd[23011]: pam_unix(sshd:session): session opened for user jigar by (uid=0) – Jigar Shah Jan 25 '10 at 10:37
  • Now changed to enable pam_unix: `auth required pam_unix.so audit` / `auth sufficient /lib/security/pam_radius_auth.so debug conf=/home/jigar/nvsotp_server/pam_radius try_first_pass` – Jigar Shah Jan 25 '10 at 10:37
  • It tried to authenticate with radius and failed, and accepted the unix credential. – Jigar Shah Jan 25 '10 at 10:41
  • Jan 25 16:10:00 jigarnb sshd[23339]: pam_radius_auth: Got user name jigar Jan 25 16:10:00 jigarnb sshd[23339]: pam_radius_auth: Got password ****** Jan 25 16:10:00 jigarnb sshd[23339]: pam_radius_auth: Sending RADIUS request code 1 Jan 25 16:10:00 jigarnb sshd[23339]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1217982720. Jan 25 16:10:00 jigarnb sshd[23339]: pam_radius_auth: Got RADIUS response code 3 – Jigar Shah Jan 25 '10 at 10:42
  • Jan 25 16:10:00 jigarnb sshd[23339]: pam_radius_auth: authentication failed Jan 25 16:10:00 jigarnb sshd[23339]: Accepted password for jigar from 192.168.0.39 port 40712 ssh2 Jan 25 16:10:00 jigarnb sshd[23339]: pam_unix(sshd:session): session opened for user jigar by (uid=0) – Jigar Shah Jan 25 '10 at 10:42
  • It's strange. Why did it go to radius first? It should have gone to unix instead. And making it audit didn't help. – Jigar Shah Jan 25 '10 at 10:43