Hi,

I was trying to find a PAM-Radius mailing list and it seems that this might be the one.

An Ubuntu 7.4 box needs to be configured such that SSH users will be authenticated against an external FreeRadius server. FreeRadius server version is 1.1.7-1build4. The Ubuntu box uses OpenSSH 4.3-p2 and /etc/ssh/sshd_config is set to “UsePAM yes”. I downloaded PAM_Radius 1.3.17.

Below is the procedure that I use Radius to authenticate a user in /etc/passwd (/etc/shadow doesn’t have the password for that user).

1. FreeRadius server configures its clients.conf and user file to include a new user called “test1”.
2. On my Ubuntu 7.4 box, add a user with command “useradd” to add a user “test1” but don’t set a password. So the user “test1” on the Ubuntu box will be inactive.
3. Configure /etc/pam.d/ssh on the Ubuntu box to use “auth sufficient pam_radius_auth.so”
4. Also update the /etc/raddb/server on the Ubuntu box to point to the remote Radius server IP.
5. Try ssh test1 ubuntu box and it worked. Also monitored the Free Radius logging and it did show that the Access-Request packets went to Radius server.

So step 1-5 worked well for me. Note that at step 2, the user account to be authenticated is added to /etc/passwd.

The issue is: if step 2 is omitted, SSH login will fail. ACCESS_REQUEST packets with INCORRECT password were even sent to the Radius server. Further troubleshooting showed that PAM_Radius module got a bad password from PAM.

I did some research from the website and some emails dated in 2006 said that PAM_Radius can only authenticate user accounts in /etc/passwd file. Is that right?

Many thanks in advance,
Feng
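
A preflight check for steps 2 to 4, as an added example that is not part of the original post: OpenSSH's PAM password path hands PAM a placeholder password instead of the typed one when the login name is not a valid account, so the script checks that the account resolves before checking the PAM and RADIUS files. Function names are hypothetical and every file path is an argument.

```sh
#!/bin/sh
# Added example: preflight checks for the pam_radius setup in the post.
# Function names are hypothetical; all file paths are arguments.

# user_resolves USER [PASSWD_FILE]
# Succeeds if USER has an account entry. Without a file it asks NSS via
# getent, the same lookup sshd depends on before it runs the PAM stack.
user_resolves() {
    if [ -n "${2:-}" ]; then
        awk -F: -v u="$1" '$1 == u { ok = 1 } END { exit !ok }' "$2"
    else
        getent passwd "$1" >/dev/null 2>&1
    fi
}

# pam_radius_control PAM_FILE
# Prints the control flag (e.g. "sufficient") of the first active auth line
# that loads pam_radius_auth.so; prints nothing if there is none.
# Assumes the simple one-word control syntax used in the post.
pam_radius_control() {
    awk '$1 == "auth" && $3 ~ /pam_radius_auth\.so$/ { print $2; exit }' "$1"
}

# radius_servers SERVER_FILE
# Prints the server[:port] column of each active line of the pam_radius
# server file (format: server[:port] shared_secret [timeout]).
radius_servers() {
    awk '$1 !~ /^#/ && NF >= 2 { print $1 }' "$1"
}

# preflight USER PAM_FILE SERVER_FILE [PASSWD_FILE]
# Prints one finding per line; returns 0 only if every check passes.
preflight() {
    rc=0
    if user_resolves "$1" "${4:-}"; then
        echo "ok: account $1 resolves"
    else
        echo "FAIL: account $1 does not resolve; sshd will treat it as invalid"; rc=1
    fi
    ctl=$(pam_radius_control "$2")
    if [ -n "$ctl" ]; then echo "ok: auth $ctl pam_radius_auth.so"
    else echo "FAIL: no auth line for pam_radius_auth.so in $2"; rc=1; fi
    srv=$(radius_servers "$3")
    if [ -n "$srv" ]; then echo "ok: RADIUS servers: $(echo $srv)"
    else echo "FAIL: no server entries in $3"; rc=1; fi
    return $rc
}

# Run only when called with arguments, e.g. test1 /etc/pam.d/ssh /etc/raddb/server
if [ "$#" -ge 3 ]; then preflight "$@"; fi
```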