..:: VSFTP - PAM - RADIUS ::..

Nick Owen nowen at wikidsystems.com
Tue Sep 18 13:04:28 UTC 2012


On Mon, Sep 17, 2012 at 6:30 PM, Alfonso Alejandro Reyes Jiménez
<areyes at ibossmonitor.com> wrote:
> Hi everyone.
>
> I'm trying to use PAM and my radius server in order to authenticate the users
> of our vsftp server, right now I'm able to get the access accept from the
> radius but PAM seems not to understand it.
>
> Here's my pam configuration:
>
> #%PAM-1.0
> auth sufficient pam_radius_auth.so debug
> account sufficient pam_radius_auth.so debug
> session    optional     pam_keyinit.so    force revoke
> auth       required     pam_listfile.so item=user sense=deny
> file=/etc/vsftpd/ftpusers onerr=succeed
> auth       required     pam_shells.so
> auth       include      password-auth
> account    include      password-auth
> session    required     pam_loginuid.so
> session    include      password-auth
>
> Here's the PAM debug log:
>
> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Sending RADIUS request
> code 1
> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: DEBUG:
> getservbyname(radius, udp) returned 10657568.
> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Got RADIUS response code
> 2
> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: authentication succeeded
> Sep 14 10:59:45 CRM vsftpd[9670]: pam_radius_auth: Got user name adgalvanh
> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Sending RADIUS request
> code 1
> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: DEBUG:
> getservbyname(radius, udp) returned 7122720.
> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Got RADIUS response code
> 2
> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: authentication succeeded
>
> The vsftp has the value:
>
>  pam_service_name=vsftpd
>
> On the vsftp log I got the OK LOGIN:
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> "220-###############################################################"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> "220-Todo acceso a este equipo es restringido y monitoreado, toda"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> "220-actividad es ingresada a una bitacora."
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> "220-###############################################################"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> "220 "
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100",
> "AUTH TLS"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100",
> "234 Proceed with negotiation."
> Mon Sep 17 17:28:05 2012 [pid 12728] DEBUG: Client "172.16.101.100", "SSL
> version: TLSv1/SSLv3, SSL cipher: AES128-SHA, not reused, no cert"
> Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100",
> "USER aareyes"
> Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP response: Client
> "172.16.101.100", "331 Please specify the password."
> Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP command: Client
> "172.16.101.100", "PASS <password>"
> Mon Sep 17 17:28:05 2012 [pid 12727] [aareyes] OK LOGIN: Client
> "172.16.101.100"
>
> But I can't connect from my FTP client:
>
> CYBERDUCK
>
> I/O Error: Connection failed
> Unsupported record version Unknown-48.48.
>
> FILEZILLA
>
> Status:    Waiting to retry...
> Status:    Connecting to 172.16.18.113:21...
> Status:    Connection established, waiting for welcome message...
> Response:
> 220-###############################################################
> Response:    220-Todo acceso a este equipo es restringido y monitoreado,
> toda
> Response:    220-actividad es ingresada a una bitacora.
> Response:
> 220-###############################################################
> Response:    220
> Command:    AUTH TLS
> Response:    234 Proceed with negotiation.
> Status:    Initializing TLS...
> Status:    Verifying certificate...
> Command:    USER aareyes
> Status:    TLS/SSL connection established.
> Response:    331 Please specify the password.
> Command:    PASS **************
> Error:    GnuTLS error -8: A record packet with illegal version was

Seems like an SSL/TLS error in your certs SFTP server rather than a PAM error.

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
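A note on reading the two client errors above, as an added example that is not part of the original thread: Cyberduck's "Unsupported record version Unknown-48.48" is Java's TLS stack printing the second and third bytes it read, in decimal, as a "major.minor" version; 48 is ASCII "0". A TLS record would start with a content type byte (20-23) followed by version 3.x, so the client read something that was not a TLS record. The helper below classifies the first bytes read on the control connection after AUTH TLS and renders the same "Unknown-X.Y" string; the sample inputs are constructed, and whether this server actually sent a cleartext three-digit FTP reply (which would explain "00") is an inference, not something the thread establishes.

```python
# Added example (not from the thread or from vsftpd/pam_radius): classify the
# first bytes a client reads on the FTP control channel after "234 Proceed
# with negotiation." and render them the way Java's TLS stack does in
# "Unsupported record version Unknown-X.Y", so the number can be decoded.

TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def classify_record(data: bytes) -> dict:
    """Decide whether `data` looks like a TLS record or a cleartext FTP reply.

    A TLS record begins with a content type byte (20-23) followed by the
    protocol version (major 3, minor 0-3).  Anything else is reported with
    the second and third bytes shown as decimal "major.minor", which is the
    "Unknown-48.48" form in the Cyberduck error, plus their ASCII rendering.
    """
    if len(data) < 3:
        return {"kind": "short", "detail": "fewer than 3 bytes read"}
    ctype, major, minor = data[0], data[1], data[2]
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 3:
        return {
            "kind": "tls",
            "content_type": TLS_CONTENT_TYPES[ctype],
            "version": f"{major}.{minor}",
        }
    head = data[:3]
    return {
        "kind": "plaintext",
        "java_version_string": f"Unknown-{major}.{minor}",
        "as_text": head.decode("ascii", errors="replace"),
        # RFC 959 reply: three digits then a space or '-' (continuation line)
        "looks_like_ftp_reply": head.isdigit() and data[3:4] in (b" ", b"-"),
    }


if __name__ == "__main__":
    # Constructed samples: a TLSv1.0 ClientHello record header, a cleartext
    # vsftpd-style reply ending in "00", and a cleartext "230" login reply.
    for sample in (b"\x16\x03\x01\x00\x9b\x01", b"500 OOPS: example", b"230 Login successful."):
        print(sample[:6], "->", classify_record(sample))
```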




More information about the Pam-list mailing list