..:: VSFTP - PAM - RADIUS ::..

Alfonso Alejandro Reyes Jiménez areyes at ibossmonitor.com
Tue Sep 18 13:38:11 UTC 2012


On 9/18/12 8:04 AM, Nick Owen wrote:
> On Mon, Sep 17, 2012 at 6:30 PM, Alfonso Alejandro Reyes Jiménez
> <areyes at ibossmonitor.com>  wrote:
>> Hi everyone.
>>
>> I'm trying to use PAM and my RADIUS server in order to authenticate the users
>> of our vsftp server. Right now I'm able to get the Access-Accept from the
>> RADIUS, but PAM seems not to understand it.
>>
>> Here's my pam configuration:
>>
>> #%PAM-1.0
>> auth sufficient pam_radius_auth.so debug
>> account sufficient pam_radius_auth.so debug
>> session    optional     pam_keyinit.so    force revoke
>> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
>> auth       required     pam_shells.so
>> auth       include      password-auth
>> account    include      password-auth
>> session    required     pam_loginuid.so
>> session    include      password-auth
>>
>> Here's the PAM debug log:
>>
>> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Sending RADIUS request code 1
>> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 10657568.
>> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Got RADIUS response code 2
>> Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: authentication succeeded
>> Sep 14 10:59:45 CRM vsftpd[9670]: pam_radius_auth: Got user name adgalvanh
>> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Sending RADIUS request code 1
>> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 7122720.
>> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Got RADIUS response code 2
>> Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: authentication succeeded
>>
>> The vsftp has the value:
>>
>>   pam_service_name=vsftpd
>>
>> On the vsftp log I got the OK LOGIN:
>> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-###############################################################"
>> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-All access to this system is restricted and monitored; all"
>> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-activity is recorded in a log."
>> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-###############################################################"
>> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220"
>> Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100", "AUTH TLS"
>> Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "234 Proceed with negotiation."
>> Mon Sep 17 17:28:05 2012 [pid 12728] DEBUG: Client "172.16.101.100", "SSL version: TLSv1/SSLv3, SSL cipher: AES128-SHA, not reused, no cert"
>> Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100", "USER aareyes"
>> Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP response: Client "172.16.101.100", "331 Please specify the password."
>> Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP command: Client "172.16.101.100", "PASS<password>"
>> Mon Sep 17 17:28:05 2012 [pid 12727] [aareyes] OK LOGIN: Client "172.16.101.100"
>>
>> But I can't connect from my FTP client:
>>
>> CYBERDUCK
>>
>> I/O Error: Connection failed
>> Unsupported record version Unknown-48.48.
>>
>> FILEZILLA
>>
>> Status:    Waiting to retry...
>> Status:    Connecting to 172.16.18.113:21...
>> Status:    Connection established, waiting for welcome message...
>> Response:    220-###############################################################
>> Response:    220-All access to this system is restricted and monitored; all
>> Response:    220-activity is recorded in a log.
>> Response:    220-###############################################################
>> Response:    220
>> Command:    AUTH TLS
>> Response:    234 Proceed with negotiation.
>> Status:    Initializing TLS...
>> Status:    Verifying certificate...
>> Command:    USER aareyes
>> Status:    TLS/SSL connection established.
>> Response:    331 Please specify the password.
>> Command:    PASS **************
>> Error:    GnuTLS error -8: A record packet with illegal version was
> Seems like an SSL/TLS error in your certs SFTP server rather than a PAM error.
>
> --
> Nick Owen
> WiKID Systems, Inc.
> http://www.wikidsystems.com
> Commercial/Open Source Two-Factor Authentication
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list


Thanks for your reply, the issue is now solved. I had to use the 
ssl_ciphers=HIGH command.

Have a great day.

Regards.

Alfonso.
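A note on the PAM stack posted at the top of the thread, with an added example that is not the poster's file. In PAM, a `sufficient` module that succeeds ends the stack immediately unless an earlier `required` module has already failed. Because `auth sufficient pam_radius_auth.so` is the first `auth` line, the `pam_listfile` deny check against /etc/vsftpd/ftpusers and the `pam_shells` check never run for any user the RADIUS server accepts. If those local checks are meant to apply to everyone, the `required` lines have to come before the `sufficient` one. The stack below keeps the modules, paths and `password-auth` include from the thread and only changes the order; the `debug` option is dropped because it only adds syslog noise once things work. vsftpd still needs a local account for the user (unless guest_enable is used), so `pam_shells` does apply to RADIUS users.

```text
#%PAM-1.0
# Added example: same modules as the thread's /etc/pam.d/vsftpd, reordered so the
# local deny list and shell check are evaluated before RADIUS can short-circuit.
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       sufficient   pam_radius_auth.so
auth       include      password-auth
account    sufficient   pam_radius_auth.so
account    include      password-auth
session    optional     pam_keyinit.so    force revoke
session    required     pam_loginuid.so
session    include      password-auth
```

With this order a name listed in /etc/vsftpd/ftpusers fails even when RADIUS returns Access-Accept, because `sufficient` cannot override a `required` failure that happened earlier in the stack. `onerr=succeed` is what the thread's file used; it means an unreadable ftpusers file lets everyone through, so `onerr=fail` is the stricter choice if the file is guaranteed to exist.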
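The fix was a vsftpd setting, `ssl_ciphers=HIGH`, replacing the value the thread's server had been running with (vsftpd's documented default for `ssl_ciphers` at the time was the single suite DES-CBC3-SHA). The Python below is an added example, not code from the thread or from vsftpd: it expands an `ssl_ciphers` value through the local OpenSSL to show which suites it really enables and flags anything a reviewer would reject, and it probes a live server the way Cyberduck and FileZilla did, sending AUTH TLS and reporting the suite that gets negotiated. The host argument, the weak-marker list and the 128-bit threshold are this example's choices, not the list's.

```python
"""Added example, not code from the thread: check what a vsftpd ssl_ciphers value
actually allows, and probe which suite a running server negotiates after AUTH TLS."""
import ssl
import sys
from ftplib import FTP_TLS

# Suite-name fragments that should never appear in a server's offer, whatever the
# reported key strength: no encryption, export grades, RC4, single/triple DES and
# anonymous key exchange. This list is an assumption of the example.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES-CBC", "ADH", "AECDH")


def suites_for(spec: str):
    """Expand an OpenSSL cipher string (the form vsftpd's ssl_ciphers takes) into
    the suite names the local OpenSSL would enable for it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(spec: str):
    """Suites enabled by `spec` that a reviewer should reject: under 128 bits of
    key strength, or carrying one of WEAK_MARKERS in the name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [
        c["name"]
        for c in ctx.get_ciphers()
        if c["strength_bits"] < 128 or any(m in c["name"] for m in WEAK_MARKERS)
    ]


def spec_is_acceptable(spec: str) -> bool:
    """True if the spec enables at least one suite and none of them is weak.
    A spec OpenSSL cannot satisfy at all (every suite compiled out, or a typo)
    raises SSLError inside set_ciphers and is reported as unacceptable."""
    try:
        return bool(suites_for(spec)) and not weak_suites(spec)
    except ssl.SSLError:
        return False


def negotiated_cipher(host: str, port: int = 21, timeout: float = 10.0):
    """Connect to an FTP server, issue AUTH TLS as the clients in the thread did,
    and return (suite, protocol, bits) for the resulting control channel.
    Certificate verification is switched off on purpose: this is a diagnostic
    probe, and a self-signed server certificate must not hide a cipher problem."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    try:
        ftps.connect(host, port)
        ftps.auth()                  # sends AUTH TLS, then wraps the control socket
        return ftps.sock.cipher()    # e.g. ('AES128-SHA', 'TLSv1', 128)
    finally:
        ftps.close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("negotiated:", negotiated_cipher(sys.argv[1]))
    else:
        # HIGH is the thread's fix; DES-CBC3-SHA is the old documented vsftpd default.
        for spec in ("HIGH", "DES-CBC3-SHA"):
            try:
                print(f"{spec}: acceptable={spec_is_acceptable(spec)} weak={weak_suites(spec)}")
            except ssl.SSLError as err:
                print(f"{spec}: OpenSSL refuses this spec ({err})")
```

Run it with no arguments to see what `HIGH` expands to on the box that will run vsftpd (the set depends on the OpenSSL build, which is why expanding it locally matters), or with a host name to see the suite a deployed server actually hands out after AUTH TLS. A modern OpenSSL may refuse `DES-CBC3-SHA` outright, which is the same situation the thread's clients were in from the other side.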



