Gentoo Forums
sshd & radius
Gentoo Forums Forum Index » Networking & Security
pinion
n00b

Joined: 11 Feb 2006
Posts: 47

PostPosted: Thu Oct 25, 2007 6:43 pm    Post subject: sshd & radius

I would like to authenticate my gentoo servers to a Radius server (for ssh & console logins). Does anyone know how to do this? There used to be a radius PAM module, but it looks like that was removed. Is there a feature I'm missing? I searched for any howtos and didn't come up with anything aside from the pam_radius module. Thanks in advance for the help :wink:

After looking at the USE flags for pam, I noticed that pwdb installs the pam_radius.so module. Now I just need to figure out what to do with it. I created a NAS entry for the gentoo server on my radius server (Cisco ACS). I just need to know where to configure my radius secret on the gentoo server and if any other packages need to be emerged (such as a radius client). Any help or links are much appreciated. The only links I am finding pertain to pam_radius_auth.so (not pam_radius.so).
pinion
n00b

Joined: 11 Feb 2006
Posts: 47

PostPosted: Sun Oct 28, 2007 9:26 pm

To get the pam_radius module installed I added the "pwdb" USE flag to my /etc/portage/packages.use file and emerged pam. I did some reading on pam (http://devmanual.gentoo.org/tasks-reference/pam/index.html) and modified my /etc/pam.d/sshd file:
Code:
# /etc/pam.d/sshd, using the pam_radius.so that the pwdb USE flag installs with pam-0.78
auth       optional     pam_radius.so   conf=/etc/radius.conf
password   optional     pam_radius.so   conf=/etc/radius.conf
session    optional     pam_radius.so   conf=/etc/radius.conf
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

As well as created a /etc/radius.conf file:
Code:
# /etc/radius.conf
auth            10.97.26.10             linacsP@$$              3
acct            10.97.26.10             linacsP@$$              3

But I am getting the following error now:
/var/log/syslog:
Code:
Oct 28 07:21:21 phaz-mon-02 sshd[16431]: PAM unable to resolve symbol: pam_sm_authenticate
Oct 28 07:21:21 phaz-mon-02 sshd[16431]: PAM unable to resolve symbol: pam_sm_setcred
Oct 28 07:21:21 phaz-mon-02 sshd[16431]: PAM unable to resolve symbol: pam_sm_chauthtok
Oct 28 07:21:21 phaz-mon-02 sshd[16431]: Failed publickey for test from 10.97.19.255 port 34852 ssh2
Oct 28 07:21:25 phaz-mon-02 sshd(pam_unix)[16436]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.97.19.255  user=test
Oct 28 07:21:28 phaz-mon-02 sshd[16431]: error: PAM: Authentication failure for test from 10.97.19.255
Oct 28 07:21:28 phaz-mon-02 sshd[16431]: Failed keyboard-interactive/pam for test from 10.97.19.255 port 34852 ssh2

I have tried modifying /etc/pam.d/sshd turning off auth/password/session for the pam_radius module to get different error messages, but they all produce the same errors in my error log. I have also tried re-emerging pam and running revdep-rebuild.

Does anyone have any insight into what I am doing wrong?
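The three "PAM unable to resolve symbol" lines are libpam reporting that the module named on a pam.d line does not export the entry point for that line's management group: pam_sm_authenticate and pam_sm_setcred for auth, pam_sm_chauthtok for password. The check below is an added example and not part of the post: it parses a pam.d stack, can ask nm -D which symbols a module actually exports, and lists the combinations libpam would fail to resolve. The sample stack is the one from the post; the symbol table for it is constructed and assumes pam_radius.so exports only the session entry points, which is the situation the logged errors are consistent with.

```python
"""Check that every module on a pam.d stack exports the entry points libpam
resolves for that line's management group. Added example, not the post's code."""
import subprocess

# Symbols libpam looks up per management group (Linux-PAM module API).
PAM_GROUP_SYMBOLS = {
    "auth": ("pam_sm_authenticate", "pam_sm_setcred"),
    "account": ("pam_sm_acct_mgmt",),
    "password": ("pam_sm_chauthtok",),
    "session": ("pam_sm_open_session", "pam_sm_close_session"),
}


def parse_pam_stack(text):
    """Return (group, control, module) per module line; 'include' lines,
    comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[1] == "include":
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def exported_symbols(path):
    """Live probe of a shared object with 'nm -D --defined-only' (needs
    binutils); returns the set of exported symbol names."""
    out = subprocess.run(
        ["nm", "-D", "--defined-only", path],
        capture_output=True, text=True, check=True,
    ).stdout
    return {line.split()[-1] for line in out.splitlines() if line.strip()}


def missing_entry_points(entries, symbols_by_module):
    """(group, module, symbol) triples libpam would fail to resolve.
    Modules absent from symbols_by_module are not checked."""
    problems = []
    for group, _control, module in entries:
        syms = symbols_by_module.get(module)
        if syms is None:
            continue
        for needed in PAM_GROUP_SYMBOLS.get(group, ()):
            if needed not in syms:
                problems.append((group, module, needed))
    return problems


# Constructed sample: the stack from the post, plus an assumed symbol table in
# which pam_radius.so exports only session entry points.
SAMPLE_SSHD_STACK = """
auth       optional     pam_radius.so   conf=/etc/radius.conf
password   optional     pam_radius.so   conf=/etc/radius.conf
session    optional     pam_radius.so   conf=/etc/radius.conf
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
"""

SAMPLE_SYMBOLS = {
    "pam_radius.so": {"pam_sm_open_session", "pam_sm_close_session"},
    "pam_shells.so": {"pam_sm_authenticate", "pam_sm_setcred"},
    "pam_nologin.so": {"pam_sm_authenticate", "pam_sm_setcred",
                       "pam_sm_acct_mgmt"},
}


def check_sample():
    """Problems in the sample stack; mirrors the three syslog lines."""
    return missing_entry_points(parse_pam_stack(SAMPLE_SSHD_STACK),
                                SAMPLE_SYMBOLS)


if __name__ == "__main__":
    for group, module, symbol in check_sample():
        print(f"{group}: {module} does not export {symbol}")
```

Before wiring a module into auth or password lines, run exported_symbols on the real file (for example /lib/security/pam_radius.so) and feed the result to missing_entry_points; a module that exports only pam_sm_open_session and pam_sm_close_session can only be used on session lines, no matter what the config says.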
pinion
n00b

Joined: 11 Feb 2006
Posts: 47

PostPosted: Mon Oct 29, 2007 7:14 pm

I gave up trying to get the included pam_radius.so module to work with pam-0.78. So I emerged pam-0.99, which no longer has the pwdb USE flag or the pam_radius.so module. Details on the changes to the PAM ebuild: http://www.gentoo.org/proj/en/base/pam/upgrade-0.99.xml. So to get this working I downloaded and manually installed the pam_radius_auth.so module from http://www.freeradius.org/pam_radius_auth/ (make the module and copy it into the /lib/security/ folder). I have authentication working against my radius server; however, I am unable to change passwords. I modified the /etc/pam.d/passwd file:
Code:
# /etc/pam.d/passwd
auth       sufficient   pam_radius_auth.so     conf=/etc/pam_radius.conf
account    sufficient   pam_radius_auth.so     conf=/etc/pam_radius.conf
password   sufficient   pam_radius_auth.so     conf=/etc/pam_radius.conf
session    sufficient   pam_radius_auth.so     conf=/etc/pam_radius.conf
auth       include      system-auth
account    include      system-auth
password   include      system-auth

And it authenticates to radius when I change my password, but fails:
Code:
$ passwd
Password:
New password:
New password (again):
passwd: Authentication service cannot retrieve authentication info
$

Also, I would like portage to manage my library instead of me manually installing the freeradius library. Does anyone know if this is included with another package, or if there is a USE flag to install it? An overlay perhaps? I don't like manually installing anything or creating ebuilds that aren't a part of the portage tree. Also, does anyone have any insight into getting passwd to work with radius? I made sure it is passing on the radius side of things. Any help is much appreciated.
serial_penguin
Tux's lil' helper

Joined: 23 Aug 2005
Posts: 96
Location: US / Minnesota

PostPosted: Wed Oct 31, 2007 7:42 pm

I'm interested in getting pam_radius working as well, particularly with pam-0.99.8.1-r1. I wasn't aware that pam_radius was available with pam-0.78-r5 so I used the following ebuild (pam_radius-1.3.17.ebuild)
Code:
# Copyright 1999-2007 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $

DESCRIPTION="PAM to RADIUS authentication module"
HOMEPAGE="http://www.freeradius.org"
SRC_URI="ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz"

SLOT="0"
LICENSE="GPL-2"
KEYWORDS="~amd64"

DEPEND="sys-libs/pam"

S="${WORKDIR}/pam_radius-1.3.17"

src_compile() {
	emake || die "emake failed"
}

src_install() {
	# module where libpam looks for it; server config readable by root only
	install -d "${D}/lib/security"
	install -g root -o root -m 700 -d "${D}/etc/raddb"
	install -g root -o root -m 755 pam_radius_auth.so "${D}/lib/security"
	install -g root -o root -m 600 pam_radius_auth.conf "${D}/etc/raddb/server"

	dodoc Changelog INSTALL LICENSE README TODO USAGE
	dohtml index.html
}

and put it in my portage overlay. Of course, I have to maintain it. pam_radius seems to work just fine with pam-0.78-r5 on my amd64 machine. The installed pam_radius is preventing the upgrade of pam, which was probably good since it would have probably hosed my system if the upgrade had completed. I hadn't read all I should have before the attempted upgrade. My question is how to get pam_radius working after I remove it and then upgrade? Will the existing pam_radius recompile and work with the new pam? One must tread gently here.
pinion
n00b

Joined: 11 Feb 2006
Posts: 47

PostPosted: Tue Nov 06, 2007 8:05 pm

Thanks for the code for the ebuild. I will stick that in my overlay and reinstall it when I get a chance.

To get sshd to work with PAM once PAM is installed, you need to:

1. Create a config file to store the radius information (such as /etc/radius_pam.conf):
Code:
#Radius-server          shared-secret           number-of-retries
127.0.0.1               supersecuresecret       0

I do not believe DNS entries will work here, and of course use a more secure passphrase (http://grc.com/passwords)

2. Modify your sshd PAM config file (/etc/pam.d/sshd):
Code:
# /etc/pam.d/sshd
auth       sufficient   pam_radius_auth.so     conf=/etc/radius_pam.conf
account    sufficient   pam_radius_auth.so     conf=/etc/radius_pam.conf
password   sufficient   pam_radius_auth.so     conf=/etc/radius_pam.conf
session    sufficient   pam_radius_auth.so     conf=/etc/radius_pam.conf
auth       required     pam_shells.so
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth

Change the conf option to point to your config file.

3. Create an entry on your radius server (Cisco ACS in my case)
For the cisco ACS 3.3.3:
Code:
Click on "Network Configuration"
If you have defined groups click on the appropriate group
Click on "Add Entry"
Fill out the form being sure to enter the IP address for the gentoo box, the passphrase used earlier, and RADIUS-IETF
Click on "Submit And Restart"

4. Create a user on the gentoo box that will be using PAM:
Code:
sudo groupadd radiususer
sudo useradd -g radiususer -G adm -m radiususer

You should be able to ssh into the server using your radius credentials. If you have any problems, be sure to check the error logs for PAM (/var/log/syslog for PAM-0.99) and on the radius server.
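What the shared secret from step 1 and the NAS entry from step 3 actually do on the wire, as an added Python example that is neither pam_radius_auth's code nor anything from Cisco ACS: the NAS (the gentoo box) builds an Access-Request with the RFC 2865 PAP User-Password hiding, a simulated server unhides the password with its own copy of the secret and answers, and the NAS verifies the Response Authenticator before believing the answer. The user table, the NAS address 10.97.26.5, the identifier and the secrets are all constructed.

```python
"""RFC 2865 Access-Request / Access-Accept round trip with PAP password
hiding. Added example: a constructed NAS and a simulated RADIUS server."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then 16-byte Authenticator


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR block i with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = _md5(secret, prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return bytes(out)


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password; NUL padding is stripped, so a password that
    ends in NUL is not representable (a limit of the RFC scheme itself)."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_access_request(ident, secret, username, password, nas_ip):
    request_auth = os.urandom(16)  # fresh per request; also seeds the hiding
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
    ])
    header = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_reply(request, server_secret, users):
    """Simulated server: unhide with *its* secret, compare, and sign the reply
    with Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    _code, ident, length = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    given = unhide_password(attrs.get(USER_PASSWORD, b""), server_secret, request_auth)
    expected = users.get(attrs.get(USER_NAME, b""))
    ok = expected is not None and hmac.compare_digest(expected, given)
    header = HEADER.pack(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + _md5(header, request_auth, b"", server_secret)


def client_check_reply(reply, ident, request_auth, secret):
    """NAS side: a reply whose identifier or Response Authenticator does not
    verify under our secret is discarded, whatever its code says."""
    code, reply_ident, length = HEADER.unpack(reply[:4])
    if reply_ident != ident or length != len(reply):
        return "unverifiable"
    expected = _md5(reply[:4], request_auth, reply[20:length], secret)
    if not hmac.compare_digest(expected, reply[4:20]):
        return "unverifiable"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def pap_login(username, password, nas_secret, server_secret, users):
    """Full round trip; returns 'accept', 'reject' or 'unverifiable'."""
    req, request_auth = build_access_request(7, nas_secret, username, password, "10.97.26.5")
    return client_check_reply(server_reply(req, server_secret, users), 7, request_auth, nas_secret)


USERS = {b"radiususer": b"correct horse battery"}  # constructed user table
```

Calling pap_login with different NAS and server secrets shows why a wrong secret or a NAS entry with the wrong address looks like "no response" rather than a clean reject: the server cannot recover the password, and its reply does not verify on the NAS. The hiding is only an MD5 keystream keyed by the secret, so a short secret together with an untrusted path between the gentoo host and the RADIUS server exposes both the secret and user passwords to offline guessing; a long random secret and a trusted (or IPsec-protected) path are the controls. Separately, sufficient on the account and session lines in step 2 means a success from pam_radius_auth ends those stacks there, so the account checks pulled in from system-auth are skipped whenever it succeeds.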
All times are GMT