Hi, I have recently upgraded from OpenSSH-3.5 to OpenSSH-3.8 on my Red Hat 6.2 servers. I use radius (pam_radius_auth) for ssh authentication. Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to the conclusion that pam is skipping the radius section of the config file and is falling back to standard unix authentication. Is there any way of making ssh1 work with radius on recent versions of OpenSSH? Here is my pam config file: #%PAM-1.0 auth sufficient /lib/security/pam_radius_auth.so debug auth required /lib/security/pam_pwdb.so shadow nodelay auth required /lib/security/pam_nologin.so account sufficient /lib/security/pam_radius_auth.so account required /lib/security/pam_pwdb.so password sufficient /lib/security/pam_radius_auth.so password required /lib/security/pam_pwdb.so shadow nullok use_authtok session required /lib/security/pam_pwdb.so session required /lib/security/pam_limits.so Thanks, Paul Abel This E-mail message, including any attachments, is intended only for the person or entity to which it is addressed, and may contain confidential information. If you are not the intended recipient, any review, retransmission, disclosure, copying, modification or other use of this E-mail message or attachments is strictly forbidden. If you have received this E-mail message in error, please contact the author and delete the message and any attachments from your computer. You are also advised that the views and opinions expressed in this E-mail message and any attachments are the author's own, and may not reflect the views and opinions of Digital Interactive Television Group.
Is upgrading PuTTY an option? I have had problems with PuTTY 0.52 and recent versions of OpenSSH. I believe it is because PuTTY 0.52 does not support KbdInteractive. PuTTY 0.53b or newer should work. Paul Abel wrote:> Hi, > > I have recently upgraded from OpenSSH-3.5 to OpenSSH-3.8 on my Red Hat 6.2 servers. I use radius (pam_radius_auth) for ssh authentication. Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to the conclusion that pam is skipping the radius section of the config file and is falling back to standard unix authentication. > > Is there any way of making ssh1 work with radius on recent versions of OpenSSH? > > Here is my pam config file: > > #%PAM-1.0 > auth sufficient /lib/security/pam_radius_auth.so debug > auth required /lib/security/pam_pwdb.so shadow nodelay > auth required /lib/security/pam_nologin.so > account sufficient /lib/security/pam_radius_auth.so > account required /lib/security/pam_pwdb.so > password sufficient /lib/security/pam_radius_auth.so > password required /lib/security/pam_pwdb.so shadow nullok use_authtok > session required /lib/security/pam_pwdb.so > session required /lib/security/pam_limits.so > > Thanks, > Paul Abel > > > This E-mail message, including any attachments, is intended only for the person or entity to which it is addressed, and may contain confidential information. If you are not the intended recipient, any review, retransmission, disclosure, copying, modification or other use of this E-mail message or attachments is strictly forbidden. If you have received this E-mail message in error, please contact the author and delete the message and any attachments from your computer. You are also advised that the views and opinions expressed in this E-mail message and any attachments are the author's own, and may not reflect the views and opinions of Digital Interactive Television Group. > > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev-- Michael Haverkamp
Hi Paul, On Tue, Mar 23, 2004 at 04:18:59PM -0000, Paul Abel wrote:> Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to > the conclusion that pam is skipping the radius section of the config > file and is falling back to standard unix authentication.have you compiled openssh using --with-pam? Is there any sign of pam being used in /var/log/*?> This E-mail message, including any attachments, is intended onlyblah.. blah... blah... Chris -- Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -- Rich Cook
Paul Abel wrote:> Hi, > > I have recently upgraded from OpenSSH-3.5 to OpenSSH-3.8 on my Red Hat 6.2 servers. I use radius (pam_radius_auth) for ssh authentication. Since the upgrade ssh1 (putty 0.52) logins are failing. I've come to the conclusion that pam is skipping the radius section of the config file and is falling back to standard unix authentication. > > Is there any way of making ssh1 work with radius on recent versions of OpenSSH?Have you turned on "TIS" authentication in PuTTY? IIRC it is off by default. -d