Hi!

I'm trying to authenticate users on a Linux Red Hat AS 2.1 against a RADIUS server.

I have upgraded my OpenSSHd to:
OpenSSH_4.2p1, OpenSSL 0.9.6b [engine] 9 Jul 2001

The user accounts are NOT stored locally on the server (no accounts in /etc/passwd). Users ssh to the box:

ssh test at testserver.com
passwd: test

I'm using PAM to direct the authentication request to the RADIUS server. That part works fine.

But the request coming to the RADIUS server looks like:

User-Name = "test"
User-Password = "\010\n\INCORRECT"

I found this in auth-pam.c:
badpw[] = "\b\n\r\177INCORRECT";

- What is supposed to be the behaviour of ssh when it is used with PAM? Shall ssh pass on to PAM the exact credentials entered at the prompt (username and password) without altering them (rather than putting "INCORRECT" in the password: buffer_put_cstring(&buffer, badpw); in sshpam_respond() in auth-pam.c)?

(BTW, this is how I have installed ssh on my Linux box:
./configure --with-pam --prefix=/usr --sysconfdir=/etc/ssh
make
make install)

- I found that another OpenSSH user had a similar problem. Is there a workaround?

Thank you for your help. I'm really struggling with this...!

Philippe

________________________________________________________________________
This e-mail has been scanned for all known viruses by EMEA.
________________________________________________________________________
On Mon, Jan 30, 2006 at 09:37:55AM -0000, Le Gal Philippe wrote:
> Hi!
>
> I'm trying to authenticate users on a Linux Red Hat AS 2.1 against a
> RADIUS server.
>
> I have upgraded my OpenSSHd to:
> OpenSSH_4.2p1, OpenSSL 0.9.6b [engine] 9 Jul 2001
> The user accounts are NOT stored locally on the server (no accounts in
> /etc/passwd). Users ssh to the box: ssh test at testserver.com passwd:
> test I'm using PAM to direct the authentication request to the RADIUS
> server. That part works fine.
> But the request coming to the RADIUS server looks like:
>
> User-Name = "test"
> User-Password = "\010\n\INCORRECT"

sshd does that when the user doesn't exist or is otherwise prohibited from logging on to the system in question (i.e. when they are flagged as "invalid" or "illegal" users). If it didn't do this then an attacker may be able to distinguish between valid and invalid accounts and/or the correct password for an account not permitted to log in at all via ssh (there's a CVE or two for these types of problems).

> - I found that another OpenSSH user had a similar problem. Is there a
> workaround?

Configure your name service (e.g. nsswitch.conf) to return passwd entries for your RADIUS users (e.g. with nss_radius).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
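The practical question behind Darren's answer is whether getpwnam() on the sshd host resolves the RADIUS user at all, because that lookup, not the PAM result, is what decides whether sshd marks the user "invalid" and hands PAM the bogus "\b\n\r\177INCORRECT" password instead of the typed one. The following diagnostic is an added example for this thread, not code from OpenSSH or from either poster: it goes through NSS the same way sshd's getpwnam() call does (via getent) and also applies the login-shell check that sshd's allowed_user() performs. It deliberately models only those two conditions; sshd_config directives such as AllowUsers, DenyUsers and PermitRootLogin are assumed to be in their permissive state and are not checked here. The user name no_such_user_zz9 is a constructed example of an unresolvable account.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from OpenSSH): approximates the two
# host-side checks sshd makes before it considers a user "valid". When either
# fails, sshd of this era still calls into PAM but substitutes the constant
# badpw[] = "\b\n\r\177INCORRECT" for the password the client typed, so the
# RADIUS server sees exactly the request reported in the original message.
#
# Assumptions: sshd_config does not exclude the user (AllowUsers/DenyUsers,
# PermitRootLogin are left permissive); only NSS resolution and the shell
# check are modelled.

# 0 if the name resolves through NSS, which is what sshd's getpwnam() does
# (local /etc/passwd, or any nss_* module named in nsswitch.conf); 1 otherwise.
nss_user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# 0 if the account's login shell (field 7 of the passwd entry) exists and is
# executable; 1 otherwise. sshd's allowed_user() rejects accounts whose shell
# fails this test even when the passwd entry itself exists.
user_shell_ok() {
    shell=$(getent passwd "$1" 2>/dev/null | cut -d: -f7)
    [ -n "$shell" ] && [ -x "$shell" ]
}

# Prints a verdict for one user name. Returns 0 when sshd would pass the real
# password to PAM, 1 when it would substitute badpw instead.
sshd_would_pass_real_password() {
    user=$1
    if ! nss_user_resolves "$user"; then
        echo "$user: not resolvable via NSS -> sshd flags the user invalid, PAM gets INCORRECT"
        return 1
    fi
    if ! user_shell_ok "$user"; then
        echo "$user: login shell missing or not executable -> treated as invalid, PAM gets INCORRECT"
        return 1
    fi
    echo "$user: resolvable with a usable shell -> real password is passed to PAM"
    return 0
}

# Stand-alone usage: check a known local account and a constructed unknown one.
sshd_would_pass_real_password root
sshd_would_pass_real_password no_such_user_zz9 || true
```

Run it on the sshd host as any user; if the RADIUS account name comes back "not resolvable via NSS", the fix is on the NSS side (a passwd source for those users in nsswitch.conf), as Darren says, not in the PAM stack.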
Thank you for your prompt answer Darren,

Unfortunately, it seems that the nss_radius project is a dead end, as I can't find any module already written for it. I'm fairly new to all this and I don't want to spend my time writing an nss_radius module. Do you know if such a module exists somewhere?

Thank you
Philippe

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: 30 January 2006 09:56
To: Le Gal Philippe
Cc: openssh-unix-dev at mindrot.org
Subject: Re: badpw[] = "\b\n\r\177INCORRECT"

[quoted reply from Darren Tucker, as above]