Hello,

I think I have found a small problem with OpenSSH when a RADIUS server is unreachable.

I use RADIUS authentication with PAM; my system-auth is the following:

    auth     [success=done auth_err=die default=ignore] /lib/security/pam_radius_auth.so try_first_pass debug
    auth     [success=ignore auth_err=ignore default=ignore] pam_nologin.so file=/etc/raddb/radiusfailure
    auth     required /lib/security/pam_unix.so likeauth nullok md5 shadow
    auth     required /lib/security/pam_tally.so deny=2 per_user no_magic_root even_deny_root_account
    account  required /lib/security/pam_unix.so
    account  required /lib/security/pam_tally.so reset no_magic_root
    password required /lib/security/pam_cracklib.so retry=3
    password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password required /lib/security/pam_deny.so
    session  required /lib/security/pam_unix.so

When the RADIUS server is unreachable, we display the contents of the file radiusfailure: "RADIUS servers are unreachable, need local password.". With telnet these contents are displayed on the client between each authentication try, but not when I use the ssh client. With ssh, I have the following sequence:

    debug1: Doing password authentication.
    pascal at clin5207's password:
    Permission denied, please try again.
    pascal at clin5207's password:
    Permission denied, please try again.
    pascal at clin5207's password:
    Permission denied.

I have no indication that the RADIUS server is not reachable. Is it possible to fix the problem?

--
-------------------------
Pascal h.
Bureau C2080, colombes
where is the hammer
-------------------------
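To make the control-flag semantics of the posted auth stack concrete, here is an added example (not the poster's configuration or OpenSSH code) that walks the four auth lines under the Linux-PAM [value=action] rules and records the text pam_nologin would hand to the conversation; module return codes are supplied by hand, and the message is the one quoted above.

```python
# Added example: walk the 'auth' lines of the posted system-auth under
# Linux-PAM control-flag rules.  Module results are supplied by hand
# (constructed), so this runs without PAM, RADIUS or a nologin file.

# Return codes as named in the pam.conf [value=action] syntax.
PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"
PAM_AUTHINFO_UNAVAIL = "authinfo_unavail"   # RADIUS server unreachable

# Contents of /etc/raddb/radiusfailure, as quoted in the original message.
RADIUSFAILURE_TEXT = "RADIUS servers are unreachable, need local password."

# The four 'auth' lines in stack order.  'required' is the keyword form;
# the dicts are the bracketed [value=action] form from the posted config.
AUTH_STACK = [
    ("pam_radius_auth", {"success": "done", "auth_err": "die", "default": "ignore"}),
    ("pam_nologin",     {"success": "ignore", "auth_err": "ignore", "default": "ignore"}),
    ("pam_unix",        "required"),
    ("pam_tally",       "required"),
]


def run_auth(results):
    """Evaluate the stack.  results maps module name -> return code; an
    unlisted module is assumed to return PAM_SUCCESS (for pam_nologin that
    means the radiusfailure file is absent).  Returns (verdict, messages)."""
    failed = False          # set once a 'required' module has failed
    messages = []
    for module, control in AUTH_STACK:
        rc = results.get(module, PAM_SUCCESS)
        if module == "pam_nologin" and rc != PAM_SUCCESS:
            # pam_nologin fails when the file= exists and prints its contents;
            # with every action set to 'ignore' it only carries the message.
            messages.append(RADIUSFAILURE_TEXT)
        if control == "required":
            action = "ok" if rc == PAM_SUCCESS else "bad"
        else:
            action = control.get(rc, control["default"])
        if action == "done":            # stop now; earlier failures still count
            return ("denied" if failed else "granted", messages)
        if action == "die":             # stop now with failure
            return ("denied", messages)
        if action == "bad":             # remember the failure, keep walking
            failed = True
        # 'ok' and 'ignore': continue with the next module
    return ("denied" if failed else "granted", messages)
```

PAM emits the message in every "RADIUS unreachable" case; whether the user sees it depends on how the calling application (login via telnet, or sshd) relays conversation text to the client, which is what the rest of the thread is about.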
Pascal Henri wrote:
> I think I have found a small problem with OpenSSH when a RADIUS server is
> unreachable.
> I use RADIUS authentication with PAM; my system-auth is the following
[...]
> When the RADIUS server is unreachable, we display the contents of the file
> radiusfailure "RADIUS servers are unreachable, need local password.".
> With telnet these contents are displayed on the client between each
> authentication try but not when I use the ssh client.

Which version of OpenSSH are you using? There were some changes a while back (maybe 4.2p1 or so) whereby the messages returned by PAM were sent to the client as SSH2 banner packets, which should include situations such as this.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Darren Tucker wrote:
> Pascal Henri wrote:
>
>> I think I have found a small problem with OpenSSH when a RADIUS server is
>> unreachable.
>> I use RADIUS authentication with PAM; my system-auth is the following
>
> [...]
>
>> When the RADIUS server is unreachable, we display the contents of the file
>> radiusfailure "RADIUS servers are unreachable, need local password.".
>> With telnet these contents are displayed on the client between each
>> authentication try but not when I use the ssh client.
>
> Which version of OpenSSH are you using? There were some changes a while
> back (maybe 4.2p1 or so) whereby the messages returned by PAM were sent
> to the client as SSH2 banner packets, which should include situations
> such as this.

I use OpenSSH 3.9p2 currently. So if I use 4.4 with the SSH2 protocol, will it run?

--
-------------------------
Pascal h.
Bureau C2080, colombes
-------------------------
Pascal Henri wrote:
> Darren Tucker wrote:
>> Pascal Henri wrote:
[...]
>>> When the RADIUS server is unreachable, we display the contents of the file
>>> radiusfailure "RADIUS servers are unreachable, need local password.".
>>> With telnet these contents are displayed on the client between each
>>> authentication try but not when I use the ssh client.
>>
>> Which version of OpenSSH are you using? There were some changes a while
>> back (maybe 4.2p1 or so) whereby the messages returned by PAM were sent
>> to the client as SSH2 banner packets, which should include situations
>> such as this.
>
> I use OpenSSH 3.9p2 currently. So if I use 4.4 with the SSH2 protocol,
> will it run?

It depends on exactly what the PAM module does but, yes, it will probably give you the messages you want when using SSH protocol 2 connections (which is the default for most implementations these days).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
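As an added illustration of the mechanism Darren describes (this is not OpenSSH code), the SSH2 packet that carries such text is SSH_MSG_USERAUTH_BANNER, defined in RFC 4252 section 5.4; the example below builds and strictly parses its payload, using the message text from this thread as constructed input. How sshd accumulates PAM conversation text before sending it is not modelled.

```python
# Added example: the SSH2 banner message referred to in the thread, as
# specified in RFC 4252 section 5.4.  Handles only the unencrypted packet
# payload; sshd's collection of PAM text before sending is not modelled.
import struct

SSH_MSG_USERAUTH_BANNER = 53          # message number, RFC 4252


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' wire type (RFC 4251): uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def encode_banner(message: str, language_tag: str = "") -> bytes:
    """byte SSH_MSG_USERAUTH_BANNER, string message (UTF-8), string language tag."""
    return (bytes([SSH_MSG_USERAUTH_BANNER])
            + ssh_string(message.encode("utf-8"))
            + ssh_string(language_tag.encode("ascii")))


def decode_banner(payload: bytes):
    """Parse a banner payload strictly; raise ValueError on anything malformed
    so that a truncated or padded payload is never silently accepted."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_BANNER:
        raise ValueError("not an SSH_MSG_USERAUTH_BANNER payload")
    offset, fields = 1, []
    for _ in range(2):                        # message, then language tag
        if len(payload) < offset + 4:
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if len(payload) < offset + length:
            raise ValueError("truncated string")
        fields.append(payload[offset:offset + length])
        offset += length
    if offset != len(payload):
        raise ValueError("trailing bytes after language tag")
    return fields[0].decode("utf-8"), fields[1].decode("ascii")


if __name__ == "__main__":
    # Constructed input: the PAM text quoted in this thread.
    pkt = encode_banner("RADIUS servers are unreachable, need local password.")
    print(pkt.hex())
    print(decode_banner(pkt))
```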