Problems with SSH when using pam_radius_auth?

TJ Boyle thomas.boyle at openwave.com
Wed Aug 22 22:13:07 EST 2001


Hi,

I have installed OpenSSH 2.9p2 on Linux Redhat 7.0 with PAM support and
am using pam_radius_auth to authenticate off a radius server also running
Redhat. My problem is that the request goes via the radius server fine
and sends back a rad.accept to the pam module, but ssh refuses to let me
in. It looks like something to do with rhosts, but it complains very loudly
about expired accounts. I've looked at the archives and found lots of similar
issues but no actual responses, so I'm a bit worried because I think
this is my last resource to tap on for help :/

[root@netmon pam.d]# /usr/local/sbin/sshd -d -d -d
debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.9p2
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: No RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Invalid argument
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 10.20.110.68 port 3887
debug1: Client protocol version 1.99; client software version 2.4.0 SSH Secure Shell for Windows
debug1: match: 2.4.0 SSH Secure Shell for Windows pat ^2\.[2-9]\.
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_2.9p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-dss
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour
debug2: kex_parse_kexinit: 3des-cbc,blowfish-cbc,twofish-cbc,arcfour
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 1
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: dh_gen_key: priv key bits set: 191/384
debug1: bits set: 523/1024
debug1: expecting SSH2_MSG_KEXDH_INIT
debug1: bits set: 524/1024
debug1: sig size 20 20
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user tb0343 service ssh-connection method none
debug1: attempt 0 failures 0
debug2: input_userauth_request: setting up authctxt for tb0343
debug1: Starting up PAM with username "tb0343"
debug3: Trying to reverse map address 10.20.110.68.
debug1: PAM setting rhost to "capdhcp68"
debug2: input_userauth_request: try method none
Failed none for tb0343 from 10.20.110.68 port 3887 ssh2
debug1: userauth-request for user tb0343 service ssh-connection method none
debug1: attempt 1 failures 1
debug2: Unrecognized authentication method name: none
Failed none for tb0343 from 10.20.110.68 port 3887 ssh2
debug1: userauth-request for user tb0343 service ssh-connection method password
debug1: attempt 2 failures 2
debug2: input_userauth_request: try method password
debug1: PAM Password authentication accepted for user "tb0343"
PAM rejected by account configuration[13]: User account has expired
Failed password for tb0343 from 10.20.110.68 port 3887 ssh2


My pam.d/sshd config file looks like this:

#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_radius_auth.so debug
auth       required     /lib/security/pam_unix_auth.so
session    required     /lib/security/pam_pwdb.so


My login definitions state that min password age = 0, so I don't see why
it would say the account has expired.

My /var/log/messages looks like:

Aug 18 00:08:34 netmon sshd[9430]: PAM rejected by account configuration[13]: User account has expired
Aug 18 00:08:34 netmon sshd[9430]: Failed password for tb0343 from 10.20.110.68 port 3854 ssh2

Any ideas anyone?

TJ
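
Added example, not part of the original post: a small Python check that reads a pam.d service file and sshd's PAM lines, then reports which PAM management groups have no modules configured and which phase accepted or rejected the login. The sample input is constructed from the config and debug lines quoted above; the function names are hypothetical.

```python
import re

# Constructed sample input: the pam.d/sshd file and three sshd lines from the post.
PAM_SSHD = """\
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       sufficient   /lib/security/pam_radius_auth.so debug
auth       required     /lib/security/pam_unix_auth.so
session    required     /lib/security/pam_pwdb.so
"""
SSHD_LOG = """\
debug1: PAM Password authentication accepted for user "tb0343"
PAM rejected by account configuration[13]: User account has expired
Failed password for tb0343 from 10.20.110.68 port 3887 ssh2
"""

GROUPS = ("auth", "account", "password", "session")
# type, control (simple word or [bracketed] form), module path, optional args
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
REJECT = re.compile(r"PAM rejected by account configuration\[(\d+)\]: (.*)")

def parse_pam_service(text):
    """Return {group: [(control, module, args), ...]} for one service file."""
    stacks = {g: [] for g in GROUPS}
    for raw in text.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1).lower() in stacks:
            stacks[m.group(1).lower()].append((m.group(2), m.group(3), m.group(4).split()))
    return stacks

def empty_groups(stacks):
    """Management groups for which the service file configures no module."""
    return [g for g in GROUPS if not stacks[g]]

def pam_outcome(log):
    """Map each PAM phase seen in the sshd output to its result."""
    out = {}
    for line in log.splitlines():
        if "PAM Password authentication accepted" in line:
            out["auth"] = "accepted"
        m = REJECT.search(line)
        if m:
            out["account"] = (int(m.group(1)), m.group(2).strip())
    return out

if __name__ == "__main__":
    missing = empty_groups(parse_pam_service(PAM_SSHD))
    outcome = pam_outcome(SSHD_LOG)
    print("groups with no modules:", missing)
    print("phase results:", outcome)
    if "account" in outcome and "account" in missing:
        print("account phase rejected the login; service file has no account lines")
```

On the quoted input it reports that the auth phase accepted the password, the account phase returned code 13, and the service file contains no `account` or `password` entries.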






More information about the openssh-unix-dev mailing list