OpenSSH, Radius, PAM & NOUSER issue
Le Gal Philippe
Philippe.LeGal at emea.eu.int
Wed Jan 18 01:44:12 EST 2006
Hi !
Sorry to bring back the infamous "NOUSER" in the conversation but I didn't get the workaround on that problem.
Firstly, I'm using :
- openssh-3.1p1-15 which is the version which comes by default with my Red Hat Linux Advanced Server release 2.1AS.
- I'm using PAM, set up to use radius. Please find below the /etc/pam.d/sshd file :
#%PAM-1.0
auth sufficient /lib/security/pam_radius_auth.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
- I'm using the FreeRadius server. It is up and running in debug mode (see output below)
I'm trying to connect to this server using ssh :
ssh test@machine_of_the_test
The login name I used is : test
passwd : test
- This is my /var/log/messages :
Jan 16 19:34:59 machine_of_the_test sshd(pam_unix)[17647]: check pass; user unknown
Jan 16 19:34:59 machine_of_the_test sshd(pam_unix)[17647]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.60.76
- This is the request coming to the radius server. As you can see Username is "NOUSER"
rad_recv: Access-Request packet from host 172.16.zzz.xxx:18299, id=22, length=91
User-Name = "NOUSER"
User-Password = "test"
NAS-IP-Address = 127.0.0.1
NAS-Identifier = "sshd"
NAS-Port = 17274
NAS-Port-Type = Virtual
Service-Type = Authenticate-Only
Calling-Station-Id = "192.168.xxx.xxx"
How can I solve this? I want sshd to pass on to PAM the real username if it is not found in /etc/passwd and not the fake username "NOUSER". How do I do that?
I have more than 100 servers to administrate. I need a (very) easy way to do it!
Thanks for your help!
Philippe Email: Philippe.LeGal at emea.eu.int
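An added example, not part of the original message: a small parser for FreeRADIUS debug output that lists the Access-Requests in which sshd sent the placeholder User-Name "NOUSER", which the post reports happens when the login is not found in /etc/passwd. The sample text, the 172.16.0.x hosts, the user "alice" and the function names are constructed for illustration.

```python
import re

# Constructed sample of FreeRADIUS debug output, modelled on the packet in the post.
SAMPLE = '''\
rad_recv: Access-Request packet from host 172.16.0.10:18299, id=22, length=91
        User-Name = "NOUSER"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "sshd"
        Calling-Station-Id = "192.168.60.76"
rad_recv: Access-Request packet from host 172.16.0.11:18300, id=23, length=88
        User-Name = "alice"
        NAS-Identifier = "sshd"
        Calling-Station-Id = "192.168.60.77"
'''

HEADER = re.compile(r'^rad_recv: (\S+) packet from host ([^:\s]+):(\d+), id=(\d+)')
ATTR = re.compile(r'^\s*([A-Za-z0-9-]+) = "?(.*?)"?\s*$')

def parse_requests(text):
    """Return one dict per rad_recv block: packet type, source host, attributes."""
    packets = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            packets.append({"type": m.group(1), "host": m.group(2), "attrs": {}})
            continue
        m = ATTR.match(line)
        if m and packets:  # attribute lines belong to the most recent header
            packets[-1]["attrs"][m.group(1)] = m.group(2)
    return packets

def nouser_requests(text):
    """(NAS host, client address) for each sshd Access-Request carrying NOUSER."""
    hits = []
    for p in parse_requests(text):
        a = p["attrs"]
        if (p["type"] == "Access-Request" and a.get("User-Name") == "NOUSER"
                and a.get("NAS-Identifier") == "sshd"):
            hits.append((p["host"], a.get("Calling-Station-Id")))
    return hits

if __name__ == "__main__":
    for host, client in nouser_requests(SAMPLE):
        print(f"{host}: sshd sent NOUSER for a login from {client}")
```

Run against the saved debug output of the RADIUS server, this shows which of the SSH servers are sending the placeholder name and from which client address the login came.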