OpenSSH, Radius, PAM & NOUSER issue

Le Gal Philippe Philippe.LeGal at emea.eu.int
Wed Jan 18 01:44:12 EST 2006


Hi!
 
Sorry to bring back the infamous "NOUSER" in the conversation but I didn't get the workaround on that problem. 
 
Firstly, I'm using:
 
- openssh-3.1p1-15 which is the version which comes by default with my Red Hat Linux Advanced Server release 2.1AS.
 
- I'm using PAM, set up to use radius. Please find below the /etc/pam.d/sshd file:
 
#%PAM-1.0
auth       sufficient     /lib/security/pam_radius_auth.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

- I'm using the FreeRadius server. It is up and running in debug mode (see output below).
 
I'm trying to connect to this server using ssh:
 
ssh test@machine_of_the_test
 
The login name I used is: test
passwd : test
 
- This is my /var/log/messages:
 
Jan 16 19:34:59 machine_of_the_test sshd(pam_unix)[17647]: check pass; user unknown
Jan 16 19:34:59 machine_of_the_test sshd(pam_unix)[17647]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=192.168.60.76
 
- This is the request coming to the radius server. As you can see, Username is "NOUSER":
 
rad_recv: Access-Request packet from host 172.16.zzz.xxx:18299, id=22, length=91
        User-Name = "NOUSER"
        User-Password = "test"
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "sshd"
        NAS-Port = 17274
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "192.168.xxx.xxx"

How can I solve this? I want sshd to pass on to PAM the real username if it is not found in /etc/passwd and not the fake username "NOUSER". How do I do that?
I have more than 100 servers to administrate. I need a (very) easy way to do it!
 
Thank you for your help!
Philippe Email: Philippe.LeGal at emea.eu.int
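
Added example, not part of the original post and not OpenSSH or FreeRADIUS code: a parser for debug output shaped like the rad_recv block above, reporting which RADIUS clients send sshd requests carrying the placeholder User-Name "NOUSER", so affected hosts can be located across a fleet. The sample text and its addresses are constructed, the function names are hypothetical, and User-Password is dropped during parsing because the debug output prints it in clear.

```python
import re

# Constructed sample shaped like the debug output above; addresses are placeholders.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 192.0.2.10:18299, id=22, length=91
        User-Name = "NOUSER"
        User-Password = "test"
        NAS-Identifier = "sshd"
        Calling-Station-Id = "198.51.100.7"
rad_recv: Access-Request packet from host 192.0.2.11:40112, id=23, length=88
        User-Name = "alice"
        NAS-Identifier = "sshd"
        Calling-Station-Id = "198.51.100.8"
rad_recv: Access-Request packet from host 192.0.2.10:18301, id=24, length=91
        User-Name = "NOUSER"
        NAS-Identifier = "sshd"
        Calling-Station-Id = "198.51.100.9"
"""

HEADER = re.compile(r"^rad_recv: (\S+) packet from host ([^:\s]+):\d+, id=\d+")
ATTR = re.compile(r"^\s+([A-Za-z0-9-]+) = (.*)$")

def parse_requests(text):
    """Return one dict per rad_recv block; User-Password is never retained."""
    requests, current = [], None
    for line in text.splitlines():
        header, attr = HEADER.match(line), ATTR.match(line)
        if header:
            current = {"type": header.group(1), "host": header.group(2), "attrs": {}}
            requests.append(current)
        elif attr and current is not None:
            if attr.group(1) != "User-Password":
                current["attrs"][attr.group(1)] = attr.group(2).strip('"')
        else:
            current = None  # any other line ends the attribute block
    return requests

def nouser_sources(text, nas_identifier="sshd"):
    """Map each sending host to the client addresses of its NOUSER requests."""
    hits = {}
    for req in parse_requests(text):
        attrs = req["attrs"]
        if (req["type"] == "Access-Request" and attrs.get("User-Name") == "NOUSER"
                and attrs.get("NAS-Identifier") == nas_identifier):
            hits.setdefault(req["host"], []).append(attrs.get("Calling-Station-Id", "unknown"))
    return hits

if __name__ == "__main__":
    for host, clients in sorted(nouser_sources(SAMPLE_DEBUG).items()):
        print(f"{host}: {len(clients)} NOUSER request(s), clients: {', '.join(clients)}")
```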
