ssh, PAM, and radius

Yawn, googlefood.

I set up RADIUS (specifically freeradius) in order to centralize user and password management for all my Cisco devices.

Then I got the brilliant idea “Hey, why don’t I use RADIUS for ssh / unix logins as well?”

Wall, meet head. Bonk. Bonk. I spent half the day struggling to understand the following log from “freeradius -X”:

[pap] login attempt with password "? INCORRECT"
[pap] Passwords don't match.
Failed to authenticate the user.

and the following red herring in auth.log:

Mar 12 11:15:00 colo-boss sshd[15453]: pam_unix(sshd:auth): check pass; user unknown
Mar 12 11:15:00 colo-boss sshd[15453]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Mar 12 11:15:01 colo-boss sshd[15453]: Failed password for invalid user dholloway from 127.0.0.1 port 56177 ssh2
Mar 12 11:15:47 colo-boss sshd[15476]: Invalid user dholloway from 127.0.0.1
Mar 12 11:15:52 colo-boss sshd[15476]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
Mar 12 11:15:52 colo-boss sshd[15476]: pam_radius_auth: All RADIUS servers failed to respond.

The “RADIUS server .. failed to respond” lines from pam_radius_auth are a complete red herring here; that message presumably makes sense down some other code path, but not this one.

The real hint is the “check pass; user unknown” line from pam_unix. In other words, it has nothing to do with the password. It has to do with the fact that the user doesn’t exist in /etc/passwd (or anywhere else NSS looks). But that makes no sense at first; why do you have to spread user info over all your systems just to use a centralized RADIUS system to log in?

Already see the answer? Then you’re quicker than I was. Remember that the Unix / Linux kernel has no real concept of “usernames”; a username is just an alias for the all-important numeric uid, and it is resolved to a uid (plus home directory and shell) by getpwnam() through NSS. sshd does that lookup before the PAM stack ever runs. If the lookup fails, sshd logs “Invalid user”, marks the login as invalid, and still walks the PAM stack so that an attacker can’t distinguish valid from invalid usernames by timing; but it substitutes a fixed bogus password for whatever the client typed. That fixed string (OpenSSH’s badpw constant in auth-pam.c, "\b\n\r\177INCORRECT", with the control characters rendered as “?”) is what freeradius printed as “? INCORRECT”. RADIUS only hands back usernames, never uids, so it can’t help with the lookup. Ergo, it was not the password that was incorrect; it was the username, because it didn’t exist in /etc/passwd, and RADIUS never even saw the real password.

Ergo, the problem goes away if you provision a local user: the uid, home and shell then come from /etc/passwd, and the password check goes through RADIUS via PAM. Create that local account with no (i.e. locked) local password, so that the pam_unix line in the stack can never authenticate it on its own and RADIUS remains the only way in. Any NSS source will do for the lookup, not just /etc/passwd; sshd only needs getpwnam() to succeed.
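A small triage script that encodes the lesson above, as an added example that is not part of the original post: it first checks whether NSS can resolve the user at all (the lookup sshd performs before PAM runs), then classifies the auth.log lines of each sshd pid so that an “Invalid user” login is reported as an account problem even when pam_radius_auth also logs “failed to respond”. The first six sample log lines are the post’s own; the remaining lines, the pid numbers 15500 and 15520 and the function names are constructed for this example. It assumes a Linux host with getent(1).

```shell
#!/bin/sh
# Added example (not from the original post). Triage sshd + PAM + RADIUS
# login failures so a missing local account is not blamed on the RADIUS server.

# sshd calls getpwnam() before PAM runs. If this fails, the login is an
# "invalid user" and sshd hands PAM a fixed bogus password instead of the one
# the client typed, so RADIUS never sees the real credential.
# Falls back to /etc/passwd if getent(1) is not installed.
user_resolvable() {
    getent passwd "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/passwd 2>/dev/null
}

# Constructed sample log: the first six lines are the post's auth.log excerpt,
# the rest are made up to show the other outcomes (hypothetical pids).
SAMPLE_LOG="Mar 12 11:15:00 colo-boss sshd[15453]: pam_unix(sshd:auth): check pass; user unknown
Mar 12 11:15:00 colo-boss sshd[15453]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost
Mar 12 11:15:01 colo-boss sshd[15453]: Failed password for invalid user dholloway from 127.0.0.1 port 56177 ssh2
Mar 12 11:15:47 colo-boss sshd[15476]: Invalid user dholloway from 127.0.0.1
Mar 12 11:15:52 colo-boss sshd[15476]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
Mar 12 11:15:52 colo-boss sshd[15476]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 12 11:20:03 colo-boss sshd[15500]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
Mar 12 11:20:03 colo-boss sshd[15500]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 12 11:21:10 colo-boss sshd[15520]: Accepted password for dholloway from 127.0.0.1 port 56200 ssh2"

# List the distinct sshd pids seen in the log read from stdin.
sshd_pids() {
    sed -n 's/.*sshd\[\([0-9][0-9]*\)\].*/\1/p' | sort -u
}

# Classify one sshd pid's lines (log read from stdin). The order matters:
# an unknown user wins over any RADIUS message for the same pid, because the
# "failed to respond" noise is a consequence of the bogus-password path, not
# the cause of the failure.
classify_sshd_pid() {
    pid="$1"
    lines=$(grep "sshd\[$pid\]:")
    if printf '%s\n' "$lines" | grep -Eqi 'user unknown|invalid user'; then
        echo NSS_UNKNOWN_USER        # fix: provision the account in NSS, locked local password
    elif printf '%s\n' "$lines" | grep -q 'All RADIUS servers failed to respond'; then
        echo RADIUS_UNREACHABLE      # now it really is the server, secret or firewall
    elif printf '%s\n' "$lines" | grep -q 'Accepted password'; then
        echo OK
    else
        echo UNKNOWN
    fi
}

# Demo: classify every pid in the sample log.
for pid in $(printf '%s\n' "$SAMPLE_LOG" | sshd_pids); do
    printf 'sshd[%s] -> %s\n' "$pid" "$(printf '%s\n' "$SAMPLE_LOG" | classify_sshd_pid "$pid")"
done
```

Run `user_resolvable dholloway` first on a box that misbehaves like this; if it fails, no amount of freeradius debugging will help, because the “? INCORRECT” password RADIUS is rejecting is sshd’s placeholder, not the user’s.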

Once you find the black magic terms to Google the solution, you find “oh, use LDAP as your database behind RADIUS” (more precisely: keep the accounts in LDAP and point both NSS and freeradius at it, so the uid lookup and the password check share one source), at which point my tolerance for using huge packages with zillions of config options to do one simple thing runs out.

Although, I wonder if using NIS would work…

References:

  • This post hinted at what “? INCORRECT” was really telling me.
  • and this one made it clear.