Install PrivacyIdea Radius module on CentOS?


Keef

Dec 15, 2015, 9:05:32 AM12/15/15
to privacyidea
Hi,

We have set up a PrivacyIdea (Ubuntu) server and an LDAP (CentOS) server and have now set up a FreeRadius (CentOS 7) server, but are not sure how we go about getting the Radius server to connect to our PrivacyIdea server. I think we need to install the privacyIdea radius module but are not sure how to go about this.

We had trouble getting PrivacyIdea installed on CentOS so went with Ubuntu, but would prefer to stay on CentOS for the radius server. Could someone provide us with some guidance, as we're a bit lost with the whole radius thing.

Cheers
Keith

Cornelius Kölbel

Dec 15, 2015, 9:13:25 AM12/15/15
to priva...@googlegroups.com
Hi Keef,

In fact it is rather simple.
Unfortunately it is split in two parts in the documentation.
I think we have to optimize the docs.

So, first get the plugin.
https://github.com/privacyidea/FreeRADIUS

In fact you simply need one perl module:
https://raw.githubusercontent.com/privacyidea/FreeRADIUS/master/privacyidea_radius.pm

Now add the privacyIDEA plugin to FreeRADIUS:
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html#freeradius-plugin
The configuration of modules/perl needs to point to the
privacyidea_radius.pm perl module.

Now you can configure the plugin according to:
http://privacyidea.readthedocs.org/en/latest/application_plugins/radius.html#rlm-perl-ini

In your case you need to point the URL in your rlm_perl.ini to your
privacyIDEA server.

It is always a good idea to start freeRADIUS in debug mode, to test if
everything is fine.

freeradius -X

or

radiusd -X

Kind regards
Cornelius
> --
> You received this message because you are subscribed to the Google
> Groups "privacyidea" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to privacyidea...@googlegroups.com.
> To post to this group, send email to priva...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/privacyidea/f97464d2-4d08-4a26-9a46-2201d2739f19%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Keef

Dec 25, 2015, 5:41:16 PM12/25/15
to privacyidea
Hi, I am not having much luck with getting Freeradius to work with PrivacyIDEA; could someone help us? We're using CentOS 7. Thanks, Keith

echo "User-Name=keith@test-ldap,User-Password=1234vviktrcgjlefrlnihfgklrfvbjvhcukggvekicnnjugf" | radclient localhost:1812 auth testing123

$RAD_REQUEST{'User-Password'} = &request:User-Password -> '1234vviktrcgjlefrlnihfgklrfvbjvhcukggvekicnnjugf'
(8)  perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'keith@test-ldap'
(8)  perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> '1234vviktrcgjlefrlnihfgklrfvbjvhcukggvekicnnjugf'
(8)   [perl] = ok
(8)   [preprocess] = ok
(8)   [chap] = noop
(8)   [mschap] = noop
(8)   [digest] = noop
(8)  suffix : Checking for suffix after "@"
(8)  suffix : Looking up realm "test-ldap" for User-Name = "keith@test-ldap"
(8)  suffix : No such realm "test-ldap"
(8)   [suffix] = noop
(8)  eap : No EAP-Message, not doing EAP
(8)   [eap] = noop
(8)   [files] = noop
(8)   [expiration] = noop
(8)   [logintime] = noop
(8)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(8)  WARNING: pap : Authentication will fail unless a "known good" password is available
(8)   [pap] = noop
(8)  } #  authorize = ok
(8) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(8) Failed to authenticate the user
(8) Using Post-Auth-Type Reject
(8) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(8)  Post-Auth-Type REJECT {
(8)  attr_filter.access_reject : EXPAND %{User-Name}
(8)  attr_filter.access_reject :    --> keith@test-ldap
(8)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(8)   [attr_filter.access_reject] = updated
(8)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(8)   [eap] = noop
(8)   remove_reply_message_if_eap remove_reply_message_if_eap {
(8)     if (&reply:EAP-Message && &reply:Reply-Message)
(8)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(8)    else else {
(8)     [noop] = noop
(8)    } # else else = noop
(8)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(8)  } # Post-Auth-Type REJECT = updated
(8) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(8) Sending delayed response
(8) Sending Access-Reject packet to host 127.0.0.1 port 52686, id=14, length=0
Sending Access-Reject Id 14 from 127.0.0.1:1812 to 127.0.0.1:52686
Waking up in 3.9 seconds.
(8) Cleaning up request packet ID 14 with timestamp +526
Ready to process requests

Cornelius Kölbel

Dec 27, 2015, 3:24:40 AM12/27/15
to priva...@googlegroups.com
Hi Keith,

we need some more of your configuration.
Please stick to this documentation.
http://privacyidea.readthedocs.org/en/latest/application_plugins/index.html#freeradius-plugin
If we can identify your problem, we might be able to improve the docs
where necessary.

You need the privacyidea radius perl module, which "translates" the
RADIUS request into the privacyIDEA API.

For this, you need to activate the freeradius "rlm_perl" and you need to
configure the rlm_perl to use the privacyidea's perl module.

FreeRADIUS first "authorizes" the user and then "authenticates" the user.
It looks like you did not send the authorize debug output.

You try to authenticate with the user keith@test-ldap. Probably because
you have a privacyIDEA realm "test-ldap". But freeradius also uses
@test-ldap as a FreeRADIUS realm.

So to keep things simple I recommend in the first step to define
"test-ldap" as the default realm in your privacyIDEA server and then
authenticate only with "keith" (no realm).

See what happens.
If it still does not help, please send the complete debug output.

Kind regards
Cornelius
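The translation Cornelius describes, as an added example that is not the project's privacyidea_radius.pm: the two halves of a RADIUS-to-privacyIDEA bridge, mapping User-Name/User-Password onto the /validate/check request and turning the JSON reply into an accept or reject. The privacyIDEA host name is assumed, every JSON body is constructed for this example, and the reply attribute privacyIDEA-Serial is the name that comes up later in this thread.

```python
"""Added example, not the privacyidea_radius.pm module from the project: the
translation step a RADIUS-to-privacyIDEA bridge performs.  Request and response
shapes follow the documented /validate/check API; all sample bodies are
constructed for this example."""
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed privacyIDEA host; in the thread this is what rlm_perl.ini's URL points at.
VALIDATE_URL = "https://privacyidea.example.org/validate/check"


def build_validate_request(user, password, realm=None):
    """Map RADIUS User-Name / User-Password onto the form fields of
    /validate/check.  A realm is only sent when the bridge is configured
    with one; a bare user such as 'keith' is then resolved against the
    server's default realm."""
    params = {"user": user, "pass": password}
    if realm:
        params["realm"] = realm
    return urllib.parse.urlencode(params).encode()


def decide(response_body):
    """Turn a /validate/check JSON body into a RADIUS decision.

    Returns (decision, reply_attrs): decision is "accept" or "reject";
    reply_attrs holds the vendor attributes the bridge would add to the
    Access-Accept (privacyIDEA-Serial here), which is why that name must
    exist in the FreeRADIUS dictionary.  Anything malformed, and any error
    the server reports, is a reject: the bridge fails closed."""
    try:
        body = json.loads(response_body)
        result = body["result"]
        status, value = result["status"], result.get("value")
    except (ValueError, KeyError, TypeError):
        return "reject", {}
    if status is not True or value is not True:
        return "reject", {}
    detail = body.get("detail") or {}
    attrs = {}
    if detail.get("serial"):
        attrs["privacyIDEA-Serial"] = detail["serial"]
    return "accept", attrs


def check_user(user, password, realm=None, url=VALIDATE_URL, timeout=10):
    """Do the round trip.  TLS certificate verification stays on; a network
    or HTTP error is treated like a reject, never like an accept."""
    req = urllib.request.Request(
        url, data=build_validate_request(user, password, realm), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return decide(resp.read())
    except (urllib.error.URLError, OSError):
        return "reject", {}


if __name__ == "__main__":
    # Constructed bodies: one successful OTP check, one failed one.
    ok = json.dumps({"result": {"status": True, "value": True},
                     "detail": {"serial": "OATH00000000"}})
    bad = json.dumps({"result": {"status": True, "value": False},
                      "detail": {"message": "wrong otp pin"}})
    print(decide(ok))
    print(decide(bad))
```

The point to take from the debug output later in the thread is that this decision still has to be turned into an Auth-Type by the FreeRADIUS site configuration; a module returning ok on its own does not authenticate anybody.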

Keef

Jan 7, 2016, 8:27:16 AM1/7/16
to privacyidea
Hi, sorry for the delay in getting back in touch. I checked and test-ldap was the default realm in PrivacyIdea. Anyway, I tried authenticating without the @test-ldap and got the following. Can you help?


echo "User-Name=keith,User-Password=742351" | radclient localhost:1812 auth testing123
(0) -: Expected Access-Accept got Access-Reject



Received Access-Request Id 254 from 127.0.0.1:51650 to 127.0.0.1:1812 length 45
User-Name = 'keith'
User-Password = '742351'
(0) Received Access-Request packet from host 127.0.0.1 port 51650, id=254, length=45
(0) User-Name = 'keith'
(0) User-Password = '742351'
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0)   authorize {
(0)   perl : $RAD_REQUEST{'User-Name'} = &request:User-Name -> 'keith'
(0)   perl : $RAD_REQUEST{'User-Password'} = &request:User-Password -> '742351'
(0)  perl : &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'keith'
(0)  perl : &request:User-Password = $RAD_REQUEST{'User-Password'} -> '742351'
(0)   [perl] = ok
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "keith", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)   [files] = noop
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)  WARNING: pap : Authentication will fail unless a "known good" password is available
(0)   [pap] = noop
(0)  } #  authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0)  Post-Auth-Type REJECT {
(0)  attr_filter.access_reject : EXPAND %{User-Name}
(0)  attr_filter.access_reject :    --> keith
(0)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (&reply:EAP-Message && &reply:Reply-Message)
(0)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds

Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 51650, id=254, length=0
Sending Access-Reject Id 254 from 127.0.0.1:1812 to 127.0.0.1:51650

Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 254 with timestamp +21
Ready to process requests

Thanks
Keith
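Reading radiusd -X output by hand is error-prone, so here is an added example (not part of privacyIDEA or FreeRADIUS) that parses one request out of the debug output and states the diagnosis in the log's own terms: the perl module returned ok in authorize, nothing set an Auth-Type, so no authenticate section ran and the request was rejected. SAMPLE_DEBUG is a constructed excerpt in the shape of the output quoted above; the pattern for an Auth-Type being set inside an update block is an assumption about how radiusd renders it.

```python
"""Added example (not from privacyIDEA or FreeRADIUS): a reader for radiusd -X
output that collects per-section module return codes for one request and
explains a reject.  SAMPLE_DEBUG is a constructed excerpt in the shape of the
output quoted in this thread."""
import re

SAMPLE_DEBUG = """\
(0) Received Access-Request packet from host 127.0.0.1 port 51650, id=254, length=45
(0) # Executing section authorize from file /etc/raddb/sites-enabled/privacyidea
(0)   authorize {
(0)   [perl] = ok
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [suffix] = noop
(0)   [eap] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)   [pap] = noop
(0)  } #  authorize = ok
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/privacyidea
(0)  Post-Auth-Type REJECT {
(0)   [attr_filter.access_reject] = updated
(0)  } # Post-Auth-Type REJECT = updated
(0) Sending Access-Reject packet to host 127.0.0.1 port 51650, id=254, length=0
"""

SECTION_RE = re.compile(r"^\(\d+\) # Executing (?:section (\w+)|group) from file")
MODULE_RE = re.compile(r"^\(\d+\)\s+\[([\w.-]+)\] = (\w+)")
NO_AUTH_TYPE_RE = re.compile(r"^\(\d+\) ERROR: No Auth-Type found")
# Assumed rendering of "Auth-Type := Perl" inside an update block; the
# lookbehind keeps "Post-Auth-Type = Reject" from counting as a set Auth-Type.
AUTH_TYPE_SET_RE = re.compile(r"(?<!Post-)Auth-Type\s*:?=\s*(\w+)")
VERDICT_RE = re.compile(r"^\(\d+\) Sending (Access-\w+) packet")


def parse_request(lines, request_id):
    """Return sections, module return codes and the verdict of one request id."""
    prefix = f"({request_id})"
    section = None
    sections = {}  # section name -> list of (module, rcode)
    info = {"auth_type": None, "no_auth_type": False, "verdict": None}
    for line in lines:
        if not line.startswith(prefix):
            continue  # radiusd interleaves other requests and timer messages
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) or "post-auth"
            sections.setdefault(section, [])
            continue
        m = MODULE_RE.match(line)
        if m and section is not None:
            sections[section].append((m.group(1), m.group(2)))
            continue
        if NO_AUTH_TYPE_RE.match(line):
            info["no_auth_type"] = True
        m = AUTH_TYPE_SET_RE.search(line)
        if m:
            info["auth_type"] = m.group(1)
        m = VERDICT_RE.match(line)
        if m:
            info["verdict"] = m.group(1)
    info["sections"] = sections
    return info


def diagnose(info):
    """Findings a reviewer would draw from one parsed request."""
    if info["verdict"] == "Access-Accept":
        return ["accepted"]
    findings = []
    authorize = dict(info["sections"].get("authorize", []))
    if info["no_auth_type"]:
        findings.append("authorize finished without any Auth-Type, so no authenticate section ran")
        if authorize.get("perl") == "ok":
            findings.append("rlm_perl returned ok in authorize but nothing set Auth-Type from it; "
                            "compare the site config with the one the privacyIDEA docs ship")
        if authorize.get("pap") == "noop":
            findings.append("pap is noop because it has no local known-good password; "
                            "with privacyIDEA the OTP is verified remotely, so pap is not the authenticator")
    if "authenticate" not in info["sections"]:
        findings.append("no authenticate section was executed")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_request(SAMPLE_DEBUG.splitlines(), 0)):
        print("-", finding)
```

Run it against a saved radiusd -X capture with the request number you care about; the request prefix filter is what keeps the "Waking up" timer lines and other requests out of the picture.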

Cornelius Kölbel

Jan 7, 2016, 8:59:23 AM1/7/16
to priva...@googlegroups.com
Hi Keith,

configuration still missing.

What does all the eap-if-stuff do there?
This does not look like the default privacyIDEA freeradius config.

Kind regards
Cornelius

Keef

Jan 14, 2016, 9:27:23 AM1/14/16
to privacyidea
Hi Again,

Yesterday I decided to try switching OS from CentOS to Ubuntu to see if I could get Freeradius / PrivacyIDEA Perl Module to work on a different OS and it does !!!!!
We had a similar issue getting the PrivacyIDEA Server/App to work on CentOS and ended up switching to Ubuntu, so I can't see us switching back to CentOS, at least for anything PrivacyIDEA related.

There are a few issues that I need to sort out, but so far I have managed to get one of our CentOS servers to authenticate using a HOTP token !!! :>)
The two issues that are left are as follows; if you think we should raise these separately then just say.


1. We get the following error in the output from "radiusd -X" and am not sure if it's a real issue or not, but I couldn't find any documentation about it as I am not sure where to look:
rlm_perl: ERROR: Failed to create pair privacyIDEA-Serial = OATH000XXXXXX


2. The second issue is that we want to use TFA to log into our servers through a web remote desktop gateway called guacamole (http://guac-dev.org/). As we've got SSH Radius authentication working we're now trying to get an SSH terminal through
guacamole to a server, but the login process is hanging and we're not sure why. Below is the output of /var/log/messages from the server that we were trying to log into. It seems like the problem is that it's trying to log in twice, which breaks the OTP policy we think.

Jan 14 11:23:01 Xserver sshd[9084]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1475868288.
Jan 14 11:23:02 Xserver sshd[9084]: Accepted password for keith from 192.168.XX.6 port 33244 ssh2
Jan 14 11:23:02 Xserver sshd[9084]: pam_unix(sshd:session): session opened for user keith by (uid=0)

Jan 14 11:23:07 Xserver sshd[9088]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 1080871296.
Jan 14 11:23:08 Xserver unix_chkpwd[9090]: password check failed for user (keith)
Jan 14 11:23:08 Xserver sshd[9088]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=guacamole.XXXXXXXXXXXXXXXXXXXX  user=keith
Jan 14 11:23:11 Xserver sshd[9088]: Failed password for keith from 192.168.XX.6 port 33245 ssh2
Jan 14 11:23:11 Xserver sshd[9089]: Connection closed by 192.168.XX.6

Thanks for all your help.
Keith

Cornelius Kölbel

Jan 14, 2016, 10:11:28 AM1/14/16
to priva...@googlegroups.com
Hi Keef,

On Thursday, 14.01.2016, 06:27 -0800, Keef wrote:
> Hi Again,
>
> Yesterday I decided to try switching OS from CentOS to Ubuntu to see
> if I could get Freeradius / PrivacyIDEA Perl Module to work on a
> different OS and it does !!!!!
> We had a similar issue getting the PrivacyIDEA Server/App to work on
> CentOS and ended up switching to Ubuntu so I can't see us switching
> back to CentOS, at least for anything PrivacyIDEA related.
>
> There are a few issues that I need to sort out but so far I have
> managed to get one of our CentOS servers to authenticate using a HOTP
> token !!! :>)
> The two issues that are left are as follows; if you think we should
> raise these separately then just say.
>
>
> 1. We get the following error in the output from "radiusd -X" and am
> not sure if it's a real issue or not but I couldn't find any
> documentation about it as I am not sure where to look. ?
> rlm_perl: ERROR: Failed to create pair privacyIDEA-Serial =
> OATH000XXXXXX

You need to add additional RADIUS Value Pairs.

Create a file /etc/[radiusd|freeradius]/dictionary.netknights

with the following content:
--snip--
VENDOR NetKnights 44929

# Backwards compatibility.
BEGIN-VENDOR NetKnights

ATTRIBUTE privacyIDEA-Serial 1 string
ATTRIBUTE privacyIDEA-Realm 2 string
ATTRIBUTE privacyIDEA-Resolver 3 string

END-VENDOR NetKnights
--snap--

In your dictionary file do

$INCLUDE dictionary.netknights



> 2. The second issue is that we want to use TFA to log into our servers
> through a web remote desktop gateway called guacamole
> (http://guac-dev.org/). As we've got SSH Radius authentication working
> we're now trying to get a SSH Terminal through
> guacamole to a server but the login process is hanging and we're not
> sure why. Below is output of /var/log/messages from the server that we
> were trying to log into. It seems like the problem is that it's trying
> to log in twice, which breaks the OTP policy we think.
>
> Jan 14 11:23:01 Xserver sshd[9084]: pam_radius_auth: DEBUG:
> getservbyname(radius, udp) returned -1475868288.
> Jan 14 11:23:02 Xserver sshd[9084]: Accepted password for keith from
> 192.168.XX.6 port 33244 ssh2
> Jan 14 11:23:02 Xserver sshd[9084]: pam_unix(sshd:session): session
> opened for user keith by (uid=0)
>
> Jan 14 11:23:07 Xserver sshd[9088]: pam_radius_auth: DEBUG:
> getservbyname(radius, udp) returned 1080871296.
> Jan 14 11:23:08 Xserver unix_chkpwd[9090]: password check failed for
> user (keith)
> Jan 14 11:23:08 Xserver sshd[9088]: pam_unix(sshd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=guacamole.XXXXXXXXXXXXXXXXXXXX user=keith
> Jan 14 11:23:11 Xserver sshd[9088]: Failed password for keith from
> 192.168.XX.6 port 33245 ssh2
> Jan 14 11:23:11 Xserver sshd[9089]: Connection closed by 192.168.XX.6

This does not sound good.
I heard this from another Remote-X-Server Vendor, that authentication
checks the password twice for some reason. (Design flaw?)

So at the moment there is no easy solution to this.

Way to go would be:
Dig into the guacamole (hm, yummy) and see and understand why this
happens. (maybe there could be some PAM voodoo)

At this point I can not tell anything more...

This is an old discussion, but I really do not like to break the sense
of one-time passwords and allow a one-time password to be used twice.

Kind regards
Cornelius

>
> Thanks for all your help.
> Keith
>
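To see why the dictionary include matters for issue 1, here is an added example (not part of privacyIDEA or FreeRADIUS): a minimal reader for the dictionary syntax used above (VENDOR, BEGIN-VENDOR/END-VENDOR, ATTRIBUTE, $INCLUDE). It loads constructed in-memory copies of dictionary and dictionary.netknights and reports whether an attribute such as privacyIDEA-Serial is defined, which is the condition behind the "Failed to create pair" error. The error message mapping and the file contents are assumptions made for this example; it does not handle the full dictionary grammar (VALUE lines, attribute flags).

```python
"""Added example, not part of privacyIDEA or FreeRADIUS: a minimal reader for
the FreeRADIUS dictionary syntax (VENDOR, BEGIN-VENDOR/END-VENDOR, ATTRIBUTE,
$INCLUDE) used to check whether a reply attribute is defined.  The files below
are constructed stand-ins for /etc/raddb/dictionary and dictionary.netknights."""

FILES_WITH_INCLUDE = {
    "dictionary": "$INCLUDE dictionary.netknights\n",
    "dictionary.netknights": """\
VENDOR NetKnights 44929

# Backwards compatibility.
BEGIN-VENDOR NetKnights

ATTRIBUTE privacyIDEA-Serial 1 string
ATTRIBUTE privacyIDEA-Realm 2 string
ATTRIBUTE privacyIDEA-Resolver 3 string

END-VENDOR NetKnights
""",
}
# The state Keith's server was in: the vendor file exists but is never included.
FILES_WITHOUT_INCLUDE = {
    "dictionary": "# no vendor include yet\n",
    "dictionary.netknights": FILES_WITH_INCLUDE["dictionary.netknights"],
}


class DictionaryError(Exception):
    pass


def load_dictionary(files, name="dictionary", _vendors=None, _attrs=None, _seen=None):
    """Parse a dictionary tree starting at `name`.
    Returns ({vendor_name: vendor_id}, {attr_name: (vendor_id_or_None, number, type)})."""
    vendors = {} if _vendors is None else _vendors
    attrs = {} if _attrs is None else _attrs
    seen = set() if _seen is None else _seen
    if name in seen:
        raise DictionaryError(f"include loop at {name}")
    seen.add(name)
    if name not in files:
        raise DictionaryError(f"missing file {name}")
    vendor = None  # current BEGIN-VENDOR scope; None means the standard attribute space
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        kw = tok[0].upper()
        if kw == "$INCLUDE" and len(tok) == 2:
            load_dictionary(files, tok[1], vendors, attrs, seen)
        elif kw == "VENDOR" and len(tok) == 3:
            vendors[tok[1]] = int(tok[2])
        elif kw == "BEGIN-VENDOR" and len(tok) == 2:
            if tok[1] not in vendors:
                raise DictionaryError(f"{name}:{lineno}: BEGIN-VENDOR before VENDOR {tok[1]}")
            vendor = vendors[tok[1]]
        elif kw == "END-VENDOR":
            vendor = None
        elif kw == "ATTRIBUTE" and len(tok) == 4:
            attrs[tok[1]] = (vendor, int(tok[2]), tok[3])
        else:
            raise DictionaryError(f"{name}:{lineno}: unsupported line {raw!r}")
    return vendors, attrs


def dictionary_problem(files):
    """Return the first parse error as a string, or None when the tree loads."""
    try:
        load_dictionary(files)
    except DictionaryError as e:
        return str(e)
    return None


def can_create_pair(files, attr_name):
    """The check behind rlm_perl's 'Failed to create pair': the attribute must
    be known to the loaded dictionary before a reply pair can be built."""
    _, attrs = load_dictionary(files)
    return attr_name in attrs


if __name__ == "__main__":
    for label, files in (("with include", FILES_WITH_INCLUDE), ("without", FILES_WITHOUT_INCLUDE)):
        print(label, "privacyIDEA-Serial:", can_create_pair(files, "privacyIDEA-Serial"))
```

Pointing the loader at real files is a matter of reading them into the same dict keyed by the names the $INCLUDE lines use; the loop and missing-file checks are there because a typo in an include name fails silently in a reply attribute otherwise.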