# PAM + SSH + Freeradius = FAIL



## airtonarantes (Jul 16, 2011)

Hello everyone,

I've just installed a fresh FreeBSD 8.2 to do a lab about SSH authentication using FreeRadius.

What I did: typed at top of /usr/local/etc/raddb/users the following:


```
airton Cleartext-Password := "senhaairton"
```

This is my /usr/local/etc/raddb/clients.conf:


```
client localhost {
        ipaddr          = 127.0.0.1
        secret          = senhaairton
        nastype         = other
}
```

This is my /etc/radius.conf:


```
auth 127.0.0.1 secret 1
```

This is my /etc/pam.d/sshd:


```
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass
# account
account         required        pam_nologin.so

# INCLUDED BY ME
#
auth            sufficient      pam_radius.so
#
#
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass
```

Okay, so I open another terminal and in one I run

[cmd=]#radiusd -X[/cmd]


```
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
```

So with another terminal I run
[cmd=]ssh airton@127.0.0.1[/cmd]

```
Password:         I'm not typing nothing here, just press ENTER
RADIUS Password:  and show this login prompt, here I type  senhairton
```

The *radiusd -X* results:


```
rad_recv: Access-Request packet from host 127.0.0.1 port 37598, id=156, length=74
	User-Name = "airton"
	User-Password = "senhaairton"
	NAS-Identifier = "radius.plafit.com.br"
	Service-Type = Authenticate-Only
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "airton", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry airton at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "senhaairton"
[pap] Using clear text password "senhaairton"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 156 to 127.0.0.1 port 37598
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 156 with timestamp +313
Ready to process requests.
```

How I can't get a shell if the 
	
	



```
[pap] User authenticated successfully
```
 says this ?

Can anyone here help me?


----------



## Sebulon (Jul 16, 2011)

Hi,

yeah, PAM is a chapter of it's own but I believe you should do it like this instead:

```
# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
[B]auth           sufficient      pam_radius.so[/B]
auth            required        pam_unix.so             no_warn try_first_pass
# account
account         required        pam_nologin.so
```

You cannot end with a "sufficient", so that line needs to come there, in between. That has been a 'doh! for me as well. I hope it helps!

/Sebulon


----------



## airtonarantes (Jul 16, 2011)

Sebulon, you're right, now is working with successful. I'm learning freeradius now, and came malign idea to try radius+ssh heheheh, but because of this, I'm seeing that I have to learn more about PAM...


....thank you very much.


----------



## Sebulon (Jul 16, 2011)

Sweet!

PAM + SSH + Freeradius now = SUCCESS 

/Sebulon


----------

