OpenBSD logins via SSH seem to be ignoring my configured radius server

Posted by Steve Kemp on Server Fault
Published on 2010-08-09T17:39:31Z Indexed on 2011/01/15 1:54 UTC

I've installed and configured a radius server upon my localhost - it is delegating auth to a remote LDAP server.

Initially things look good: I can test via the console:

# export user=skemp
# export pass=xxx
# radtest $user $pass localhost 1812 $secret
Sending Access-Request of id 185 to 127.0.0.1 port 1812
    User-Name = "skemp"
    User-Password = "xxx"
    NAS-IP-Address = 192.168.1.168
    NAS-Port = 1812
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=185,

Similarly I can use the login tool to do the same thing:

bash-4.0# /usr/libexec/auth/login_radius -d -s login $user radius
Password: $pass
authorize

However remote logins via SSH are failing, and so are invocations of "login" started by root. Looking at /var/log/radiusd.log I see no actual log of success/failure which I do see when using either of the previous tools.

Instead sshd is just logging:

 sshd[23938]: Failed publickey for skemp from 192.168.1.9
 sshd[23938]: Failed keyboard-interactive for skemp from 192.168.1.9 port 36259 ssh2
 sshd[23938]: Failed password for skemp from 192.168.1.9 port 36259 ssh2

In /etc/login.conf I have this:

# Default allowed authentication styles
auth-defaults:auth=radius:

...

radius:\
    :auth=radius:\
    :radius-server=localhost:\
    :radius-port=1812:\
    :radius-timeout=1:\
    :radius-retries=5:
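
The /etc/login.conf fragment above is in the getcap-style capability format, where a login class sees only the fields in its own record plus whatever a `tc=` entry pulls in. As an added example that is not part of the original post, this sketch resolves the effective capabilities per class; the `default` record and the function names are assumptions, since the post elides that part of the file.

```python
# Added example: resolve login.conf(5) capabilities per login class.
# SAMPLE is constructed: the two records shown in the post plus an
# assumed "default" class, which the post does not show.
SAMPLE = r"""
# Default allowed authentication styles
auth-defaults:auth=radius:
default:\
    :tc=auth-defaults:
radius:\
    :auth=radius:\
    :radius-server=localhost:\
    :radius-port=1812:\
    :radius-timeout=1:\
    :radius-retries=5:
"""


def parse_records(text):
    """Return {class name: [capability fields]} from getcap-style text."""
    records = {}
    for line in text.replace("\\\n", "").splitlines():  # join continuations
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        names, *fields = (f.strip() for f in line.split(":"))
        for name in names.split("|"):        # a record may list aliases
            records[name] = [f for f in fields if f]
    return records


def resolve(records, cls, _seen=None):
    """Effective capabilities of cls; tc= pulls in another record and the
    first definition of a capability wins, as in cgetent(3)."""
    seen = _seen if _seen is not None else set()
    if cls in seen or cls not in records:    # unknown class or tc= loop
        return {}
    seen.add(cls)
    caps = {}
    for field in records[cls]:
        key, sep, value = field.partition("=")
        if key == "tc":
            for k, v in resolve(records, value, seen).items():
                caps.setdefault(k, v)
        else:
            caps.setdefault(key, value if sep else True)
    return caps


if __name__ == "__main__":
    for name in ("default", "radius"):
        print(name, resolve(parse_records(SAMPLE), name))
```

Escaped colons inside values and `cap@` cancellation are not handled by this sketch.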
