OpenBSD logins via SSH seem to be ignoring my configured radius server
Posted by Steve Kemp on Server Fault
Published on 2010-08-09T17:39:31Z
I've installed and configured a radius server upon my localhost - it is delegating auth to a remote LDAP server.
Initially things look good: I can test via the console:
    # export user=skemp
    # export pass=xxx
    # radtest $user $pass localhost 1812 $secret
    Sending Access-Request of id 185 to 127.0.0.1 port 1812
        User-Name = "skemp"
        User-Password = "xxx"
        NAS-IP-Address = 192.168.1.168
        NAS-Port = 1812
    rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=185,
Similarly I can use the login tool to do the same thing:
    bash-4.0# /usr/libexec/auth/login_radius -d -s login $user radius
    Password: $pass
    authorize
However, remote logins via SSH are failing, and so are invocations of "login" started by root. Looking at /var/log/radiusd.log I see no actual log of success/failure which I do see when using either of the previous tools.
Instead sshd is just logging:
    sshd[23938]: Failed publickey for skemp from 192.168.1.9
    sshd[23938]: Failed keyboard-interactive for skemp from 192.168.1.9 port 36259 ssh2
    sshd[23938]: Failed password for skemp from 192.168.1.9 port 36259 ssh2
In /etc/login.conf I have this:
    # Default allowed authentication styles
    auth-defaults:auth=radius:
    ...
    radius:\
        :auth=radius:\
        :radius-server=localhost:\
        :radius-port=1812:\
        :radius-timeout=1:\
        :radius-retries=5:
© Server Fault or respective owner