INCORRECT password string sent by sshd via pam radius
versions
gentoo package names and versions:
sys-libs/pam version 1.2.1
sys-auth/pam_radius version 1.3.17-r1
net-dialup/freeradius 3.0.14
problem description
A newly set up pam_radius client fails sshd authentication against a FreeRADIUS server. The RADIUS shared secret is correct. The password string that reaches the server is not the password entered on the client.
error messages
radius server error messages
These error messages are the debug output printed on the terminal after starting the RADIUS server manually in debug mode with the command: radiusd -X
pap: ERROR: Cleartext password "? ?INCORRECT" does not match "known good" password
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
The password string "? ?INCORRECT" should be the actual password entered on the client, but it isn't. Depending on the length of the password entered you get more or less of this mangled string. For example, if you enter a six-character password you might see...
pap: ERROR: Cleartext password "? ?IN" does not match "known good" password
or a longer password gives you repeats of the string...
pap: ERROR: Cleartext password "? ?INCORRECT? ?INCORRECT? " does not match "known good" password
sshd error messages
Oct 15 02:24:23 gentoobase64 sshd[8341] Invalid user jsmith from 10.9.1.26 port 35160
Oct 15 02:24:23 gentoobase64 sshd[8341]: input_userauth_request: invalid user jsmith [preauth]
sshd's messages should be found in a file under /var/log/; the exact location varies with your syslog setup.
root cause
The user account does not exist locally on the ssh server. sshd looks the login name up with getpwnam() before it runs the PAM auth stack. When the lookup fails it logs "Invalid user ..." and, so that valid and invalid usernames cannot be told apart by timing, it still runs PAM but hands it a dummy password instead of the one the user typed. In OpenSSH this is done by the fake_password() helper in auth-pam.c: the dummy has the same length as the typed password and is filled by cycling through a fixed junk string consisting of four control bytes followed by INCORRECT. pam_radius forwards that dummy unchanged, which is why the server sees "? ?INCORRECT", a shortened form for short passwords and repeats for longer ones, and why the "Unprintable characters in the password" warning fires even though the shared secret is correct. Neither pam nor pam_radius rewrites the password. The line in /etc/pam.d/sshd that was suspected,

account include system-remote-login

is not what requires the local account: that check happens inside sshd before any PAM module runs, and the account stack is only consulted after authentication has already succeeded. Similar behaviour can be expected from other applications that resolve the user with getpwnam() before calling PAM.
See the pam(8) and pam.d(5) man pages for the meaning of the configuration lines in this file.
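The three shapes of mangled password in the radiusd -X output above can be checked mechanically rather than by eye. The following Python script is an added example; it is not part of the original page, of pam_radius or of FreeRADIUS. It reimplements the way sshd builds its dummy password for an unknown user (the fake_password() helper in OpenSSH's auth-pam.c, which cycles the junk string "\b\n\r\x7fINCORRECT" to the length of the password typed; that the client's sshd behaves this way is an assumption, consistent with the strings on this page) and uses it to classify "Cleartext password" lines: it separates the sshd dummy from a genuine shared-secret mismatch (a wrong secret decrypts User-Password to pseudorandom bytes, RFC 2865 section 5.2, so the INCORRECT pattern does not appear) and infers how many characters the user typed. The sample log lines are constructed from the ones shown above.

```python
"""Triage radiusd -X 'Cleartext password ... does not match' lines for the
sshd dummy-password signature.  Added example, not code from the page."""

import re
from typing import List, Optional, Tuple

# Junk string that OpenSSH's fake_password() (auth-pam.c) cycles through when
# the login name does not resolve to a local account.  Assumption: the sshd on
# the client builds its dummy this way; the page's three strings agree with it.
SSHD_JUNK = "\b\n\r\x7fINCORRECT"
_PATTERN = "".join(c for c in SSHD_JUNK if c.isalpha())   # "INCORRECT"

# The rlm_pap failure line as printed by radiusd -X.
PAP_RE = re.compile(r'Cleartext password "(.*)" does not match "known good" password')

# Constructed sample of radiusd -X output: the three shapes from the page, a
# line that is not the sshd dummy, and the warning line (ignored by the regex).
SAMPLE_RADIUSD_LINES = [
    'pap: ERROR: Cleartext password "? ?INCORRECT" does not match "known good" password',
    'pap: ERROR: Cleartext password "? ?IN" does not match "known good" password',
    'pap: ERROR: Cleartext password "? ?INCORRECT? ?INCORRECT? " does not match "known good" password',
    'pap: ERROR: Cleartext password "hunter2" does not match "known good" password',
    'WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!',
]


def sshd_fake_password(entered: str) -> str:
    """Port of OpenSSH fake_password(): same length as the typed password,
    bytes taken by cycling SSHD_JUNK.  This is what pam_radius ends up sending."""
    return "".join(SSHD_JUNK[i % len(SSHD_JUNK)] for i in range(len(entered)))


def _letters(s: str) -> str:
    # radiusd and the terminal render the control bytes unreliably ('?', ' ',
    # cursor movement), so only the alphabetic residue of the string is trusted.
    return "".join(c for c in s if c.isalpha())


def classify_pap_password(printed: str) -> Tuple[str, Optional[Tuple[int, int]]]:
    """Classify the password string radiusd printed.

    Returns (verdict, length_range):
      'sshd-invalid-user' - cycled INCORRECT pattern: sshd substituted a dummy
                            because the user is unknown on the NAS; the range is
                            the min/max number of characters the user typed.
      'not-sshd-dummy'    - letters present but not the pattern: a real password
                            or a shared-secret mismatch (pseudorandom bytes).
      'inconclusive'      - no letters at all: 4 typed characters or fewer give a
                            dummy of control bytes only, which is indistinguishable
                            from other garbage; check sshd's log for "Invalid user".
    A residue of one or two letters ("I", "IN") is weak evidence on its own.
    """
    got = _letters(printed)
    if not got:
        return "inconclusive", None
    full, rem = divmod(len(got), len(_PATTERN))
    if got != _PATTERN * full + _PATTERN[:rem]:
        return "not-sshd-dummy", None
    # Every typed length n whose dummy has this letter residue is a candidate;
    # the control bytes at the end of a cycle make the length ambiguous by up to 4.
    lengths = [n for n in range(1, 2 * len(got) + len(SSHD_JUNK))
               if _letters(sshd_fake_password("x" * n)) == got]
    return "sshd-invalid-user", (min(lengths), max(lengths))


def triage_radiusd_log(lines: List[str]) -> List[Tuple[str, str, Optional[Tuple[int, int]]]]:
    """Run the classifier over radiusd -X output.  Returns one
    (printed_password, verdict, length_range) tuple per rlm_pap failure line."""
    results = []
    for line in lines:
        m = PAP_RE.search(line)
        if m:
            verdict, rng = classify_pap_password(m.group(1))
            results.append((m.group(1), verdict, rng))
    return results


if __name__ == "__main__":
    for pw, verdict, rng in triage_radiusd_log(SAMPLE_RADIUSD_LINES):
        extra = f", user typed {rng[0]}-{rng[1]} characters" if rng else ""
        print(f"{pw!r}: {verdict}{extra}")
```

Running the script prints a verdict per rlm_pap line: the page's "? ?INCORRECT" corresponds to a typed password of 13 to 17 characters, "? ?IN" to exactly 6, and "hunter2" is reported as not being the sshd dummy. The inconclusive case matters in practice: a password of four characters or fewer yields a dummy of control bytes only, which radiusd prints as a couple of '?' and which looks exactly like a secret mismatch, so the "Invalid user" line in sshd's log is the deciding evidence there.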
solution
1) Create the user account locally with useradd (or make the name resolvable through NSS from a directory such as LDAP). Do not set a local password: the password is configured on the RADIUS server, and an account created by useradd without one stays locked for local password login, which is what you want. Confirm that the name now resolves (for example with getent passwd) before testing ssh again.
2) Reconfiguring /etc/pam.d/sshd does not remove the requirement. sshd rejects an unknown name, and substitutes the dummy password, before any PAM module runs, so the account has to resolve through NSS whatever the PAM configuration says.
links
Troubleshooting (official freeradius site)
http://freeradius.1045715.n5.nabble.com/ssh-authentication-failed-problem-use-freeradius-amp-pam-radius-td5687733.html
http://freeradius.1045715.n5.nabble.com/ssh-cleartext-password-quot-INCORRECT-quot-td2775727.html