Hello Charles -
Thanks for the thorough debugging. What I would like to see now is your
configuration file (no secrets), together with any relevant users files.
Specifically I want to know how the AuthBy UNIX is being called twice.
cheers
Hugh
On Tue, 11 Jul 2000, Charles Sprickman wrote:
> Hi,
>
> I found a user on our system that is handled by the AuthUnix clause. We
> have a copy of master.passwd that radiator reads, and it seems to work
> fine. I can log in with the proper password and get rejected with an
> improper password. I have found one case where a user gets in with his
> last good password and his current password.
>
> In short the following is true:
>
> -using any random password gets rejected
> -using current password gets accepted
> -using last password gets accepted
>
> In the master.passwd file, here is the line for the user:
>
> someuser:QMMdCvdnbBmSw:1423:25::0:0:Problem User:/home/someuser:/usr/local/bin/noshell
>
> The user is in no other auth file/db.
>
> Here's some of the logfiles (both pass.log and trace):
>
> ---here is an incorrect password
>
> Mon Jul 10 12:31:29 2000:963246689:someuser:900956:QMMdCvdnbBmSw:FAIL
>
> Mon Jul 10 12:31:28 2000: DEBUG: Rewrote user name to someuser
> Mon Jul 10 12:31:28 2000: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Jul 10 12:31:28 2000: DEBUG: Rewrote user name to someuser
> Mon Jul 10 12:31:28 2000: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 10 12:31:28 2000: DEBUG: Handling with Radius::AuthFILE
> Mon Jul 10 12:31:28 2000: DEBUG: Radius::AuthFILE looks for match with
> someuser
> Mon Jul 10 12:31:28 2000: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT
> Mon Jul 10 12:31:28 2000: DEBUG: Handling with Radius::AuthUNIX
> Mon Jul 10 12:31:28 2000: DEBUG: Radius::AuthUNIX looks for match with
> someuser
> Mon Jul 10 12:31:28 2000: DEBUG: Radius::AuthUNIX REJECT: Bad Encrypted
> someuser
> Mon Jul 10 12:31:28 2000: DEBUG: Radius::AuthFILE REJECT: Bad Encrypted
> password
> Mon Jul 10 12:31:28 2000: DEBUG: Handling with Radius::AuthUNIX
> Mon Jul 10 12:31:29 2000: DEBUG: Radius::AuthUNIX looks for match with
> someuser
> Mon Jul 10 12:31:29 2000: DEBUG: Radius::AuthUNIX REJECT: Bad Encrypted
> password
> Mon Jul 10 12:31:29 2000: INFO: Access rejected for someuser: Bad
> Encrypted password
>
> ---here is the current correct password
>
> Mon Jul 10 12:31:44 2000:963246704:someuser:900957:EUKutM..6qzBk:PASS
>
> Mon Jul 10 12:31:44 2000: DEBUG: Rewrote user name to someuser
> Mon Jul 10 12:31:44 2000: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Jul 10 12:31:44 2000: DEBUG: Rewrote user name to someuser
> Mon Jul 10 12:31:44 2000: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 10 12:31:44 2000: DEBUG: Handling with Radius::AuthFILE
> Mon Jul 10 12:31:44 2000: DEBUG: Radius::AuthFILE looks for match with
> someuser
> Mon Jul 10 12:31:44 2000: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT
> Mon Jul 10 12:31:44 2000: DEBUG: Handling with Radius::AuthUNIX
> Mon Jul 10 12:31:44 2000: DEBUG: Radius::AuthUNIX looks for match with
> someuser
> Mon Jul 10 12:31:44 2000: DEBUG: Radius::AuthUNIX ACCEPT:
> Mon Jul 10 12:31:44 2000: DEBUG: Radius::AuthFILE ACCEPT:
> Mon Jul 10 12:31:44 2000: DEBUG: Access accepted for someuser
>
> ---here is the old password (verified that this is not in the
> master.passwd file radiator uses, and he's not in users either)
>
> Mon Jul 10 12:32:08 2000:963246728:someuser:Yyk9052s:EUKutM..6qzBk:FAIL
> Mon Jul 10 12:32:08 2000:963246728:someuser:Yyk9052s:QMMdCvdnbBmSw:PASS
> (note the TWO entries in the password log for one login attempt)
>
> Mon Jul 10 12:32:08 2000: DEBUG: Rewrote user name to someuser
> Mon Jul 10 12:32:08 2000: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Mon Jul 10 12:32:08 2000: DEBUG: Rewrote user name to someuser
> Mon Jul 10 12:32:08 2000: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 10 12:32:08 2000: DEBUG: Handling with Radius::AuthFILE
> Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthFILE looks for match with
> someuser
> Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthFILE looks for match with
> DEFAULT
> Mon Jul 10 12:32:08 2000: DEBUG: Handling with Radius::AuthUNIX
> Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthUNIX looks for match with
> someuser
> Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthUNIX REJECT: Bad Encrypted
> password
> Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthFILE REJECT: Bad Encrypted
> password
> --- (NOTE he was rejected by all methods, then it tries again)
> Mon Jul 10 12:32:08 2000: DEBUG: Handling with Radius::AuthUNIX
> Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthUNIX looks for match with
> someuser
> Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthUNIX ACCEPT:
> Mon Jul 10 12:32:08 2000: DEBUG: Access accepted for someuser
>
> What could this be?
>
> Thanks,
>
> Charles
>
> | Charles Sprickman | Internet Channel
> | INCH System Administration Team | (212)243-5200
> | [EMAIL PROTECTED] | [EMAIL PROTECTED]
>
>
> ===
> Archive at http://www.starport.net/~radiator/
> Announcements on [EMAIL PROTECTED]
> To unsubscribe, email '[EMAIL PROTECTED]' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc.
Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X.
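
Added example, not part of the original thread and not Radiator code: a small log check for the two symptoms reported above, an AuthBy module handled more than once within a single request and one login attempt compared against more than one stored hash. The sample lines are adapted from the quoted logs with mail line-wraps rejoined and the submitted-password field replaced by placeholders; the pass.log field order is an assumption read off those lines.

```python
import re
from collections import defaultdict

# Sample input adapted from the quoted trace and pass.log (placeholders for passwords).
TRACE = """\
Mon Jul 10 12:32:08 2000: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Jul 10 12:32:08 2000: DEBUG: Handling with Radius::AuthFILE
Mon Jul 10 12:32:08 2000: DEBUG: Handling with Radius::AuthUNIX
Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthUNIX REJECT: Bad Encrypted password
Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthFILE REJECT: Bad Encrypted password
Mon Jul 10 12:32:08 2000: DEBUG: Handling with Radius::AuthUNIX
Mon Jul 10 12:32:08 2000: DEBUG: Radius::AuthUNIX ACCEPT:
Mon Jul 10 12:32:08 2000: DEBUG: Access accepted for someuser
""".splitlines()
PASSLOG = """\
Mon Jul 10 12:31:44 2000:963246704:someuser:current-pw:EUKutM..6qzBk:PASS
Mon Jul 10 12:32:08 2000:963246728:someuser:old-pw:EUKutM..6qzBk:FAIL
Mon Jul 10 12:32:08 2000:963246728:someuser:old-pw:QMMdCvdnbBmSw:PASS
""".splitlines()

EVENT = re.compile(r": DEBUG: (?:Handling with (Radius::\w+)|(Radius::\w+) (ACCEPT|REJECT))")

def repeated_authby(trace):
    """Per request, return {module: verdicts} for modules handled more than once."""
    findings, calls, verdicts = [], defaultdict(int), defaultdict(list)
    def flush():
        hit = {m: verdicts[m] for m, n in calls.items() if n > 1}
        if hit:
            findings.append(hit)
        calls.clear(); verdicts.clear()
    for line in trace:
        if "Handling request with Handler" in line:  # start of a new request
            flush()
        m = EVENT.search(line)
        if m and m.group(1):
            calls[m.group(1)] += 1
        elif m:
            verdicts[m.group(2)].append(m.group(3))
    flush()
    return findings

def multi_hash_attempts(passlog):
    """Attempts (epoch, user) that were compared against more than one stored hash."""
    seen = defaultdict(set)
    for line in passlog:
        # Assumed field order: date:epoch:user:submitted:stored_hash:result
        _, epoch, user, _submitted, stored, _result = line.rsplit(":", 5)
        seen[(epoch, user)].add(stored)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}
```

A submitted password containing a colon would break the `rsplit` field split, so treat hits from `multi_hash_attempts` as leads to confirm against the trace log.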