Hello, I have been trying to authenticate users from a Linux box (Red Hat ES 4 i386) using pam_radius (1.3.17), and it always fails with the message "Bad password". I have read some other threads on this list saying that the problem is the secret between the server and the radius (3.17.1-1), and I have discarded this by doing some other tests (changing the secret on the radius produces a message on the server saying that the secret is not valid).
So, doing some other tests, I have found a problem with the password decryption on the radius; it seems that the password is not being decrypted correctly. I have modified the "decode_password" subroutine in Radius.pm, uncommenting the following lines:

    # Uncomment this if you really want to see whats really
    # in the password. Useful for finding obscure bugs
    my $pwdump = Radius::AttrVal::pclean($pwdout);
    &main::log($main::LOG_DEBUG, "Decoded password is $pwdump", $self);

and this is what shows up in the trace 4 log:

    *** Received from 10.0.124.53 port 27601 ....
    Code:       Access-Request
    Identifier: 108
    Authentic:  7<22><216>m<171>zD<191><238>@<181>[zl=<253>
    Attributes:
        User-Name = "frcm"
        User-Password = P<191><5><142>2<222>2_<156><230><224>/.p<171><242>
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "sshd"
        NAS-Port = 26576
        NAS-Port-Type = Virtual
        Service-Type = Authenticate-Only
        Calling-Station-Id = "172.16.178.76"

    Tue Mar 22 09:19:00 2011: DEBUG: Handling request with Handler 'NAS-Identifier="sshd"'
    Tue Mar 22 09:19:00 2011: DEBUG: Deleting session for frcm, 127.0.0.1, 26576
    Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* uVf<204><1>w<227>-<190>V..<15>
    Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL
    Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL: SERVERS
    Tue Mar 22 09:19:00 2011: DEBUG: Query is: 'SELECT password FROM usuarios WHERE username='frcm'':
    Tue Mar 22 09:19:00 2011: ERR: Execute failed for 'SELECT password FROM usuarios WHERE username='frcm'': Lost connection to MySQL server during query
    Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL looks for match with frcm [frcm]
    Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* uVf<204><1>w<227>-<190>V..<15>
    Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL REJECT: Bad Password: frcm [frcm]
    Tue Mar 22 09:19:00 2011: DEBUG: AuthBy SQL result: REJECT, Bad Password
    Tue Mar 22 09:19:00 2011: INFO: Access rejected for frcm: Bad Password
    Tue Mar 22 09:19:00 2011: DEBUG: Packet dump:
    *** Sending to 10.0.124.53 port 27601 ....
    Code:       Access-Reject
    Identifier: 108
    Authentic:  7<22><216>m<171>zD<191><238>@<181>[zl=<253>
    Attributes:
        Called-Station-Id = "<198>* uVf<204><1>w<227>-<190>V..<15>"
        Reply-Message = "Bad Password"

If I use the radpwtst utility on the server where I am trying to authenticate from using pam_radius, the password is correctly decoded and shows up correctly in the trace 4.

So, my question is: has someone else encountered this problem?

Regards.
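For reference alongside the trace above, this added example (not part of the original post, and not Radiator or pam_radius code) implements the User-Password hiding from RFC 2865 section 5.2, which is the operation a password-decoding routine has to reverse. The function names and sample values are constructed; it shows that the decoded bytes come out printable only when both sides use the same shared secret and the same 16-byte Request Authenticator.

```python
import hashlib

def _xor_block(block: bytes, secret: bytes, prev: bytes) -> bytes:
    # Keystream block = MD5(shared secret + Request Authenticator or previous ciphertext)
    key = hashlib.md5(secret + prev).digest()
    return bytes(x ^ k for x, k in zip(block, key))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side (NAS or PAM module): build the User-Password attribute value."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("authenticator must be 16 bytes, password at most 128")
    # Pad with NULs to a multiple of 16; an empty password becomes one NUL block.
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor_block(padded[i:i + 16], secret, prev)  # chain on ciphertext
        hidden += prev
    return hidden

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: reverse the hiding with the same secret and authenticator."""
    if len(authenticator) != 16 or len(hidden) % 16 or not 16 <= len(hidden) <= 128:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        clear += _xor_block(hidden[i:i + 16], secret, prev)
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def is_printable(pw: bytes) -> bool:
    return bool(pw) and all(0x20 <= b <= 0x7E for b in pw)

# Constructed sample values, not taken from the trace above.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PASSWORD = b"correct horse battery"  # 21 bytes, so two 16-byte blocks

def demo() -> dict:
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    return {
        "same inputs": recover_password(hidden, SECRET, AUTHENTICATOR),
        "wrong secret": recover_password(hidden, b"other-secret", AUTHENTICATOR),
        "wrong authenticator": recover_password(hidden, SECRET, bytes(16)),
    }

if __name__ == "__main__":
    for case, pw in demo().items():
        print(f"{case:20} printable={is_printable(pw)} {pw!r}")
```

Because each block after the first is chained on the previous ciphertext block, a mismatched authenticator corrupts only the first 16 bytes, while a mismatched secret corrupts every block.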