Google Authenticator FreeRADIUS
Discussion in 'Websites & Blogs' started by Justin Whelan, Jun 9, 2017.
Justin Whelan (Guest)
I'm trying to implement the Google Authenticator PAM module in FreeRADIUS on RHEL7.
I've loosely followed this guide: http://www.supertechguy.com/help/security/freeradius-google-auth
The reason I say loosely is that things appear to have changed with the Google module recently, so I have built it by performing:
sudo yum -y install freeradius freeradius-utils git gcc pam-devel qrencode qrencode-libs qrencode-devel git autoconf automake libtool freeradius-mysql
git clone https://github.com/google/google-authenticator-libpam
cd google-authenticator-libpam
sudo ./bootstrap.sh
./configure
make
sudo make install
This all worked OK. I then configured the configuration files using the guide. My /etc/pam.d/radiusd file looks like this:
#%PAM-1.0
#auth include password-auth
#account required pam_nologin.so
#account include password-auth
#password include password-auth
#session include password-auth
auth requisite pam_google_authenticator.so forward_pass
#auth required pam_unix.so use_first_pass
account required pam_permit.so
session required pam_permit.so
Everything runs OK, but when I attempt to test it I get rejected every time. I ran radiusd -X and get the following output when attempting to connect:
Received Access-Request Id 168 from 127.0.0.1:48534 to 127.0.0.1:1812 length 77
User-Name = 'username'
User-Password = 'Password'
NAS-IP-Address = 10.133.16.125
NAS-Port = 18120
Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
(0) Received Access-Request packet from host 127.0.0.1 port 48534, id=168, length=77
(0) User-Name = 'username'
(0) User-Password = 'Password'
(0) NAS-IP-Address = 10.133.16.125
(0) NAS-Port = 18120
(0) Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "username", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files : users: Matched entry DEFAULT at line 187
(0) [files] = ok
rlm_sql (sql): Reserved connection (4)
(0) sql : User not found in any groups
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Closing connection (0), from 1 unused connections
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = PAM
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown
(0) [pam] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) [sql] = noop
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> username
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 48534, id=168, length=0
Sending Access-Reject Id 168 from 127.0.0.1:1812 to 127.0.0.1:48534
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 168 with timestamp +540
Ready to process requests
(Sorry about the long output.) The lines that confuse me are:
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown
If I search for the file, I get:
[ ~]$ sudo find / -name "pam_google_authenticator.so"
/usr/local/lib/security/pam_google_authenticator.so
/home//google-authenticator-libpam/.libs/pam_google_authenticator.so
[ ~]$
I believe /usr/local/lib/security is the right place, but I can't comment 100% on that one.
Does anyone have any ideas or advice on where I can look next, or whether I am missing something obvious?
Thanks.
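The "Module is unknown" reason in the log is libpam's PAM_MODULE_UNKNOWN, returned when a module named in the service file cannot be loaded from the module directory. The diagnostic below is an added example, not from the original post: it lists every module a pam.d service file references and reports which ones are absent from the PAM module directory. It assumes that bare module names resolve in the directory holding pam_unix.so (on RHEL7 x86_64 that is /lib64/security), which is what a module built into /usr/local/lib/security would fail.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): for a /etc/pam.d service file,
# report every referenced module that libpam would fail to load.
# Assumption: bare module names resolve in the directory holding pam_unix.so
# (on RHEL7 x86_64 that is /lib64/security); absolute paths are used as given.

# pam_moddir [DIR]: print the PAM module directory, DIR if given, else autodetect.
pam_moddir() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
    for d in /lib64/security /usr/lib64/security /lib/security /usr/lib/security; do
        if [ -e "$d/pam_unix.so" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# pam_modules FILE: print the module named on each active line of FILE,
# skipping comments, blank lines, include/substack lines; handles the
# bracketed control form "[success=1 default=ignore]".
pam_modules() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $2 == "include" || $2 == "substack" { next }
        { i = 2
          if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
          if (i < NF) print $(i + 1) }
    ' "$1"
}

# check_pam_service FILE MODDIR: print "ok"/"MISSING" per module reference;
# return 1 if any module would not be found by libpam.
check_pam_service() {
    rc=0
    for m in $(pam_modules "$1"); do
        case $m in /*) path=$m ;; *) path=$2/$m ;; esac
        if [ -e "$path" ]; then
            echo "ok      $m ($path)"
        else
            echo "MISSING $m (looked in $path)"
            rc=1
        fi
    done
    return $rc
}

# Usage on the poster's host:  check_pam_service /etc/pam.d/radiusd "$(pam_moddir)"
```

A MISSING line for pam_google_authenticator.so means the module must be installed into (or symlinked from) the reported directory, or referenced by absolute path in /etc/pam.d/radiusd.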