Google Authenticator FreeRADIUS
Discussion in 'Websites & Blogs' started by Justin Whelan, Jun 9, 2017.

Justin Whelan:
I'm trying to implement the Google Authenticator PAM module in FreeRADIUS on RHEL7.

I've loosely followed this guide: http://www.supertechguy.com/help/security/freeradius-google-auth

The reason I say loosely is that things appear to have changed with the Google module recently, so I have built it by performing:

sudo yum -y install freeradius freeradius-utils git gcc pam-devel qrencode qrencode-libs qrencode-devel git autoconf automake libtool freeradius-mysql
git clone https://github.com/google/google-authenticator-libpam
cd google-authenticator-libpam
sudo ./bootstrap.sh
./configure
make
sudo make install

This all worked OK. I've then configured the configuration files using the guide. My /etc/pam.d/radiusd file looks like this:

#%PAM-1.0
#auth include password-auth
#account required pam_nologin.so
#account include password-auth
#password include password-auth
#session include password-auth
auth requisite pam_google_authenticator.so forward_pass
#auth required pam_unix.so use_first_pass
account required pam_permit.so
session required pam_permit.so

Everything runs OK, but when I attempt to test it I get rejected every time. I've run radiusd -X and get the following output when attempting to connect:

Received Access-Request Id 168 from 127.0.0.1:48534 to 127.0.0.1:1812 length 77
User-Name = 'username'
User-Password = 'Password'
NAS-IP-Address = 10.133.16.125
NAS-Port = 18120
Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
(0) Received Access-Request packet from host 127.0.0.1 port 48534, id=168, length=77
(0) User-Name = 'username'
(0) User-Password = 'Password'
(0) NAS-IP-Address = 10.133.16.125
(0) NAS-Port = 18120
(0) Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "username", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files : users: Matched entry DEFAULT at line 187
(0) [files] = ok
rlm_sql (sql): Reserved connection (4)
(0) sql : User not found in any groups
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Closing connection (0), from 1 unused connections
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = PAM
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown
(0) [pam] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) [sql] = noop
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> username
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 48534, id=168, length=0
Sending Access-Reject Id 168 from 127.0.0.1:1812 to 127.0.0.1:48534
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 168 with timestamp +540
Ready to process requests

(Sorry about the long output.) The lines that confuse me are:

pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown

If I search for the file I get returned:

[ ~]$ sudo find / -name "pam_google_authenticator.so"
/usr/local/lib/security/pam_google_authenticator.so
/home//google-authenticator-libpam/.libs/pam_google_authenticator.so
[ ~]$

and I believe /usr/local/lib/security is the right place, but I can't comment 100% on that one.

Anyone have any ideas or advice on where I can look next, or if I am missing something obvious?

Thanks.
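A check worth running against the post above, added here as an example and not part of the original thread: "Module is unknown" is the text of Linux-PAM's PAM_MODULE_UNKNOWN result, which pam_authenticate returns when a module listed in the service file cannot be loaded. A bare name such as pam_google_authenticator.so is searched only in PAM's compiled-in module directory (normally /lib64/security on RHEL 7 x86_64), while an absolute path is used exactly as written. The script below resolves every module reference in a PAM service file the same way and reports which ones would fail to load. The module directory is a parameter, and the on-disk fixture it builds (a temp dir standing in for /lib64/security and /usr/local/lib/security, plus the poster's radiusd stack) is constructed for the demonstration; the real paths are assumptions about the reader's host.

```shell
#!/bin/sh
# Added example, not from the original post: report which modules named in a
# PAM service file are loadable from PAM's default module directory.
# Assumption: PAM resolves a bare "pam_foo.so" only inside the module
# directory given as $1 and uses an absolute path as written.

# Resolve one module reference the way PAM does. Prints the path on success,
# returns 1 when no such file exists.
pam_resolve_module() {
    moddir=$1
    mod=$2
    case "$mod" in
        /*) path=$mod ;;
        *)  path="$moddir/$mod" ;;
    esac
    [ -f "$path" ] || return 1
    printf '%s\n' "$path"
}

# Walk a PAM service file (comments and blank lines skipped) and print one
# status line per entry: OK <path>, MISSING <module>, or INCLUDE <service>
# for include/substack lines, which name another service file, not a module.
pam_check_service_file() {
    moddir=$1
    file=$2
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" |
    while read -r _type control module _args; do
        case "$control" in
            include|substack)
                printf 'INCLUDE %s\n' "$module" ;;
            *)
                if path=$(pam_resolve_module "$moddir" "$module"); then
                    printf 'OK      %s\n' "$path"
                else
                    printf 'MISSING %s (not found in %s)\n' "$module" "$moddir"
                fi ;;
        esac
    done
}

# Number of MISSING entries; 0 means PAM can load every module in the stack.
pam_count_missing() {
    pam_check_service_file "$1" "$2" | awk '/^MISSING/ { n++ } END { print n + 0 }'
}

# Constructed fixture under a temp dir (hypothetical paths, not a real system):
# a fake default module directory that lacks the Google module, a fake
# /usr/local/lib/security that has it, and two versions of the radiusd stack.
pam_make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/lib64/security" "$root/usr/local/lib/security"
    : > "$root/lib64/security/pam_permit.so"
    : > "$root/usr/local/lib/security/pam_google_authenticator.so"
    # bare module name, as in the post
    cat > "$root/radiusd" <<'EOF'
#%PAM-1.0
auth requisite pam_google_authenticator.so forward_pass
#auth required pam_unix.so use_first_pass
account required pam_permit.so
session required pam_permit.so
EOF
    # same stack, module referenced by its absolute path
    cat > "$root/radiusd.abs" <<EOF
#%PAM-1.0
auth requisite $root/usr/local/lib/security/pam_google_authenticator.so forward_pass
account required pam_permit.so
session required pam_permit.so
EOF
    printf '%s\n' "$root"
}

pam_demo() {
    root=$(pam_make_fixture)
    echo "== bare module name =="
    pam_check_service_file "$root/lib64/security" "$root/radiusd"
    echo "== absolute path =="
    pam_check_service_file "$root/lib64/security" "$root/radiusd.abs"
    rm -rf "$root"
}

pam_demo
```

On a real host, call pam_check_service_file with the actual module directory and /etc/pam.d/radiusd, e.g. `pam_check_service_file /lib64/security /etc/pam.d/radiusd`; a MISSING line for pam_google_authenticator.so is the condition that produces "Module is unknown" in the radiusd -X output, and it is cleared either by referencing the module by absolute path or by placing it in the directory PAM actually searches.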