OpenSSH and pam_radius_auth.so



I am running RedHat EL3 with OpenSSH OpenSSH_3.6.1p2.

I have configured the /etc/pam.d/sshd file as follows

#%PAM-1.0
auth required pam_radius_auth.so debug
account required pam_radius_auth.so
session required pam_radius_auth.so

What I am *expecting* is to be prompted for a password, and then
prompted for some second-factor authentication information, and then
logged in (assuming all authentication information is valid). I used
the same pam configuration for /etc/pam.d/sudo, and it worked exactly
as expected.

But for OpenSSH, this is not what is happening. When I try to ssh into
the computer, I get

# ssh tucker@xxxxxxxxxxx
tucker@xxxxxxxxxxx's password:
Permission denied, please try again.
tucker@xxxxxxxxxxx's password:

If I look at the /var/log/security file, I find

Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got user name tucker
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Sending RADIUS request code 1
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 3911708.
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got RADIUS response code 11
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got response to challenge code 11
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got response to challenge code 11
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got response to challenge code 3
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: authentication failed
Jan 10 11:30:36 dpiems sshd[23804]: Failed password for tucker from 10.4.148.25 port 35617 ssh

By looking at the logs on my RADIUS server, I can see that the password
is being successfully authenticated, and then a second-factor challenge
is being sent. It appears as if sshd is (1) not displaying the second
factor authentication to the user, and (2) responding to the challenge
with some other piece of information. This of course fails, and the
RADIUS server tries again 2 more times before giving up.

I then discovered the PAMAuthenticationViaKbdInt entry in the
sshd_config file, and set it to yes (it was commented out previously)
and restarted the sshd service. This made no difference. I have pasted
the content of the sshd_config file below, just in case this is useful
information.

# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
PAMAuthenticationViaKbdInt yes

#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
Banner /etc/ssh/sshd_banner
#VerifyReverseMapping no
#ShowPatchLevel no
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
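To help spot the failure pattern described in this post across an sshd log, here is an added example (not code from the post or from pam_radius_auth) that groups the pam_radius_auth debug lines by sshd pid and flags sessions where a RADIUS Access-Challenge (code 11) was followed by an Access-Reject (code 3) with no Access-Accept (code 2). The sample log is constructed from the lines quoted above, re-joined onto single lines, plus a hypothetical successful session; the second pid and user name are assumptions.

```python
import re
from collections import defaultdict

# RADIUS packet codes (RFC 2865) as pam_radius_auth prints them in its debug lines.
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
LINE_RE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_radius_auth: (?P<msg>.*)$")
USER_RE = re.compile(r"Got user name (\S+)")
RESP_RE = re.compile(r"Got (?:RADIUS response|response to challenge) code (\d+)")

# Constructed sample: the post's session (pid 23804) plus a hypothetical
# second session (pid 23900) where the challenge was answered and accepted.
SAMPLE_LOG = """\
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got user name tucker
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got RADIUS response code 11
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got response to challenge code 11
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got response to challenge code 11
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: Got response to challenge code 3
Jan 10 11:30:36 dpiems sshd[23804]: pam_radius_auth: authentication failed
Jan 10 11:31:02 dpiems sshd[23900]: pam_radius_auth: Got user name alice
Jan 10 11:31:02 dpiems sshd[23900]: pam_radius_auth: Got RADIUS response code 11
Jan 10 11:31:09 dpiems sshd[23900]: pam_radius_auth: Got response to challenge code 2
""".splitlines()

def analyze(lines):
    """Group pam_radius_auth lines by sshd pid and summarise each session's RADIUS exchange."""
    sessions = defaultdict(lambda: {"user": None, "responses": [], "failed": False})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        s, msg = sessions[int(m.group("pid"))], m.group("msg")
        if USER_RE.search(msg):
            s["user"] = USER_RE.search(msg).group(1)
        elif RESP_RE.search(msg):
            s["responses"].append(int(RESP_RE.search(msg).group(1)))
        elif msg.startswith("authentication failed"):
            s["failed"] = True
    out = {}
    for pid, s in sessions.items():
        challenges = s["responses"].count(11)
        if 2 in s["responses"]:
            verdict = "accepted"
        elif challenges and s["failed"]:
            # Challenge issued, then reject: the post's pattern, where sshd answered the challenge instead of the user.
            verdict = "challenged-then-rejected"
        else:
            verdict = "rejected" if s["failed"] else "incomplete"
        out[pid] = {"user": s["user"], "challenges": challenges, "verdict": verdict,
                    "responses": [RADIUS_CODES.get(c, str(c)) for c in s["responses"]]}
    return out
```

Run against a real log with `analyze(open("/var/log/secure").read().splitlines())` (path assumed) to list every session that was challenged but never accepted.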



