Re: OpenSSH and pam_radius_auth.so
- From: "Dave Isaacs" <dave.isaacs@xxxxxxxxx>
- Date: 11 Jan 2007 19:49:48 -0800
Comments in-line below:
Per Hedeland wrote:
In article <1168545415.674920.181610@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> "DaveWell, this is the version that came with RH EL3. We are upgrading to
Isaacs" <dave.isaacs@xxxxxxxxx> writes:
I am running RedHat EL3 with OpenSSH OpenSSH_3.6.1p2.
That is a pretty ancient version, but it might work...
EL4 soon, maybe I should wait. Or maybe I should compile my own,
By looking at the logs on my RADIUS server, I can see that the password
is being successfully authenticated, and then a second-factor challenge
is being sent. It appears as if sshd is (1) not displaying the second
factor authentication to the user, and (2) responding to the challenge
with some other piece of information. This of course fails, and the
RADIUS server tries again 2 more times before giving up.
Right, see my post the other day about the difference between password
and keyboard-interactive authentication, and how sshd tries to map the
non-interactiveness of password to the interactiveness of PAM.
Um, I can't find any post about this from "the other day." Could you be
more specific please (such as a subject line)?
It made no difference *at all*.
This made no difference.
If it made no difference *at all*, i.e. the log still says "Failed
password", the most likely problem is that your SSH *client* isn't
*attempting* keyboard-interactive authentication. The server can't force
it to... The format of the prompt above is another hint in that
$ ssh -o PreferredAuthentications=password somehostI will try these variations out tomorrow and report the results.
$ ssh -o PreferredAuthentications=keyboard-interactive somehost
Thanks for the info