Re: OpenSSH and pam_radius_auth.so



Comments in-line below:

Per Hedeland wrote:
In article <1168545415.674920.181610@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> "Dave
Isaacs" <dave.isaacs@xxxxxxxxx> writes:
I am running RedHat EL3 with OpenSSH OpenSSH_3.6.1p2.

That is a pretty ancient version, but it might work...

Well, this is the version that came with RH EL3. We are upgrading to
EL4 soon, maybe I should wait. Or maybe I should compile my own,
upgraded, version.

By looking at the logs on my RADIUS server, I can see that the password
is being successfully authenticated, and then a second-factor challenge
is being sent. It appears as if sshd is (1) not displaying the second
factor authentication to the user, and (2) responding to the challenge
with some other piece of information. This of course fails, and the
RADIUS server tries again 2 more times before giving up.

Right, see my post the other day about the difference between password
and keyboard-interactive authentication, and how sshd tries to map the
non-interactiveness of password to the interactiveness of PAM.


Um, I can't find any post about this from "the other day." Could you be
more specific please (such as a subject line)?


This made no difference.

If it made no difference *at all*, i.e. the log still says "Failed
password", the most likely problem is that your SSH *client* isn't
*attempting* keyboard-interactive authentication. The server can't force
it to... The format of the prompt above is another hint in that
direction:

It made no difference *at all*.

$ ssh -o PreferredAuthentications=password somehost
per@somehost's password:

$ ssh -o PreferredAuthentications=keyboard-interactive somehost
Password:

I will try these variations out tomorrow and report the results.

Thanks for the info

Dave I

.



Relevant Pages

  • Re: Rsync problem - still unsolved
    ... not an ssh problem rather than an rsync problem. ... debug: client supports 1 auth methods: 'keyboard-interactive' ... Using keyboard-interactive authentication. ...
    (comp.security.ssh)
  • Re: OpenSSH and pam_radius_auth.so
    ... In article "Dave ... and keyboard-interactive authentication, and how sshd tries to map the ... --Per Hedeland ...
    (comp.security.ssh)
  • Re: SSH doesnt accept password
    ... AF> doesn't connect to my server running ssh 2.9 on FreeBSD. ... AF> other clients running e.g. ssh 2.5. ... Looks as if that client is using keyboard-interactive authentication, ...
    (comp.security.ssh)