PAM authentication thread crash when using built module to disable IPV6 #83

Open
repl-mike-roest opened this issue Nov 20, 2023 · 0 comments


repl-mike-roest commented Nov 20, 2023

We've been using pam_radius for a long time on Ubuntu 18.04 with no problems. Due to 18.04 being EOL, we're working on upgrading to 22.04. 22.04 includes pam_radius 2.0.0. Due to CIS benchmarks we have IPv6 disabled on our machines, and so originally we hit the issue described here:
FreeRADIUS/freeradius-server#4397

Using the suggestion from @alandekok in FreeRADIUS/freeradius-server#4397 (comment) I pulled down the current master of pam_radius 77da6f5 and built the Debian package locally. Now we're getting past the IPv6 issue, but now I'm hitting the following error (this happens on a machine with IPv6 enabled or disabled):

Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: 2.0.1 (git #77da6f50), built on Nov  2 2021 at 14:37:12
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=0 localifdown=no client_id='' accounting_bug=no ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: Got user name: 'mike.roest'
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 20 18:31:53 ip-10-30-56-22 sshd[7618]: fatal: PAM: authentication thread exited unexpectedly

On the same machine with IPv6 enabled, if I use the Ubuntu-included 2.0.0, the authentication works as expected:

Nov 20 18:41:41 ip-10-30-56-22 sshd[8025]: pam_radius_auth: unrecognized option 'ipv6=no'
Nov 20 18:41:41 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Got user name mike.roest
Nov 20 18:41:41 ip-10-30-56-22 sshd[8025]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 20 18:41:45 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Sending RADIUS request code 1
Nov 20 18:41:45 ip-10-30-56-22 sshd[8025]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:41:45 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Got RADIUS response code 11
Nov 20 18:41:46 ip-10-30-56-22 sshd[8025]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:41:46 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Got response to challenge code 11
Nov 20 18:41:49 ip-10-30-56-22 sshd[8025]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:41:49 ip-10-30-56-22 sshd[8025]: pam_radius_auth: Got response to challenge code 2
Nov 20 18:41:49 ip-10-30-56-22 sshd[8025]: pam_radius_auth: authentication succeeded
Nov 20 18:41:49 ip-10-30-56-22 sshd[8023]: Accepted keyboard-interactive/pam for mike.roest from 10.190.77.16 port 61022 ssh2
Nov 20 18:41:49 ip-10-30-56-22 sshd[8023]: pam_unix(sshd:session): session opened for user mike.roest(uid=1015) by (uid=0)

Next I've checked out the commit 8d37353 where the support was originally added, and again I can successfully authenticate:

Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: 2.0.1 (git #8d373539), built on Nov  2 2021 at 14:37:12
Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: DEBUG: conf='/etc/pam_radius_auth.conf' use_first_pass=no try_first_pass=no skip_passwd=no retry=0 localifdown=no client_id='' accounting_bug=no ruser=no prompt='Password: ' force_prompt=no prompt_attribute=no max_challenge=0 privilege_level=no
Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got user name: 'mike.roest'
Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 20 18:45:46 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
Nov 20 18:45:46 ip-10-30-56-22 sshd[9778]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:45:46 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got RADIUS response code 11 (Access-Challenge)
Nov 20 18:45:48 ip-10-30-56-22 sshd[9778]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:45:48 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got response to challenge code 11
Nov 20 18:45:51 ip-10-30-56-22 sshd[9778]: pam_radius_auth: DEBUG: get_ipaddr(10.30.0.237) returned 0.
Nov 20 18:45:51 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Got response to challenge code 2
Nov 20 18:45:51 ip-10-30-56-22 sshd[9778]: pam_radius_auth: authentication succeeded
Nov 20 18:45:51 ip-10-30-56-22 sshd[9776]: Accepted keyboard-interactive/pam for mike.roest from 10.190.77.16 port 61202 ssh2
Nov 20 18:45:51 ip-10-30-56-22 sshd[9776]: pam_unix(sshd:session): session opened for user mike.roest(uid=1015) by (uid=0)

So it seems like somewhere between 8d37353 and 77da6f5 there was a crasher introduced. I'm going to move forward using the module built from 8d37353 but I thought I would report the issue.
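An added example, not part of the original report and not pam_radius code: a small log triage that groups pam_radius_auth sessions by the git hash in the module's version banner and flags sshd's "authentication thread exited unexpectedly" line, run over log lines copied from the report above. The function name `triage` and the matching rule (the fatal line is attributed to the most recent unfinished module session on the same host) are assumptions.

```python
import re
from collections import Counter

SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")
BANNER = re.compile(r"^pam_radius_auth: (\S+) \(git #([0-9a-f]+)\)")
MODULE = "pam_radius_auth: "
FATAL = "fatal: PAM: authentication thread exited unexpectedly"

# Log lines copied from the report above (a subset; DEBUG lines left out).
SAMPLE = """\
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: 2.0.1 (git #77da6f50), built on Nov  2 2021 at 14:37:12
Nov 20 18:31:53 ip-10-30-56-22 sshd[7620]: pam_radius_auth: ignore last_pass, force_prompt set
Nov 20 18:31:53 ip-10-30-56-22 sshd[7618]: fatal: PAM: authentication thread exited unexpectedly
Nov 20 18:45:42 ip-10-30-56-22 sshd[9778]: pam_radius_auth: 2.0.1 (git #8d373539), built on Nov  2 2021 at 14:37:12
Nov 20 18:45:46 ip-10-30-56-22 sshd[9778]: pam_radius_auth: Sending RADIUS request code 1 (Access-Request)
Nov 20 18:45:51 ip-10-30-56-22 sshd[9778]: pam_radius_auth: authentication succeeded
""".splitlines()

def triage(lines):
    """Return (Counter of (build, outcome), list of crash records)."""
    sessions, live, latest, crashes = [], {}, {}, []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue
        when, host, pid, msg = m.groups()
        if msg.startswith(MODULE):
            s = live.get((host, pid))
            if s is None or s["outcome"] != "incomplete":  # new login or reused PID
                s = {"build": "unknown", "last": None,
                     "request_sent": False, "outcome": "incomplete"}
                live[(host, pid)] = s
                sessions.append(s)
            text = msg[len(MODULE):]
            banner = BANNER.match(msg)
            if banner:
                s["build"] = banner.group(2)  # builds with no banner stay "unknown"
            elif text.startswith("Sending RADIUS request"):
                s["request_sent"] = True
            elif text == "authentication succeeded":
                s["outcome"] = "succeeded"
            s["last"] = text
            latest[host] = s
        elif msg == FATAL and latest.get(host, {}).get("outcome") == "incomplete":
            # Assumption: parent sshd's fatal line belongs to the latest open session.
            s = latest[host]
            s["outcome"] = "crashed"
            crashes.append({"time": when, "host": host, **s})
    return Counter((s["build"], s["outcome"]) for s in sessions), crashes
```

Each crash record carries the build hash, the last module message logged, and whether an Access-Request had been sent before the thread exited.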
