I still can't log in using SSH by OTP and own password

I am running the privacyIDEA server and the FreeRADIUS server on Ubuntu 14.04, installed from deb packages.
Right now I use FreeRADIUS for my SSH user password authentication, and it works.
But when I use it together with the privacyIDEA server there are some problems: when I open a new Xshell session and try to log in as a user from /etc/passwd without entering a password, radius -X shows me this more than two times.

rad_recv: Access-Request packet from host 127.0.0.1 port 23695, id=41, length=88
	User-Name = "zore"
	User-Password = "M\333\366\371^/\251z*\020¹X\306O\""
	NAS-IP-Address = 127.0.1.1
	NAS-Identifier = "sshd"
	NAS-Port = 22670
	NAS-Port-Type = Virtual
	Service-Type = Authenticate-Only
	Calling-Station-Id = "192.168.90.1"
# Executing section authorize from file /etc/freeradius/sites-enabled/privacyidea
+- entering group authorize {...}
++[preprocess] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "zore", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "zore", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = Perl
# Executing group from file /etc/freeradius/sites-enabled/privacyidea
+- entering group Perl {...}
rlm_perl: Config File /etc/privacyidea/rlm_perl.ini found!
rlm_perl: Debugging config: 
rlm_perl: Default URL https://localhost/validate/check 
rlm_perl: Looking for config for auth-type Perl
rlm_perl: Auth-Type: Perl
rlm_perl: url: https://localhost/validate/check
rlm_perl: user sent to privacyidea: zore
rlm_perl: realm sent to privacyidea: 
rlm_perl: resolver sent to privacyidea: 
rlm_perl: client sent to privacyidea: 127.0.1.1
rlm_perl: state sent to privacyidea: 
rlm_perl: urlparam pass  
rlm_perl: urlparam user  
rlm_perl: urlparam client  
rlm_perl: Not verifying SSL certificate!
rlm_perl: privacyIDEA request failed: 500 INTERNAL SERVER ERROR
rlm_perl: privacyIDEA Result status is false!
rlm_perl: privacyIDEA access denied
rlm_perl: return RLM_MODULE_REJECT
rlm_perl: Added pair User-Password = M\333\366\371^/\251z*\020¹X\306O\"
rlm_perl: Added pair NAS-Port-Type = Virtual
rlm_perl: Added pair NAS-Port = 22670
rlm_perl: Added pair NAS-Identifier = sshd
rlm_perl: Added pair NAS-IP-Address = 127.0.1.1
rlm_perl: Added pair Service-Type = Authenticate-Only
rlm_perl: Added pair Calling-Station-Id = 192.168.90.1
rlm_perl: Added pair User-Name = zore
rlm_perl: Added pair Reply-Message = 'ascii' codec can't encode character u'\xb9' in position 25: ordinal not in range(128)
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns reject
Failed to authenticate the user.
Delaying reject of request 154 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
Sending delayed reject for request 154
Sending Access-Reject of id 41 to 127.0.0.1 port 23695
	Reply-Message = "'ascii' codec can't encode character u'\\xb9' in position 25: ordinal not in range(128)"
Waking up in 4.9 seconds.

Here is the log from auth.log:

Jun 10 19:30:56 ubuntu sshd[22673]: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
Jun 10 19:30:56 ubuntu sshd[22673]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Jun 10 19:30:56 ubuntu sshd[22673]: PAM adding faulty module: pam_winbind.so
Jun 10 19:30:56 ubuntu sshd[22673]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 515816512.
Jun 10 19:30:57 ubuntu sshd[22673]: pam_radius_auth: packet from RADIUS server 127.0.0.1 fails verification: The shared secret is probably incorrect.
Jun 10 19:30:57 ubuntu sshd[22673]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 515816512.
Jun 10 19:30:58 ubuntu sshd[22673]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
Jun 10 19:30:58 ubuntu sshd[22673]: pam_radius_auth: DEBUG: get_ipaddr(other-server) returned 0.
Jun 10 19:30:58 ubuntu sshd[22673]: pam_radius_auth: Failed looking up IP address for RADIUS server other-server (errcode=9)
Jun 10 19:30:58 ubuntu sshd[22673]: pam_radius_auth: All RADIUS servers failed to respond.
Jun 10 19:30:58 ubuntu sshd[22673]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 515816512.
Jun 10 19:30:59 ubuntu sshd[22673]: pam_radius_auth: RADIUS server 127.0.0.1 failed to respond
Jun 10 19:30:59 ubuntu sshd[22673]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 515816512.
Jun 10 19:30:59 ubuntu sshd[22673]: pam_radius_auth: packet from RADIUS server 127.0.0.1 fails verification: The shared secret is probably incorrect.
Jun 10 19:31:00 ubuntu sshd[22673]: pam_radius_auth: DEBUG: get_ipaddr(other-server) returned 0.
Jun 10 19:31:00 ubuntu sshd[22673]: pam_radius_auth: Failed looking up IP address for RADIUS server other-server (errcode=9)
Jun 10 19:31:00 ubuntu sshd[22673]: pam_radius_auth: All RADIUS servers failed to respond.
Jun 10 19:31:00 ubuntu sshd[22673]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.90.1  user=zore
Jun 10 19:31:04 ubuntu sshd[22673]: error: Received disconnect from 192.168.90.1: 0:  [preauth]

And when I enter the PIN+OTP, it may take more than five tries to succeed in logging in, and I find I can't use the password from /etc/passwd to log in.
My config files look like this:

The /etc/pam_radius.conf:

127.0.0.1	testing123         1

The /etc/pam.d/sshd:

auth     sufficient   /lib/security/pam_radius_auth.so
auth include password-auth
@include otp-auth
#...... more default

The /etc/pam.d/otp-auth:

auth    [success=3 default=ignore]      pam_radius_auth.so
auth    [success=2 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    [success=1 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional        pam_ecryptfs.so unwrap
auth    optional                        pam_cap.so

I have searched the wiki and Google for more, but nothing helped.
So can you give me some help?

With kind regards
Zore

I am not sure what you want to achieve and how you want to log in.

The error obviously occurs in privacyIDEA. At least it returns an Error 500, as you can see in the debug output of radius -X. So you should take a look at privacyIDEA!

Take a look at

  1. The audit log in the web ui.
  2. The logfile privacyidea.log.
  3. If you need to, increase the log level to INFO or DEBUG!

But it seems the error occurs due to some character that can not be decoded. In your password? Or in the username?

Kind regards
Cornelius

First, I want to authenticate with either the OTP or with the old local password.

And this is the log from /var/log/privacyidea/privacyidea.log:

[2017-06-12 09:17:05,190][1488][140145432008448][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2017-06-12 09:17:05,191][1488][140145432008448][INFO][privacyidea.lib.user:230] user u'zore' found in resolver u'deflocal'
[2017-06-12 09:17:05,192][1488][140145432008448][INFO][privacyidea.lib.user:231] userid resolved to '1001' 
[2017-06-12 09:17:05,202][1488][140145432008448][ERROR][privacyidea.lib.utils:468] Error parsing the OverrideAuthorizationClient setting: {0!s}! The IP addresses need to be comma separated. Fix this. The client IP will not be mapped!
[2017-06-12 09:17:05,203][1488][140145432008448][WARNING][privacyidea.lib.utils:505] Proxy ::1 not allowed to set IP to 127.0.1.1.
[2017-06-12 09:17:06,184][1488][140145423607552][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2017-06-12 09:17:06,185][1488][140145423607552][INFO][privacyidea.lib.user:230] user u'zore' found in resolver u'deflocal'
[2017-06-12 09:17:06,185][1488][140145423607552][INFO][privacyidea.lib.user:231] userid resolved to '1001' 
[2017-06-12 09:17:06,197][1488][140145423607552][ERROR][privacyidea.lib.utils:468] Error parsing the OverrideAuthorizationClient setting: {0!s}! The IP addresses need to be comma separated. Fix this. The client IP will not be mapped!
[2017-06-12 09:17:06,198][1488][140145423607552][WARNING][privacyidea.lib.utils:505] Proxy ::1 not allowed to set IP to 127.0.1.1.
[2017-06-12 09:17:20,758][1488][140145432008448][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2017-06-12 09:17:20,758][1488][140145432008448][INFO][privacyidea.lib.user:230] user u'zore' found in resolver u'deflocal'
[2017-06-12 09:17:20,765][1488][140145432008448][INFO][privacyidea.lib.user:231] userid resolved to '1001' 
[2017-06-12 09:17:20,779][1488][140145432008448][ERROR][privacyidea.lib.utils:468] Error parsing the OverrideAuthorizationClient setting: {0!s}! The IP addresses need to be comma separated. Fix this. The client IP will not be mapped!
[2017-06-12 09:17:20,780][1488][140145432008448][WARNING][privacyidea.lib.utils:505] Proxy ::1 not allowed to set IP to 127.0.1.1.
[2017-06-12 09:17:20,818][1488][140145432008448][ERROR][privacyidea.app:1423] Exception on /validate/check [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 101, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 101, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 101, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 101, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 101, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 101, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 101, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/postpolicy.py", line 101, in policy_wrapper
    response = wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 117, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 117, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 117, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 91, in check_user_or_serial_in_request_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/subscriptions.py", line 278, in check_subscription_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 117, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 60, in event_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/validate.py", line 299, in check
    result, details = check_user_pass(user, password, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 83, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 214, in auth_user_does_not_exist
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 83, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 177, in auth_user_has_no_token
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 83, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 292, in auth_user_timelimit
    res, reply_dict = wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 83, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 378, in auth_lastauth
    res, reply_dict = wrapped_function(user_or_serial, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 83, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 269, in auth_user_passthru
    return wrapped_function(user_object, passw, options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 154, in log_wrapper
    return func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1871, in check_user_pass
    options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 154, in log_wrapper
    return func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 1930, in check_token_list
    tokenobject.authenticate(passw, user, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 44, in token_locked_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokenclass.py", line 441, in authenticate
    pin_match = self.check_pin(pin, user=user, options=options)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 83, in policy_wrapper
    return self.decorator_function(wrapped_function, *args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/policydecorators.py", line 546, in auth_otppin
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/decorators.py", line 44, in token_locked_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokenclass.py", line 402, in check_pin
    res = self.token.check_pin(pin)
  File "/usr/lib/python2.7/dist-packages/privacyidea/models.py", line 380, in check_pin
    mypHash = self.get_hashed_pin(pin)
  File "/usr/lib/python2.7/dist-packages/privacyidea/models.py", line 338, in get_hashed_pin
    self.pin_seed))
UnicodeEncodeError: 'ascii' codec can't encode character u'\u03f8' in position 31: ordinal not in range(128)
[2017-06-12 09:17:21,774][1488][140145423607552][INFO][privacyidea.lib.resolvers.PasswdIdResolver:130] loading users from file /etc/passwd from within '/home/privacyidea'
[2017-06-12 09:17:21,775][1488][140145423607552][INFO][privacyidea.lib.user:230] user u'zore' found in resolver u'deflocal'
[2017-06-12 09:17:21,775][1488][140145423607552][INFO][privacyidea.lib.user:231] userid resolved to '1001' 
[2017-06-12 09:17:21,787][1488][140145423607552][ERROR][privacyidea.lib.utils:468] Error parsing the OverrideAuthorizationClient setting: {0!s}! The IP addresses need to be comma separated. Fix this. The client IP will not be mapped!
[2017-06-12 09:17:21,787][1488][140145423607552][WARNING][privacyidea.lib.utils:505] Proxy ::1 not allowed to set IP to 127.0.1.1.
[2017-06-12 09:17:21,971][1488][140145423607552][INFO][privacyidea.api.lib.postpolicy:430] Can not get unique ID for hostname='localhost' and IP=None. More than one machine found.

And I find now that when I log in with SSH there may be more than three authentication attempts: I authenticate successfully in the second attempt and fail in the last one. It means the token is repeated.
In radius -X:

#...... more default
rlm_perl: Added pair Reply-Message = privacyIDEA access granted
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns ok
  WARNING: Empty post-auth section.  Using default return values.
Sending Access-Accept of id 151 to 127.0.0.1 port 3914
	Reply-Message = "privacyIDEA access granted"
Finished request 25.
#...... more default
rlm_perl: Added pair Reply-Message = wrong otp value. previous otp used again
rlm_perl: Added pair Auth-Type = Perl
++[perl] returns reject
Failed to authenticate the user.
Delaying reject of request 27 for 1 seconds
Going to the next request
Waking up in 0.7 seconds.

And I can't test the RADIUS user in the privacyIDEA web GUI; it looks like this:

[2017-06-12 10:09:11,069][1488][140145415206656][ERROR][privacyidea.app:1423] Exception on /radiusserver/test_request [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/auth.py", line 313, in decorated_function
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 117, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 154, in log_wrapper
    return func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/radiusserver.py", line 145, in test
    r = RADIUSServer.request(s, user, password)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/radiusserver.py", line 101, in request
    response = srv.SendPacket(req)
  File "/usr/lib/python2.7/dist-packages/pyrad/client.py", line 159, in SendPacket
    return self._SendPacket(pkt, self.authport)
  File "/usr/lib/python2.7/dist-packages/pyrad/client.py", line 147, in _SendPacket
    raise Timeout
Timeout

Can you give me any good ideas? I followed this: https://www.privacyidea.org/documentation/howtos/manage-two-factor-authentication-in-your-serverfarm-easily/

Kind regards
Zore

There is a UTF-8 error in conjunction with your username. This is why the server returns a 500 and the authentication fails.
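
As an added example (not code from this thread or from privacyIDEA), this decodes the escaped User-Password from the radius -X output above and shows why the ascii codec in the traceback chokes on it: the bytes are neither ASCII nor valid UTF-8. The seeded PIN-hash stand-in and the seed value are assumptions for illustration, not privacyIDEA's implementation.

```python
import hashlib
import re

# Constructed from the User-Password line in the radius -X output quoted
# earlier in this thread (FreeRADIUS debug escaping: octal for non-printables).
ESCAPED_PASSWORD = r'M\333\366\371^/\251z*\020¹X\306O\"'

_ESC = re.compile(r'\\([0-7]{3}|.)')


def unescape_freeradius(s: str) -> bytes:
    """Turn a FreeRADIUS debug-escaped string back into raw bytes.

    \\ooo is one byte given in octal; \\", \\\\, \\n, \\r, \\t are the usual
    escapes; everything else was printed as-is and is therefore UTF-8 text.
    """
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(s):
        out += s[pos:m.start()].encode('utf-8')
        esc = m.group(1)
        if len(esc) == 3:
            out.append(int(esc, 8))
        else:
            out += {'n': b'\n', 'r': b'\r', 't': b'\t'}.get(esc, esc.encode('utf-8'))
        pos = m.end()
    out += s[pos:].encode('utf-8')
    return bytes(out)


def classify(raw: bytes) -> dict:
    """Report whether the bytes are pure ASCII and/or valid UTF-8, and give
    a text form (UTF-8 if valid, otherwise lossless Latin-1) for hashing."""
    try:
        text, utf8_ok = raw.decode('utf-8'), True
    except UnicodeDecodeError:
        text, utf8_ok = raw.decode('latin-1'), False
    return {'ascii': raw.isascii(), 'utf8': utf8_ok, 'text': text}


def hash_pin(pin: str, seed: str, encoding: str = 'utf-8') -> str:
    """Hypothetical stand-in for a seeded PIN hash (not privacyIDEA's code).

    The text must be encoded explicitly before hashing. encoding='ascii'
    reproduces the traceback's UnicodeEncodeError for any non-ASCII input;
    'utf-8' accepts every code point.
    """
    return hashlib.sha256(pin.encode(encoding) + seed.encode(encoding)).hexdigest()


def main() -> None:
    raw = unescape_freeradius(ESCAPED_PASSWORD)
    info = classify(raw)
    print('raw bytes :', raw.hex())
    print('ascii/utf8:', info['ascii'], info['utf8'])
    for enc in ('ascii', 'utf-8'):
        try:
            print(enc, '->', hash_pin(info['text'], 'seed-placeholder', enc)[:16], '...')
        except UnicodeEncodeError as e:
            print(enc, '->', e)


if __name__ == '__main__':
    main()
```

RADIUS hides User-Password with the shared secret, so when the secret differs between pam_radius.conf and the server (as the auth.log line "The shared secret is probably incorrect" suggests) the server recovers exactly this kind of garbage instead of the typed password.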

Thank you, I have fixed the authentication problem. But I still don't understand why the log looks like this when I test the RADIUS user in the privacyIDEA web UI: the "not allowed to set IP to 127.0.0.1" and more. How can I repair it?

Proxy ::1 not allowed to set IP to 127.0.0.1.
[2017-06-13 19:07:09,440][1377][140526257809152][ERROR][privacyidea.app:1423] Exception on /radiusserver/test_request [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/auth.py", line 313, in decorated_function
    return f(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 117, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 154, in log_wrapper
    return func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/radiusserver.py", line 145, in test
    r = RADIUSServer.request(s, user, password)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/radiusserver.py", line 101, in request
    response = srv.SendPacket(req)
  File "/usr/lib/python2.7/dist-packages/pyrad/client.py", line 159, in SendPacket
    return self._SendPacket(pkt, self.authport)
  File "/usr/lib/python2.7/dist-packages/pyrad/client.py", line 147, in _SendPacket
    raise Timeout
Timeout

Kind regards
Zore