Problem with PrivacyIdea-PAM Radius

I installed PrivacyIdea on Ubuntu 22.0.4 and integrated servers running Ubuntu 16.x.
I followed the instructions but when authenticating, the OTP is always wrong. But when I tested the token on the GUI it was successful.
Can anyone assist me with this issue?

Can you post the log (with debug enabled) of the PAM module?

tail -f /var/log/auth.log

Mar 27 10:11:03 pi-u18 sshd[3223]: Invalid user namnd from 172.28.42.153 port 57892
Mar 27 10:11:03 pi-u18 sshd[3223]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory
Mar 27 10:11:03 pi-u18 sshd[3223]: PAM adding faulty module: pam_winbind.so
Mar 27 10:11:03 pi-u18 sshd[3223]: PAM unable to dlopen(pam_ecryptfs.so): /lib/security/pam_ecryptfs.so: cannot open shared object file: No such file or directory
Mar 27 10:11:03 pi-u18 sshd[3223]: PAM adding faulty module: pam_ecryptfs.so
Mar 27 10:11:03 pi-u18 sshd[3223]: Postponed keyboard-interactive for invalid user namnd from 172.28.42.153 port 57892 ssh2 [preauth]
Mar 27 10:11:13 pi-u18 sshd[3225]: pam_unix(sshd:auth): check pass; user unknown
Mar 27 10:11:13 pi-u18 sshd[3225]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.28.42.153
Mar 27 10:11:15 pi-u18 sshd[3223]: error: PAM: Authentication failure for illegal user namnd from 172.28.42.153
Mar 27 10:11:15 pi-u18 sshd[3223]: Failed keyboard-interactive/pam for invalid user namnd from 172.28.42.153 port 57892 ssh2
Mar 27 10:11:15 pi-u18 sshd[3223]: Postponed keyboard-interactive for invalid user namnd from 172.28.42.153 port 57892 ssh2 [preauth]
Mar 27 10:11:24 pi-u18 sshd[3226]: pam_unix(sshd:auth): check pass; user unknown
Mar 27 10:11:24 pi-u18 sshd[3226]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.28.42.153
Mar 27 10:11:25 pi-u18 sshd[3223]: error: PAM: Authentication failure for illegal user namnd from 172.28.42.153
Mar 27 10:11:25 pi-u18 sshd[3223]: Failed keyboard-interactive/pam for invalid user namnd from 172.28.42.153 port 57892 ssh2
Mar 27 10:11:25 pi-u18 sshd[3223]: Postponed keyboard-interactive for invalid user namnd from 172.28.42.153 port 57892 ssh2 [preauth]
Mar 27 10:11:30 pi-u18 sshd[3223]: Connection closed by invalid user namnd 172.28.42.153 port 57892 [preauth]
Mar 27 10:17:01 pi-u18 CRON[3237]: PAM unable to dlopen(pam_ecryptfs.so): /lib/security/pam_ecryptfs.so: cannot open shared object file: No such file or directory
Mar 27 10:17:01 pi-u18 CRON[3237]: PAM adding faulty module: pam_ecryptfs.so
Mar 27 10:17:01 pi-u18 CRON[3237]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 27 10:17:01 pi-u18 CRON[3237]: pam_unix(cron:session): session closed for user root
Mar 27 10:34:38 pi-u18 su[3263]: PAM unable to dlopen(pam_ecryptfs.so): /lib/security/pam_ecryptfs.so: cannot open shared object file: No such file or directory
Mar 27 10:34:38 pi-u18 su[3263]: PAM adding faulty module: pam_ecryptfs.so

My RADIUS client configuration:

# here are the per-package modules (the "Primary" block)
auth [success=3 default=ignore] pam_radius_auth.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so

vim /etc/pam_radius_auth.conf

# server[:port] shared_secret timeout (s)
#127.0.0.1 secret 1
10.168.50.177:1812 123456a@ 10
#other-server other-secret 3

My topology:
privacyIDEA server on Ubuntu 22 (privacyidea-radius) → Ubuntu clients 16.x and 18.x (pam_radius).
I don't know why it always says the OTP is wrong.
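The outcome of the stack above is decided by the [success=N] jumps, which are easy to misread. The following added example (not from this thread or from any PAM project) parses that exact stack and walks it under Linux-PAM's documented control semantics so one can see which module actually decided a login; the per-module outcomes are constructed inputs, and a module that fails to load is modelled as a failure that default=ignore skips.

```python
import re

# The client's auth stack exactly as posted in the thread (comment lines omitted)
COMMON_AUTH = """
auth [success=3 default=ignore] pam_radius_auth.so
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
"""

# Keyword controls as their documented Linux-PAM [success=... default=...] equivalents
KEYWORDS = {"requisite": "success=ok default=die", "required": "success=ok default=bad",
            "optional": "success=ok default=ignore", "sufficient": "success=done default=bad"}

def parse_stack(text):
    stack = []
    for line in text.strip().splitlines():
        ctrl, module = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        ctrl = KEYWORDS.get(ctrl, ctrl.strip("[]"))
        stack.append((module, dict(kv.split("=") for kv in ctrl.split())))
    return stack

def run_stack(stack, outcomes):
    # outcomes: module -> True (PAM_SUCCESS) / False (any failure, including a module that did not load);
    # pam_permit.so always succeeds. Returns (final result, modules actually consulted, in order).
    status, consulted, i = None, [], 0
    while i < len(stack):
        module, actions = stack[i]
        consulted.append(module)
        ok = outcomes.get(module, module == "pam_permit.so")
        action = actions.get("success" if ok else "default", "bad")
        i += 1
        if action.isdigit():                 # N: like "ok", then skip the next N modules
            i += int(action)
            action = "ok"
        if action == "ok" and status != "fail":
            status = "success"
        elif action == "done":               # ok, then stop the stack immediately
            return ("fail" if status == "fail" else "success"), consulted
        elif action == "bad":                # failure counts, but keep walking the stack
            status = "fail"
        elif action == "die":                # failure counts and the stack stops here
            return "fail", consulted
        # "ignore": this module's result does not contribute
    return status or "fail", consulted
```

With this stack a correct local password at pam_unix jumps straight to pam_permit, so the RADIUS OTP is not required for any user who has a local password. If pam_radius_auth.so itself fails to load, the walk falls through to pam_unix in the same way, which is consistent with the first log above showing only pam_unix lines.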

I do not see our PAM module being used, and there are a lot of errors.
You might want to check the audit in privacyIDEA. I don't really know what you want to do; maybe you should get professional help.

Create the user on the server (not the pi server) where you want to authenticate.

br

Julio

Mar 28 11:19:51 pi-u18 sshd[5767]: pam_radius_auth: Got user name dangnh@local
Mar 28 11:19:51 pi-u18 sshd[5762]: Postponed keyboard-interactive for invalid user dangnh@local from 172.28.42.207 port 54782 ssh2 [preauth]
Mar 28 11:20:04 pi-u18 sshd[5767]: pam_radius_auth: Sending RADIUS request code 1
Mar 28 11:20:05 pi-u18 sshd[5767]: pam_radius_auth: Got RADIUS response code 3
Mar 28 11:20:05 pi-u18 sshd[5767]: pam_radius_auth: authentication failed

Why is the RADIUS response code 3?
I can query it with a username and OTP from privacyIDEA:

root@pi-u18:~# echo User-Name = dangnh,User-Password =778817 | radclient -x -s 10.168.50.178 auth testing123
Sent Access-Request Id 132 from 0.0.0.0:56453 to 10.168.50.178:1812 length 46
User-Name = "dangnh"
User-Password = "778817"
Cleartext-Password = "778817"
Received Access-Accept Id 132 from 10.168.50.178:1812 to 0.0.0.0:0 length 48
Reply-Message = "privacyIDEA access granted"
Packet summary:
Accepted : 1
Rejected : 0
Lost : 0
Passed filter : 1
Failed filter : 0
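The PAM log shows pam_radius_auth receiving code 3 (Access-Reject) while the radclient test got an Access-Accept; note that the test went to 10.168.50.178 with secret testing123, whereas /etc/pam_radius_auth.conf lists 10.168.50.177 with 123456a@. The added example below (not part of this thread, of privacyIDEA or of pam_radius_auth) is a minimal RFC 2865 PAP client that repeats what the PAM module sends, from the client host, against whichever server and secret the conf file holds, and it refuses replies whose Response Authenticator does not match the secret; `probe` and the other names are assumptions, and `build_reply` exists only to construct a sample reply for offline checks.

```python
import hashlib, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE = 1, 2, 18

def encode_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous ciphertext block)
    password = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        prev = bytes(p ^ k for p, k in zip(password[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(ident, user, password, secret, authenticator):
    enc = encode_password(password, secret, authenticator)
    attrs = bytes([USER_NAME, 2 + len(user)]) + user + bytes([USER_PASSWORD, 2 + len(enc)]) + enc
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_authenticator, secret, reply_message=b""):
    # Server side; used here only to construct a sample reply for offline checks
    attrs = bytes([REPLY_MESSAGE, 2 + len(reply_message)]) + reply_message if reply_message else b""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(resp, request_authenticator, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    length = struct.unpack("!H", resp[2:4])[0]
    return hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest() == resp[4:20]

def parse_response(resp):
    # Returns (code, Reply-Message text); only meaningful after verify_response succeeded
    length, msg, i = struct.unpack("!H", resp[2:4])[0], "", 20
    while i + 1 < length:
        if resp[i] == REPLY_MESSAGE:
            msg = resp[i + 2:i + resp[i + 1]].decode(errors="replace")
        i += max(resp[i + 1], 2)             # guard against a zero-length attribute
    return resp[0], msg

def probe(server, secret, user, password, port=1812, timeout=10):
    # One PAP Access-Request as pam_radius_auth sends it; drops replies that fail the authenticator check
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_access_request(ident, user, password, secret, authenticator), (server, port))
        resp = sock.recv(4096)
    if resp[1] != ident or not verify_response(resp, authenticator, secret):
        raise ValueError("reply failed the Response Authenticator check: wrong shared secret or spoofed reply")
    return parse_response(resp)
```

Calling probe("10.168.50.177", b"123456a@", b"dangnh", b"<current OTP>") from pi-u18 returns code 2 for Access-Accept or 3 for Access-Reject; a timeout usually means the server does not list the client host as a RADIUS client at all.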