I was trying to find a PAM-Radius mailing list and it seems that this might be the one.
A Ubuntu 7.4 box needs to be configured such that SSH users will be authenticated against an external FreeRadius server. FreeRadius server version is 1.1.7-1build4. The Ubuntu box uses OpenSSH 4.3-p2 and /etc/ssh/sshd_config is set to “UsePAM yes”. I downloaded PAM_Radius 1.3.17.
Below is the procedure that I use Radius to authenticate a user in /etc/passwd (/etc/shadow doesn’t have the password for that user).
1. FreeRadius server configures its clients.conf and user file to include a new user called “test1”.
2. On my Ubuntu 7.4 box, add a user with command “useradd” to add a user “test1” but don’t set a password. So the user “test1” on the Ubuntu box will be inactive.
3. Configure /etc/pam.d/ssh on the Ubuntu box to use “auth sufficient pam_radius_auth.so”
4. Also update the /etc/raddb/server on the Ubuntu box to point to the remote Radius server IP.
5. Try ssh test1 ubuntu box and it worked. Also monitored the Free Radius logging and it did show that the Access-Request packets went to Radius server.
So step 1-5 worked well for me. Note that at step 2, the user account to be authenticated is added to /etc/passwd.
The issue is: if step 2 is omitted, SSH login will fail. ACCESS_REQUEST packets with INCORRECT password were even sent to the Radius server. Further troubleshooting showed that PAM_Radius module got a bad password from PAM.
I did some research from the website and some emails dated in 2006 said that PAM_Radius can only authenticate user accounts in /etc/passwd file. Is that right?
Many thanks in advance,