..:: VSFTP - PAM - RADIUS ::..

Alfonso Alejandro Reyes Jiménez areyes at ibossmonitor.com
Mon Sep 17 22:30:37 UTC 2012


Hi everyone.

I'm trying to use PAM and my radius server in order to authenticate the 
users of our vsftp server. Right now I'm able to get the access accept 
from the radius, but PAM seems not to understand it.

Here's my pam configuration:

#%PAM-1.0
auth sufficient pam_radius_auth.so debug
account sufficient pam_radius_auth.so debug
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Here's the PAM debug log:

Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Sending RADIUS request code 1
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 10657568.
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Got RADIUS response code 2
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: authentication succeeded
Sep 14 10:59:45 CRM vsftpd[9670]: pam_radius_auth: Got user name adgalvanh
Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Sending RADIUS request code 1
Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 7122720.
Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Got RADIUS response code 2
Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: authentication succeeded

The vsftp has the value:

  pam_service_name=vsftpd

On the vsftp log I got the OK LOGIN:
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-###############################################################"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-Todo acceso a este equipo es restringido y monitoreado, toda"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-actividad es ingresada a una bitacora."
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-###############################################################"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220 "
Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100", "AUTH TLS"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "234 Proceed with negotiation."
Mon Sep 17 17:28:05 2012 [pid 12728] DEBUG: Client "172.16.101.100", "SSL version: TLSv1/SSLv3, SSL cipher: AES128-SHA, not reused, no cert"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100", "USER aareyes"
Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP response: Client "172.16.101.100", "331 Please specify the password."
Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP command: Client "172.16.101.100", "PASS <password>"
Mon Sep 17 17:28:05 2012 [pid 12727] [aareyes] OK LOGIN: Client "172.16.101.100"

But I can't connect from my FTP client:

CYBERDUCK

I/O Error: Connection failed
Unsupported record version Unknown-48.48.

FILEZILLA

Status:    Waiting to retry...
Status:    Connecting to 172.16.18.113:21...
Status:    Connection established, waiting for welcome message...
Response:    220-###############################################################
Response:    220-Todo acceso a este equipo es restringido y monitoreado, toda
Response:    220-actividad es ingresada a una bitacora.
Response:    220-###############################################################
Response:    220
Command:    AUTH TLS
Response:    234 Proceed with negotiation.
Status:    Initializing TLS...
Status:    Verifying certificate...
Command:    USER aareyes
Status:    TLS/SSL connection established.
Response:    331 Please specify the password.
Command:    PASS **************
Error:    GnuTLS error -8: A record packet with illegal version was received.
Error:    Could not connect to server

But according to the log, everything is fine with the authentication, 
any ideas?

Thanks in advance for your help.


Regards.

Alfonso.
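
Cyberduck above reports a TLS record version of 48.48, and 48 is the ASCII code for the character "0". The following is an added example, not part of the original post: it parses the 5-byte TLS record header and flags input that looks like a cleartext FTP reply instead. The sample byte strings are constructed, and the idea that the client read cleartext inside the TLS session is an assumption, not something the logs confirm.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Record-layer versions a client of that period would accept
KNOWN_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0",
                  (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_record_header(data: bytes) -> dict:
    """Read the 5-byte TLS record header: type, major, minor, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def looks_like_ftp_reply(data: bytes) -> bool:
    """True if data starts like a cleartext FTP reply: 3 digits, then ' ' or '-'."""
    return len(data) >= 4 and data[:3].isdigit() and data[3:4] in (b" ", b"-")


def diagnose(data: bytes) -> str:
    """Describe what sits where a TLS record header is expected."""
    hdr = parse_record_header(data)
    major, minor = hdr["version"]
    if hdr["type"] in CONTENT_TYPES and hdr["version"] in KNOWN_VERSIONS:
        return (f"TLS record: {CONTENT_TYPES[hdr['type']]}, "
                f"{KNOWN_VERSIONS[hdr['version']]}, {hdr['length']} bytes")
    if looks_like_ftp_reply(data):
        # Bytes 2 and 3 of the reply code land in the version field.
        return (f"cleartext FTP reply {data[:3].decode()} "
                f"read as record version {major}.{minor}")
    return f"unrecognised record: type {hdr['type']}, version {major}.{minor}"


# Constructed samples, not captured traffic.
SAMPLE_TLS = bytes([23, 3, 1, 0, 32]) + b"\x00" * 32  # application_data, TLSv1.0
# Any reply code whose 2nd and 3rd digits are "00" yields version 48.48.
SAMPLE_PLAIN = b"500 constructed reply text\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_TLS, SAMPLE_PLAIN):
        print(diagnose(sample))
```

Running the same check against the first bytes the server sends after `PASS` in a packet capture shows whether they form a TLS record or an unencrypted reply line.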



