
Re: ..:: VSFTP - PAM - RADIUS ::..



On 9/18/12 8:04 AM, Nick Owen wrote:
On Mon, Sep 17, 2012 at 6:30 PM, Alfonso Alejandro Reyes Jiménez
<areyes ibossmonitor com>  wrote:
Hi everyone.

I'm trying to use PAM and my radius server in order to authenticate the users
of our vsftp server, right now I'm able to get the access accept from the
radius but PAM seems not to understand it.

Here's my pam configuration:

#%PAM-1.0
auth sufficient pam_radius_auth.so debug
account sufficient pam_radius_auth.so debug
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth

Here's the PAM debug log:

Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Sending RADIUS request code 1
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 10657568.
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: Got RADIUS response code 2
Sep 14 10:59:10 CRM vsftpd[9643]: pam_radius_auth: authentication succeeded
Sep 14 10:59:45 CRM vsftpd[9670]: pam_radius_auth: Got user name adgalvanh
Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Sending RADIUS request code 1
Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 7122720.
Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: Got RADIUS response code 2
Sep 14 10:59:46 CRM vsftpd[9670]: pam_radius_auth: authentication succeeded

The vsftp has the value:

  pam_service_name=vsftpd

On the vsftp log I got the OK LOGIN:
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-###############################################################"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-Todo acceso a este equipo es restringido y monitoreado, toda"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-actividad es ingresada a una bitacora."
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220-###############################################################"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "220"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100", "AUTH TLS"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP response: Client "172.16.101.100", "234 Proceed with negotiation."
Mon Sep 17 17:28:05 2012 [pid 12728] DEBUG: Client "172.16.101.100", "SSL version: TLSv1/SSLv3, SSL cipher: AES128-SHA, not reused, no cert"
Mon Sep 17 17:28:05 2012 [pid 12728] FTP command: Client "172.16.101.100", "USER aareyes"
Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP response: Client "172.16.101.100", "331 Please specify the password."
Mon Sep 17 17:28:05 2012 [pid 12728] [aareyes] FTP command: Client "172.16.101.100", "PASS<password>"
Mon Sep 17 17:28:05 2012 [pid 12727] [aareyes] OK LOGIN: Client "172.16.101.100"

But I can't connect from my FTP client:

CYBERDUCK

I/O Error: Connection failed
Unsupported record version Unknown-48.48.

FILEZILLA

Status:    Waiting to retry...
Status:    Connecting to 172.16.18.113:21...
Status:    Connection established, waiting for welcome message...
Response:    220-###############################################################
Response:    220-Todo acceso a este equipo es restringido y monitoreado, toda
Response:    220-actividad es ingresada a una bitacora.
Response:    220-###############################################################
Response:    220
Command:    AUTH TLS
Response:    234 Proceed with negotiation.
Status:    Initializing TLS...
Status:    Verifying certificate...
Command:    USER aareyes
Status:    TLS/SSL connection established.
Response:    331 Please specify the password.
Command:    PASS **************
Error:    GnuTLS error -8: A record packet with illegal version was
Seems like an SSL/TLS error in your certs SFTP server rather than a PAM error.

--
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication

_______________________________________________
Pam-list mailing list
Pam-list redhat com
https://www.redhat.com/mailman/listinfo/pam-list


Thanks for your reply, the issue is now solved. I had to use the ssl_ciphers=HIGH command.

Have a great day.

Regards.

Alfonso.
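
Added example, not part of the original thread: in the service file quoted above, `auth sufficient pam_radius_auth.so` is the first auth rule, so when RADIUS accepts the user PAM returns success without running the later `required` pam_listfile.so (the /etc/vsftpd/ftpusers deny list) and pam_shells.so checks. The Python sketch below flags that ordering; the function name and the reordered stack are assumptions made for illustration.

```python
import re

# Constructed input: the service file quoted in the thread, with the
# mail-wrapped pam_listfile line rejoined.
QUOTED = """\
#%PAM-1.0
auth sufficient pam_radius_auth.so debug
account sufficient pam_radius_auth.so debug
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
"""

# Assumed reordering (illustration only): deny-list and shell checks run
# before the RADIUS module can end the auth stack.
REORDERED = """\
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       sufficient   pam_radius_auth.so debug
auth       include      password-auth
"""

# type, control (plain keyword or [bracketed] form), module path
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def skipped_after_sufficient(text):
    """Return (line, type, module, sufficient_module) for every required or
    requisite rule that follows a 'sufficient' rule of the same type."""
    findings, sufficient = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        mtype, control, module = m.groups()
        if control == "sufficient":
            sufficient.setdefault(mtype, module)
        elif control in ("required", "requisite") and mtype in sufficient:
            findings.append((lineno, mtype, module, sufficient[mtype]))
    return findings

if __name__ == "__main__":
    for lineno, mtype, module, suff in skipped_after_sufficient(QUOTED):
        print(f"line {lineno}: {mtype} {module} is not run when {suff} succeeds")
```

Rules pulled in through `include` are not expanded, so password-auth has to be checked separately.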

