FreeRADIUS/pam_radius

getservbyname fails

jangel97 opened this issue · 2 comments

Hi,

My aim is to configure a RADIUS client via the RADIUS PAM module, but I am getting an NSS error.

My environment:

  • RHEL 8.5
  • pam_radius-1.4.0-15.el8.x86_64

My /etc/pam_radius.conf:

radius01 secret 100

My /etc/pam.d/sshd:

#%PAM-1.0

auth            required        pam_env.so
auth            sufficient      pam_radius_auth.so debug client_id=linux
auth            requisite       pam_succeed_if.so uid >= 500 quiet
auth            required        pam_deny.so

account         sufficient      pam_succeed_if.so uid < 500 quiet
account         required        pam_permit.so

password        requisite       pam_cracklib.so try_first_pass retry=3
password        required        pam_deny.so

session         required        pam_selinux.so close
session         required        pam_limits.so
session         [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
#session                required        pam_quota.so bsoftlimit=9216 bhardlimit=10240 path=/
session         required        pam_mkhomedir.so umask=0077
session         required        pam_selinux.so open

My /etc/ssh/sshd_config:

Protocol 2
Port 22

ListenAddress 0.0.0.0

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Logging
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication
StrictModes yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication no
        # Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no

Banner /etc/login-banner

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Standard Options
X11Forwarding yes
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Match Address 0.0.0.0/0
    # Everyone else
    Banner /etc/login-banner
    GSSAPIAuthentication no
    PubkeyAuthentication no

Whenever I try to SSH I can see the following error in /var/log/secure:

Mar 28 12:05:54 bastiontest sshd[2572]: pam_radius_auth: ignore last_pass, force_prompt set
Mar 28 12:05:57 bastiontest sshd[2572]: pam_radius_auth: Sending RADIUS request code 1
Mar 28 12:05:57 bastiontest sshd[2572]: **pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fcb7effc240.**
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: RADIUS server radius01 failed to respond
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: authentication failed
Mar 28 12:06:00 bastiontest sshd[2570]: error: PAM: Authentication failure for user from 10.x.x.x
Mar 28 12:06:00 bastiontest sshd[2573]: pam_radius_auth: Got user name user
Mar 28 12:06:00 bastiontest sshd[2573]: pam_radius_auth: ignore last_pass, force_prompt set

What does this mean? The command getent services radius is working as expected.

Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: RADIUS server radius01.authmgr.prod.int.rdu2.redhat.com failed to respond

The RADIUS server isn't responding. Most likely because the shared secret is wrong.

Check the debug logs on the RADIUS server.

Nothing arrives at the server; we are using tcpdump to see if network traffic gets there. I think pam_radius is breaking before sending anything.

Most likely there must be some misconfig in my nsswitch.conf.

passwd:     sss files systemd
group:      sss files systemd
netgroup:   sss files
automount:  sss files
services:   sss files
sudoers:    files sss
shadow:     files sss
hosts:      files dns myhostname
aliases:    files
ethers:     files
gshadow:    files
networks:   files dns
protocols:  files
publickey:  files
rpc:        files
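
An added example (not part of the issue thread or of the pam_radius code) that triages the /var/log/secure excerpt from the opening post per sshd PID: it treats the `getservbyname` DEBUG line as a successful lookup when the logged pointer is non-NULL, and records which servers timed out. The function name `triage` and the set of NULL renderings (`(nil)`, `0x0`, `0`, `NULL`) are assumptions.

```python
import re
from collections import defaultdict

# Log lines copied from the opening post (the ** markers around one line removed).
SAMPLE = """\
Mar 28 12:05:54 bastiontest sshd[2572]: pam_radius_auth: ignore last_pass, force_prompt set
Mar 28 12:05:57 bastiontest sshd[2572]: pam_radius_auth: Sending RADIUS request code 1
Mar 28 12:05:57 bastiontest sshd[2572]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fcb7effc240.
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: RADIUS server radius01 failed to respond
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: authentication failed
"""

LINE = re.compile(r"sshd\[(\d+)\]: pam_radius_auth: (.*)$")
LOOKUP = re.compile(r"getservbyname\((\w+), (\w+)\) returned (\S+?)\.?$")
TIMEOUT = re.compile(r"RADIUS server (\S+) failed to respond")
# Assumption: ways a NULL return could be rendered in the log ("(nil)" is glibc's %p).
NULL_PTRS = {"(nil)", "0x0", "0", "NULL"}

def triage(text):
    """Summarise each sshd PID's pam_radius_auth attempt from syslog text."""
    out = defaultdict(lambda: {"sent": False, "lookup_ok": None,
                               "timed_out": [], "auth_failed": False})
    for raw in text.splitlines():
        m = LINE.search(raw.replace("**", ""))  # tolerate pasted bold markers
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        rec = out[pid]
        if msg.startswith("Sending RADIUS request"):
            rec["sent"] = True
        elif (lk := LOOKUP.search(msg)):
            # getservbyname() returns NULL on failure, a valid pointer on success.
            rec["lookup_ok"] = lk.group(3) not in NULL_PTRS
        elif (to := TIMEOUT.search(msg)):
            rec["timed_out"].append(to.group(1))
        elif msg == "authentication failed":
            rec["auth_failed"] = True
    return dict(out)

if __name__ == "__main__":
    for pid, rec in triage(SAMPLE).items():
        print(pid, rec)
```

For the excerpt above this reports a successful service lookup followed by a timeout on `radius01`, so the line to follow up on is "failed to respond", not the DEBUG line.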