getservbyname fails
jangel97 opened this issue · 2 comments
Hi,
My aim is to configure a Radius client via radius pam module, but I am getting some NSS error.
My environment:
- RHEL 8.5
- pam_radius-1.4.0-15.el8.x86_64
My /etc/pam_radius.conf:
radius01 secret 100
My /etc/pam.d/sshd:
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_radius_auth.so debug client_id=linux
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password required pam_deny.so
session required pam_selinux.so close
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
#session required pam_quota.so bsoftlimit=9216 bhardlimit=10240 path=/
session required pam_mkhomedir.so umask=0077
session required pam_selinux.so open
My /etc/ssh/sshd_config:
Protocol 2
Port 22
ListenAddress 0.0.0.0
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Logging
SyslogFacility AUTHPRIV
LogLevel INFO
# Authentication
StrictModes yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#ChallengeResponseAuthentication no
UsePAM yes
PubkeyAuthentication no
# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd no
KerberosTicketCleanup no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
Banner /etc/login-banner
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Standard Options
X11Forwarding yes
MACs hmac-sha2-512,hmac-sha2-256
KexAlgorithms diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
Match Address 0.0.0.0/0
# Everyone else
Banner /etc/login-banner
GSSAPIAuthentication no
PubkeyAuthentication no
Whenever I try to SSH I can see the following error in /var/log/secure:
Mar 28 12:05:54 bastiontest sshd[2572]: pam_radius_auth: ignore last_pass, force_prompt set
Mar 28 12:05:57 bastiontest sshd[2572]: pam_radius_auth: Sending RADIUS request code 1
Mar 28 12:05:57 bastiontest sshd[2572]: **pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fcb7effc240.**
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: RADIUS server radius01 failed to respond
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: authentication failed
Mar 28 12:06:00 bastiontest sshd[2570]: error: PAM: Authentication failure for user from 10.x.x.x
Mar 28 12:06:00 bastiontest sshd[2573]: pam_radius_auth: Got user name user
Mar 28 12:06:00 bastiontest sshd[2573]: pam_radius_auth: ignore last_pass, force_prompt set
What does this mean? The command getent services radius is working as expected.
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: RADIUS server radius01.authmgr.prod.int.rdu2.redhat.com failed to respond
The RADIUS server isn't responding. Most likely because the shared secret is wrong.
Check the debug logs on the RADIUS server.
Nothing arrives at the server; we are using tcpdump to see if network traffic gets there. I think pam_radius is breaking before sending anything.
Most likely there must be some misconfig in my nsswitch.conf.
passwd: sss files systemd
group: sss files systemd
netgroup: sss files
automount: sss files
services: sss files
sudoers: files sss
shadow: files sss
hosts: files dns myhostname
aliases: files
ethers: files
gshadow: files
networks: files dns
protocols: files
publickey: files
rpc: files
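Added example, not part of the original thread or of pam_radius itself: a small triage script for the `pam_radius_auth` debug lines quoted in this issue. It relies on the documented behaviour that getservbyname(3) returns NULL only on failure, so a non-zero pointer in the DEBUG line is a successful lookup. The sample log, the `(nil)` rendering of a NULL pointer, and the function and verdict names are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the /var/log/secure lines in this issue.
# The last line (NULL result printed as "(nil)") is an assumed failure case.
SAMPLE_LOG = """\
Mar 28 12:05:57 bastiontest sshd[2572]: pam_radius_auth: Sending RADIUS request code 1
Mar 28 12:05:57 bastiontest sshd[2572]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 0x7fcb7effc240.
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: RADIUS server radius01 failed to respond
Mar 28 12:06:00 bastiontest sshd[2572]: pam_radius_auth: All RADIUS servers failed to respond.
Mar 28 12:06:01 bastiontest sshd[2601]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned (nil).
"""

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: pam_radius_auth: (?P<msg>.*)$")
LOOKUP = re.compile(r"DEBUG: getservbyname\(\w+, \w+\) returned (?P<ptr>\S+?)\.?$")
TIMEOUT = re.compile(r"RADIUS server (?P<server>\S+) failed to respond")

def lookup_ok(ptr):
    """True when the logged pointer is non-NULL, i.e. the service entry was found."""
    return ptr not in ("(nil)", "(null)") and int(ptr, 16) != 0

def triage(log_text):
    """Group pam_radius_auth lines by sshd PID and record lookup result and timeouts."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw.replace("**", ""))  # tolerate pasted bold markers
        if not m:
            continue
        s = sessions.setdefault(int(m["pid"]), {"lookup_ok": None, "timeouts": []})
        lk = LOOKUP.search(m["msg"])
        to = TIMEOUT.search(m["msg"])
        if lk:
            s["lookup_ok"] = lookup_ok(lk["ptr"])
        elif to:
            s["timeouts"].append(to["server"])
    return sessions

def verdict(s):
    """Name the first failure the log actually records for one session."""
    if s["lookup_ok"] is False:
        return "service-lookup-failed"   # look at 'services:' in nsswitch.conf
    if s["timeouts"]:
        return "no-reply-from-server"    # look at network path, port, shared secret
    return "no-failure-logged"

if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(pid, s, verdict(s))
```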