User will not login to shell on RHEL9
Closed this issue · 3 comments
So I wanted to start using our existing RADIUS server to allow logins to our RHEL9 systems, since the RADIUS itself is already MFA.
I used the following articles to create my instance.
https://access.redhat.com/solutions/7004459
https://access.redhat.com/solutions/2746251
When I did the radtest, my user was accepted and I saw the group from the RADIUS server, so then I moved on to setting up my SSH login to allow this.
Since this was tested well, my /etc/pam.conf files are connected properly (so I don't have to expose the server secret and so forth).
I edited the /etc/pam.d/sshd (as instructed):

```
cat /etc/pam.d/sshd
#%PAM-1.0
auth       substack     password-auth
auth       sufficient   pam_radius_auth.so
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin
```
I added my user with no password as directed. I tried to ssh and I get "Permission denied, please try again." My ssh -vvv shows the following:

```
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
```

I started Wireshark and I see the packet go out and return accepted.
And I see my RADIUS server accepts the login, but still no shell.
If you get Access-Accept, then the pam_radius code is working correctly.
There are still various other PAM things which may need to succeed before you get a shell. You'll have to see the RedHat documentation for more details.
For example, the system still needs to find the user's UID, GID, home directory, login shell, etc. None of that is provided over RADIUS.
So there's not much that the pam_radius code can do here. It's working correctly. The problem is elsewhere.
By creating the user via useradd there is all of the UID, GID, home, but to further test your theory I have cloned a box that I have which is fully functional (has all users created with all the groups and such), and I disabled SELinux and disabled FIPS mode (all just for testing), and I still don't get a shell; the logon is fully accepted, so there must be something else.

```
3 9.068388979 10.1.1.53 → 10.1.1.50 RADIUS 135 Access-Request id=78
4 9.106603570 10.1.1.50 → 10.1.1.53 RADIUS 100 Access-Accept id=78
```

But still no prompt, and I get the permission denied message again:

```
Permission denied, please try again.
```
Again, if the pam_radius module receives an Access-Accept, then it is working properly. The pam_radius module then tells the PAM framework that the user can log in.
If the user still cannot log in, then the problem isn't in the pam_radius module. It's somewhere else in the PAM configuration.
I don't run RedHat, and I know nothing about the large PAM issue. You will have to ask RedHat for help. There's nothing wrong with the pam_radius module.
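To make the maintainer's point concrete, here is an added example (not code from the pam_radius project or from anyone in this thread): a small simulator of how Linux-PAM evaluates an auth stack with the `required`, `requisite`, `sufficient`, `include` and `substack` controls. The stack files and per-module results are constructed and simplified; it shows that a `sufficient` success from `pam_radius_auth.so` cannot override a `required` failure recorded earlier in the same stack, so where the module sits relative to `password-auth` decides whether an Access-Accept becomes a login.

```python
# Added example (not from the pam_radius project or this thread): minimal
# simulator of Linux-PAM auth-stack evaluation. A "sufficient" success
# cannot override a "required" failure recorded earlier in the same stack.
# Stack contents and module results are constructed; real files differ.

SUCCESS, FAIL = "success", "fail"

def run(stack, files, results, state):
    """Evaluate one stack level (simplified Linux-PAM semantics):
    required: failure remembered, later modules still run; requisite: failure
    stops this level; sufficient: success stops this level unless something
    required already failed; include: a stop inside propagates up;
    substack: a stop inside ends only the substack.
    Returns True when the caller should stop evaluating this level."""
    for control, arg in stack:
        if control in ("include", "substack"):
            if run(files[arg], files, results, state) and control == "include":
                return True
            continue
        rc = results.get(arg, FAIL)          # unknown module: treat as failure
        if control == "requisite" and rc == FAIL:
            state["failed"] = True
            return True
        if control == "required" and rc == FAIL:
            state["failed"] = True
        elif control == "sufficient" and rc == SUCCESS and not state["failed"]:
            return True
    return False

def evaluate(stack_name, files, results):
    """Final result of the named auth stack: SUCCESS or FAIL."""
    state = {"failed": False}
    run(files[stack_name], files, results, state)
    return FAIL if state["failed"] else SUCCESS

# Constructed files shaped like the RHEL sshd stack quoted above, with a
# cut-down password-auth (the real one contains more modules).
FILES = {
    "sshd_radius_after": [("substack", "password-auth"), ("sufficient", "pam_radius_auth.so")],
    "sshd_radius_first": [("sufficient", "pam_radius_auth.so"), ("substack", "password-auth")],
    "password-auth": [("required", "pam_env.so"), ("sufficient", "pam_unix.so"),
                      ("required", "pam_deny.so")],
}

# A user whose only credential lives on the RADIUS server: pam_unix.so cannot
# verify it, pam_deny.so always fails, pam_radius_auth.so got Access-Accept.
RADIUS_USER = {"pam_env.so": SUCCESS, "pam_unix.so": FAIL,
               "pam_deny.so": FAIL, "pam_radius_auth.so": SUCCESS}
# A local user with a shadow password whom the RADIUS server does not know.
LOCAL_USER = {"pam_env.so": SUCCESS, "pam_unix.so": SUCCESS,
              "pam_deny.so": FAIL, "pam_radius_auth.so": FAIL}
```

Running `evaluate("sshd_radius_after", FILES, RADIUS_USER)` yields `fail` even though the RADIUS module succeeded, while `sshd_radius_first` yields `success`; the local user succeeds in both orders because the `sufficient` pam_unix.so ends only the substack and nothing required failed.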