FreeRADIUS Google Dual Factor Authenticator, PAM

Time: 2013-09-26 07:01:57

Tags: pam freeradius google-authenticator

Hello, I have been following this article to set up FreeRADIUS Google Dual Factor Authenticator

http://www.supertechguy.com/help/security/freeradius-google-auth

When it comes time to test, I still cannot get it to work. If my /etc/pam.d/radiusd looks like the following, it works fine with the following command

radtest test test localhost 18120 testing123

#
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session

However, if it looks like the following

#
# /etc/pam.d/radiusd - PAM configuration for FreeRADIUS
#

# We fall back to the system default in /etc/pam.d/common-*
#

#@include common-auth
#@include common-account
#@include common-password
#@include common-session

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

My log file shows the following and auth fails.

rad_recv: Access-Request packet from host 127.0.0.1 port 43185, id=111, length=56
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 18120
Thu Sep 26 16:38:19 2013 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group authorize {...}
Thu Sep 26 16:38:19 2013 : Info: ++[preprocess] returns ok
Thu Sep 26 16:38:19 2013 : Info: ++[chap] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[mschap] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[digest] returns noop
Thu Sep 26 16:38:19 2013 : Info: [suffix] No '@' in User-Name = "test", looking up realm NULL
Thu Sep 26 16:38:19 2013 : Info: [suffix] No such realm "NULL"
Thu Sep 26 16:38:19 2013 : Info: ++[suffix] returns noop
Thu Sep 26 16:38:19 2013 : Info: [eap] No EAP-Message, not doing EAP
Thu Sep 26 16:38:19 2013 : Info: ++[eap] returns noop
Thu Sep 26 16:38:19 2013 : Info: [files] users: Matched entry DEFAULT at line 74
Thu Sep 26 16:38:19 2013 : Info: ++[files] returns ok
Thu Sep 26 16:38:19 2013 : Info: ++[expiration] returns noop
Thu Sep 26 16:38:19 2013 : Info: ++[logintime] returns noop
Thu Sep 26 16:38:19 2013 : Info: [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
Thu Sep 26 16:38:19 2013 : Info: ++[pap] returns noop
Thu Sep 26 16:38:19 2013 : Info: Found Auth-Type = PAM
Thu Sep 26 16:38:19 2013 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group authenticate {...}
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session
Thu Sep 26 16:38:19 2013 : Info: ++[pam] returns reject
Thu Sep 26 16:38:19 2013 : Info: Failed to authenticate the user.
Thu Sep 26 16:38:19 2013 : Info: Using Post-Auth-Type Reject
Thu Sep 26 16:38:19 2013 : Info: # Executing group from file /etc/freeradius/sites-enabled/default
Thu Sep 26 16:38:19 2013 : Info: +- entering group REJECT {...}
Thu Sep 26 16:38:19 2013 : Info: [attr_filter.access_reject]    expand: %{User-Name} -> test
Thu Sep 26 16:38:19 2013 : Debug:  attr_filter: Matched entry DEFAULT at line 11
Thu Sep 26 16:38:19 2013 : Info: ++[attr_filter.access_reject] returns updated
Thu Sep 26 16:38:19 2013 : Info: Delaying reject of request 0 for 1 seconds
Thu Sep 26 16:38:19 2013 : Debug: Going to the next request
Thu Sep 26 16:38:19 2013 : Debug: Waking up in 0.9 seconds.
Thu Sep 26 16:38:20 2013 : Info: Sending delayed reject for request 0
Sending Access-Reject of id 111 to 127.0.0.1 port 43185
Thu Sep 26 16:38:20 2013 : Debug: Waking up in 4.9 seconds.
Thu Sep 26 16:38:25 2013 : Info: Cleaning up request 0 ID 111 with timestamp +3
Thu Sep 26 16:38:25 2013 : Info: Ready to process requests.

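I am using the latest Ubuntu

Does anyone know what the problem is here?

Many thanks

2 answers:

Answer 0: (score: 2)

After so much web surfing and forum hunting, I managed to solve this problem. If anyone else runs into this issue, this may help them :)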

Thu Sep 26 16:38:19 2013 : Debug: pam_pass: using pamauth string <radiusd> for pam.conf lookup
Thu Sep 26 16:38:19 2013 : Debug: pam_pass: function pam_authenticate FAILED for <test>. Reason: Cannot make/remove an entry for the specified session

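The above lines actually mean that authentication failed, even though it does not sound like it, and can also mean that the .google_authenticator file in the user's home directory cannot be accessed.

The FreeRadius log file is not much help with this problem, but take a look at /var/log/secure on CentOS and /var/log/auth.log on Ubuntu. This will explain what the problem is.

The problem on my system was that my time was off, so the randomly generated numbers from the Google Dual Factor Authenticator app on my iPhone were not valid. I had to install NTP and change my server time to the correct time, which fixed the problem!!!!

Hope this helps someone else :)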
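The clock-skew failure described in this answer, as an added example that is not part of the original post: a small RFC 6238 TOTP calculator that reports how many 30-second steps the server clock is away from the phone that produced a code. The function names, the sample timestamps, and the ±1 step acceptance window are assumptions for illustration; the secret is the RFC 6238 test secret, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def totp(secret_b32, unix_time, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def find_skew(secret_b32, phone_code, server_time, max_steps=20):
    """Return the step offset (phone minus server) at which phone_code is
    valid, searching outward from 0, or None if nothing matches."""
    for distance in range(max_steps + 1):
        for steps in ((0,) if distance == 0 else (-distance, distance)):
            candidate = totp(secret_b32, server_time + steps * STEP)
            if hmac.compare_digest(candidate, phone_code):
                return steps
    return None


def accepted(secret_b32, phone_code, server_time, window=1):
    """True if the code falls within +/- window steps of the server clock
    (the window size is an assumption about the verifier)."""
    return find_skew(secret_b32, phone_code, server_time, window) is not None


# Constructed sample values (hypothetical, for illustration only).
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test secret in base32
PHONE_TIME = 1380213499         # correct time on the phone
SERVER_TIME = PHONE_TIME - 300  # server clock running 5 minutes slow

if __name__ == "__main__":
    code = totp(SECRET, PHONE_TIME)
    print("code shown on phone:", code)
    print("accepted with +/-1 step:", accepted(SECRET, code, SERVER_TIME))
    print("server is off by", find_skew(SECRET, code, SERVER_TIME), "steps")
```

A non-zero skew larger than the verifier's window reproduces the rejected login; syncing the server clock with NTP brings the offset back to 0.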

Answer 1: (score: -1)

The how-to on the Super Tech Guy page (http://www.supertechguy.com/help/security/freeradius-google-auth) has a typo.

DEFAULT        Auth-Type := PAM

should be

DEFAULT        Auth-Type = PAM 

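I don't know why he put a colon there, but removing it solved my problem.

This was after I made sure the server had the correct time (and time zone), which it did not. So thanks for that suggestion too!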