Yubico Forum

Re: Problem integrating PAM and FreeRadius

2009-12-21T18:07:32+01:00

Most excellent. It worked.

Any plans to incorporate that change into the next version?

Statistics: Posted by dave_marsh_pw — Mon Dec 21, 2009 6:07 pm

Re: Problem integrating PAM and FreeRadius

2009-12-21T14:17:00+01:00

Before starting the FreeRADIUS Server from the command line using the "freeradius -X" command, please execute the following command:

Code:

export LD_PRELOAD=/lib/libpam.so.

Please use the version number of the "libpam.so" library available for your platform.

Also, please make the following listed changes to the Yubico PAM module, compile and install it again:

1) Go to the directory where you have downloaded the source code of Yubico PAM module
2) Open "pam_yubico.c" file
3) Find the following code in the "pam_yubico.c" file:

Code:

cfg->yubi_attr = NULL;

4) Append the following code just after the "cfg->yubi_attr = NULL;" code:

Code:

cfg->client_key = NULL;

5) Save the changes to the file
6) Compile and install the Yubico PAM module again

We hope this helps!

Statistics: Posted by network-marvels — Mon Dec 21, 2009 2:17 pm

Re: Problem integrating PAM and FreeRadius

2009-12-18T16:44:16+01:00

as for all of the information requested by network-marvels:

1) OS: Ubuntu 9.10
2) FreeRADIUS Version 2.1.0
3) Yubico PAM: 2.2
4-6) The files are way too large to paste in here and the forum system won't allow me to upload them (it doesn't like the .conf or .txt file extension). Should I just paste them in here or is there a better way?
7)

Code:

auth required pam_yubico.so id=2 debug authfile=/etc/freeradius/yubico.mapping url=http://10.x.x.x:8180/wsapi/verify?id=%d&otp=%s

8)SELinux status: disabled

Statistics: Posted by dave_marsh_pw — Fri Dec 18, 2009 4:44 pm

Re: Problem integrating PAM and FreeRadius

2009-12-18T16:23:40+01:00

so, I realize this is an old topic but I am also having issues integrating PAM and FreeRadius.

I've followed everything in this thread (and searched the forums) but nothing seem to be working.

It looks like FreeRadius is having trouble loading the PAM module. I'm running FreeRadius from the command line so I can see the debug output. The following is the relevant output:

Code:

Info: Found Auth-Type = PAM
Fri Dec 18 10:14:48 2009 : Info: +- entering group authenticate {...}
Fri Dec 18 10:14:48 2009 : Debug: pam_pass: using pamauth string  for pam.conf lookup
Fri Dec 18 10:14:48 2009 : Debug: pam_pass: function pam_authenticate FAILED for . Reason: Module is unknown
Fri Dec 18 10:14:48 2009 : Info: ++[pam] returns reject
Fri Dec 18 10:14:48 2009 : Info: Failed to authenticate the user.

and here is my radiusd file in /etc/pam.d

Code:

auth required /lib/security/pam_yubico.so id=1 debug key=eraser authfile=/etc/freeradius/yubiauthfile.map url=http://yubikey/yubico/validation/ykval-verify?id=%d&otp=%s

If I change 'required' to 'sufficient' instead of 'module is unknown' I get "permission denied". If I replace the yubikey module with the pam_unix module radius authenticates just fine using the regular user password.

I can test my validation server manually and it seems to work. I have also configured SSH to use the exact same yubikey PAM with relatively no issues. I've got pam spitting out debug messages and I see it appending output when I ssh but not when I use 'radtest'

does anybody know what is going on?

Statistics: Posted by dave_marsh_pw — Fri Dec 18, 2009 4:23 pm

Re: Problem integrating PAM and FreeRadius

2009-01-20T15:45:47+01:00

I found a way to make it work :

Code:

export LD_PRELOAD=/lib/libpam.so.0.79

not very pretty, but it solves it for the moment.
could it be related with me using debian !?

Code:

Linux version 2.6.18-6-686 (Debian 2.6.18.dfsg.1-22) (dannf@debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Tue Jun 17 21:31:27 UTC 2008

So it is just a part of the pam subsystem that is not loaded automagicly. I am not a developer, and not familiar with the pam setup, so - no clue at this time.

But I can continue testing !

Statistics: Posted by Erik — Tue Jan 20, 2009 3:45 pm

Re: Problem integrating PAM and FreeRadius

2009-01-20T07:13:31+01:00

We would appreciate if you can provide us the following information so that we can try to identify the exact problem and provide a solution:

Statistics: Posted by network-marvels — Tue Jan 20, 2009 7:13 am

Re: Problem integrating PAM and FreeRadius

2009-01-19T14:41:24+01:00

I too have this problem integrating with freeradius and pam

Code:

Jan 19 15:18:01 yubico freeradius: PAM unable to dlopen(/lib/security/pam_yubico.so)
Jan 19 15:18:01 yubico freeradius: PAM [dlerror: /lib/security/pam_yubico.so: undefined symbol: pam_get_item]
Jan 19 15:18:01 yubico freeradius: PAM adding faulty module: /lib/security/pam_yubico.so

I put this in /etc/pam.d/radiusd

Code:

auth required pam_yubico.so id=2 debug authfile=/etc/freeradius/yubico.mapping url=http://10.x.x.x:8180/wsapi/verify?id=%d&otp=%s

I "think" I followed the cookbook on the forum, but ... no luck.
Can someone give me a hint.

Statistics: Posted by Erik — Mon Jan 19, 2009 2:41 pm

Re: Problem integrating PAM and FreeRadius

2008-07-24T12:25:28+01:00

olebakk wrote:

Code:

Jul 11 10:13:07 htpc freeradius: PAM [error: /lib/security/pam_yubico.so: undefined symbol: pam_set_data]
Jul 11 10:13:07 htpc freeradius: PAM adding faulty module: /lib/security/pam_yubico.so

Does your PAM library have the pam_set_data symbol? This seems like a weird error to me.

olebakk wrote:

Here is my FreeRadius log:

Code:

pam_pass: using pamauth string  for pam.conf lookup
pam_pass: function pam_authenticate FAILED for . Reason: Module is unknown
  modcall[authenticate]: module "pam" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.

This error seems like it suggests a simple problem: you need a PAM module file "radiusd" or possibly "freeradius". Which name depends on what freeradius uses for PAM module. On my system, it uses "radiusd". So you will have to create a /etc/pam.d/radiusd with the proper PAM content (same as ssh file should work). Does this help?

/Simon

Statistics: Posted by Simon — Thu Jul 24, 2008 12:25 pm

Re: Problem integrating PAM and FreeRadius

2008-07-23T17:42:37+01:00

From http://code.google.com/p/yubico-pam/wiki/ReadMe
I copy Timm's solution here:

---
Use Yubikey for SSH login

http://code.google.com/p/yubico-pam/wiki/ReadMe

Comment by timm.tem, May 08, 2008

Follow exact same instructions but add

"auth sufficient pam_yubico.so id=16 debug" to

/etc/pam.d/ssh at the top!! and the edit /etc/ssh/sshd_config

and make sure that...

ChallengeResponseAuthentication? yes

UsePAM yes

Not required but good pratice

PermitRootLogin? no

Statistics: Posted by paul — Wed Jul 23, 2008 5:42 pm

Re: Problem integrating PAM and FreeRadius

2008-07-12T06:34:48+01:00

Folks,

Here are some of Yubikey PAM deployment cases with FreeRadius that works. Some requires a bit tweaking:

vpn/deployment_cases/

Thanks for comments

Statistics: Posted by paul — Sat Jul 12, 2008 6:34 am

Re: Problem integrating PAM and FreeRadius

2008-07-11T18:49:01+01:00

i'm trying to get the pam module working on etch, and am having problems there. 1.6 and 1.7 don't seem to authenticate (or even prompt), but logins fail when the yubico-pam module is enabled.

debugging doesn't seem to be working either. i've been beating on it for about a day now. did you do anything special to get straight pam without radius running?

Statistics: Posted by gorkab — Fri Jul 11, 2008 6:49 pm

Problem integrating PAM and FreeRadius

2008-07-11T12:00:43+01:00

I've got a few problems getting the PAM modules working. SSH seem to manage to authenticate but doesn't log in, FreeRadius just fails with everything (even with alwaysok). I am using Ubuntu for the tests (as I assumed that would be more compatible than Solaris - which is my next platform to test when I get this working...). I have tried both 1.6 and the SVN 1.7 pre-release.

Both seem to output this in my auth.log

Code:

Jul 11 10:13:07 htpc freeradius: PAM [error: /lib/security/pam_yubico.so: undefined symbol: pam_set_data]
Jul 11 10:13:07 htpc freeradius: PAM adding faulty module: /lib/security/pam_yubico.so

Debug when using SSH - I can't get freeradius to create any debug (probably rejects the PAM):

Code:

[pam_yubico.c:pam_sm_authenticate(105)] called.
[pam_yubico.c:pam_sm_authenticate(106)] flags 1 argc 2
[pam_yubico.c:pam_sm_authenticate(108)] argv[0]=id=205
[pam_yubico.c:pam_sm_authenticate(108)] argv[1]=debug
[pam_yubico.c:pam_sm_authenticate(109)] id=205
[pam_yubico.c:pam_sm_authenticate(110)] debug=1
[pam_yubico.c:pam_sm_authenticate(111)] alwaysok=0
[pam_yubico.c:pam_sm_authenticate(122)] get user returned: olebakk
[pam_yubico.c:pam_sm_authenticate(132)] get password returned: (null)
[pam_yubico.c:pam_sm_authenticate(162)] conv returned: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[pam_yubico.c:pam_sm_authenticate(189)] libyubikey-client return value (0): Success
[pam_yubico.c:pam_sm_authenticate(210)] done. [Success]
[pam_yubico.c:pam_sm_setcred(221)] called.
[pam_yubico.c:pam_sm_setcred(246)] done. [Success]

Here is my FreeRadius log:

Code:

pam_pass: using pamauth string  for pam.conf lookup
pam_pass: function pam_authenticate FAILED for . Reason: Module is unknown
  modcall[authenticate]: module "pam" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.

FYI: libyubikey-client seems to work just fine.

Any ideas?

Statistics: Posted by olebakk — Fri Jul 11, 2008 12:00 pm