Estou tentando implementar o módulo PAM do Google authenticator no FreeRADIUS no RHEL7.
Eu segui este guia: link
A razão pela qual eu digo vagamente é que as coisas parecem ter mudado com o módulo do google recentemente, então eu o construí, realizando:
sudo yum -y install freeradius freeradius-utils git gcc pam-devel qrencode qrencode-libs qrencode-devel git autoconf automake libtool freeradius-mysql
git clone https://github.com/google/google-authenticator-libpam
Cd google-authenticator-libpam
sudo ./bootstrap.sh
./configure
make
sudo make install
Isso tudo funcionou bem. Eu configurei os arquivos de configuração usando o guia. Meu arquivo /etc/pam.d/radiusd tem esta aparência:
#%PAM-1.0
#auth include password-auth
#account required pam_nologin.so
#account include password-auth
#password include password-auth
#session include password-auth
auth requisite pam_google_authenticator.so forward_pass
#auth required pam_unix.so use_first_pass
account required pam_permit.so
session required pam_permit.so
Tudo corre bem, mas quando tento testá-lo, sou rejeitado toda vez. Eu corri radiusd -X e recebo a seguinte saída ao tentar se conectar:
Received Access-Request Id 168 from 127.0.0.1:48534 to 127.0.0.1:1812 length 77
User-Name = 'username'
User-Password = 'Password'
NAS-IP-Address = 10.133.16.125
NAS-Port = 18120
Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
(0) Received Access-Request packet from host 127.0.0.1 port 48534, id=168, length=77
(0) User-Name = 'username'
(0) User-Password = 'Password'
(0) NAS-IP-Address = 10.133.16.125
(0) NAS-Port = 18120
(0) Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ )
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/)
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./)
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : No '@' in User-Name = "username", looking up realm NULL
(0) suffix : No such realm "NULL"
(0) [suffix] = noop
(0) eap : No EAP-Message, not doing EAP
(0) [eap] = noop
(0) files : users: Matched entry DEFAULT at line 187
(0) [files] = ok
rlm_sql (sql): Reserved connection (4)
(0) sql : User not found in any groups
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Closing connection (0), from 1 unused connections
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
(0) [sql] = notfound
(0) [expiration] = noop
(0) [logintime] = noop
(0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(0) WARNING: pap : Authentication will fail unless a "known good" password is available
(0) [pap] = noop
(0) } # authorize = ok
(0) Found Auth-Type = PAM
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown
(0) [pam] = reject
(0) } # authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Post-Auth-Type REJECT {
(0) [sql] = noop
(0) attr_filter.access_reject : EXPAND %{User-Name}
(0) attr_filter.access_reject : --> username
(0) attr_filter.access_reject : Matched entry DEFAULT at line 11
(0) [attr_filter.access_reject] = updated
(0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0) [eap] = noop
(0) remove_reply_message_if_eap remove_reply_message_if_eap {
(0) if (&reply:EAP-Message && &reply:Reply-Message)
(0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(0) else else {
(0) [noop] = noop
(0) } # else else = noop
(0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0) } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 48534, id=168, length=0
Sending Access-Reject Id 168 from 127.0.0.1:1812 to 127.0.0.1:48534
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 168 with timestamp +540
Ready to process requests
(desculpe sobre a saída longa). As linhas que me confundem são:
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown
Se eu pesquisar o arquivo, retornarei:
[ ~]$ sudo find / -name "pam_google_authenticator.so"
/usr/local/lib/security/pam_google_authenticator.so
/home//google-authenticator-libpam/.libs/pam_google_authenticator.so
[ ~]$
e acredito que / usr / local / lib / security é o lugar certo, mas não posso comentar 100% sobre isso.
Alguém tem alguma idéia ou conselho onde eu possa procurar ou se eu estiver perdendo algo óbvio?
Obrigado.
Eu encontrei uma solução (ou melhor, alguém apontou o óbvio)
Alterou a linha em /etc/pam.d/radiusd de:
auth requisite pam_google_authenticator.so forward_pass
para
auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
Isso, então, encontrou o módulo e funcionou corretamente.