Google Authenticator with FreeRADIUS

I am trying to get the Google Authenticator PAM module working with FreeRADIUS on RHEL7.

I roughly followed this guide: http://www.supertechguy.com/help/security/freeradius-google-auth

I say "roughly" because the Google module seems to have changed a bit recently, so I built it by doing the following:

sudo yum -y install freeradius freeradius-utils git gcc pam-devel qrencode qrencode-libs qrencode-devel git autoconf automake libtool freeradius-mysql
git clone https://github.com/google/google-authenticator-libpam
cd google-authenticator-libpam
sudo ./bootstrap.sh
./configure
make
sudo make install

All of that worked fine. I then set up the configuration files using the guide. My /etc/pam.d/radiusd file looks like this:

#%PAM-1.0
#auth       include     password-auth
#account    required    pam_nologin.so
#account    include     password-auth
#password   include     password-auth
#session    include     password-auth
auth requisite pam_google_authenticator.so forward_pass
#auth required pam_unix.so use_first_pass
account required pam_permit.so
session required pam_permit.so

Everything runs, but every time I try to test I get rejected. I ran radiusd -X and got the following output when attempting to connect:

Received Access-Request Id 168 from 127.0.0.1:48534 to 127.0.0.1:1812 length 77
    User-Name = 'username'
    User-Password = 'Password'
    NAS-IP-Address = 10.133.16.125
    NAS-Port = 18120
    Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
(0) Received Access-Request packet from host 127.0.0.1 port 48534, id=168, length=77
(0)     User-Name = 'username'
(0)     User-Password = 'Password'
(0)     NAS-IP-Address = 10.133.16.125
(0)     NAS-Port = 18120
(0)     Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (!&User-Name)
(0)     if (!&User-Name)  -> FALSE
(0)     if (&User-Name =~ / /)
(0)     if (&User-Name =~ / /)  -> FALSE
(0)     if (&User-Name =~ /@.*@/ )
(0)     if (&User-Name =~ /@.*@/ )  -> FALSE
(0)     if (&User-Name =~ /\\.\\./ )
(0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (&User-Name =~ /\\.$/)
(0)     if (&User-Name =~ /\\.$/)   -> FALSE
(0)     if (&User-Name =~ /@\\./)
(0)     if (&User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "username", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  eap : No EAP-Message, not doing EAP
(0)   [eap] = noop
(0)  files : users: Matched entry DEFAULT at line 187
(0)   [files] = ok
rlm_sql (sql): Reserved connection (4)
(0)  sql : User not found in any groups
rlm_sql (sql): Released connection (4)
rlm_sql (sql): Closing connection (0), from 1 unused connections
rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 540 seconds
rlm_sql (sql): You probably need to lower "min"
(0)   [sql] = notfound
(0)   [expiration] = noop
(0)   [logintime] = noop
(0)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(0)  WARNING: pap : Authentication will fail unless a "known good" password is available
(0)   [pap] = noop
(0)  } #  authorize = ok
(0) Found Auth-Type = PAM
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown
(0)   [pam] = reject
(0)  } #  authenticate = reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)  Post-Auth-Type REJECT {
(0)   [sql] = noop
(0)  attr_filter.access_reject : EXPAND %{User-Name}
(0)  attr_filter.access_reject :    --> username
(0)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(0)   [attr_filter.access_reject] = updated
(0)  eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
(0)   [eap] = noop
(0)   remove_reply_message_if_eap remove_reply_message_if_eap {
(0)     if (&reply:EAP-Message && &reply:Reply-Message)
(0)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)    else else {
(0)     [noop] = noop
(0)    } # else else = noop
(0)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(0)  } # Post-Auth-Type REJECT = updated
(0) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(0) Sending delayed response
(0) Sending Access-Reject packet to host 127.0.0.1 port 48534, id=168, length=0
Sending Access-Reject Id 168 from 127.0.0.1:1812 to 127.0.0.1:48534
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 168 with timestamp +540
Ready to process requests

(Sorry for the long output.) What confuses me is this part:

pam_pass: using pamauth string <radiusd> for pam.conf lookup
pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown 

If I search for the file, I get:

[ ~]$ sudo find / -name "pam_google_authenticator.so"
/usr/local/lib/security/pam_google_authenticator.so
/home//google-authenticator-libpam/.libs/pam_google_authenticator.so
[ ~]$

I believe /usr/local/lib/security is the correct location, but I can't say so with 100% certainty.

Does anyone have ideas or suggestions on what I should look at next, or whether I'm missing something obvious?

Thanks.

Answer 1

I found a solution (or rather, someone pointed out the obvious).

Change the line in /etc/pam.d/radiusd from:

auth requisite pam_google_authenticator.so forward_pass

to:

auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass

After that it finds the module and works as expected.
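
Added example, not part of the question or the answer above: a small POSIX shell checker that resolves every module named in a PAM service file the way libpam does (an absolute token is loaded as given; a bare name such as pam_google_authenticator.so is looked up only in the distribution's module directory), so a "Module is unknown" reject can be caught before radiusd is restarted. The default search list in PAM_DIRS is an assumption for an x86_64 RHEL7-style layout, and the fixture the script builds (a temp tree with a stub pam_permit.so in the distro directory, the Google module only under usr/local, and "before" and "after" copies of the radiusd service file) is constructed sample data, not taken from a real system.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: resolve the modules named in a
# PAM service file the way libpam does, so "Module is unknown" is found before
# restarting radiusd. PAM_DIRS is an assumption for an x86_64 RHEL7-style layout.
PAM_DIRS="${PAM_DIRS:-/lib64/security /usr/lib64/security /lib/security}"

# resolve_pam_module TOKEN: print the file libpam would load, or return 1.
# An absolute token is used verbatim; a bare name is searched in PAM_DIRS only,
# which is why a module installed under /usr/local is "unknown" by bare name.
resolve_pam_module() {
    case "$1" in
        /*) [ -f "$1" ] && printf '%s\n' "$1" && return 0; return 1 ;;
    esac
    for d in $PAM_DIRS; do
        [ -f "$d/$1" ] && printf '%s\n' "$d/$1" && return 0
    done
    return 1
}

# check_pam_service FILE: print "ok PATH" or "UNKNOWN TOKEN" per module line and
# return the number of unresolved modules. Comments, blank lines, include/substack
# directives and bracketed [...] control fields are handled.
check_pam_service() {
    file=$1
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f       # split fields without glob expansion
        [ $# -ge 3 ] || continue
        case "$1" in \#*) continue ;; esac
        shift                              # drop type: auth/account/password/session
        case "$1" in
            include|substack) continue ;;  # names another service file, not a module
            \[*) while [ $# -gt 0 ]; do    # consume "[success=ok default=bad]"
                     case "$1" in *\]) shift; break ;; *) shift ;; esac
                 done ;;
            *) shift ;;
        esac
        [ $# -ge 1 ] || continue
        if path=$(resolve_pam_module "$1"); then
            printf 'ok      %s\n' "$path"
        else
            printf 'UNKNOWN %s\n' "$1"
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# build_fixture: create a throwaway tree mirroring the post (constructed sample,
# not a real system): pam_permit.so in the distro directory, the Google module only
# under usr/local, and the service file before and after the fix. Prints the root.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/lib64/security" "$root/usr/local/lib/security"
    : > "$root/lib64/security/pam_permit.so"
    : > "$root/usr/local/lib/security/pam_google_authenticator.so"
    cat > "$root/radiusd.before" <<EOF
#%PAM-1.0
auth requisite pam_google_authenticator.so forward_pass
account required pam_permit.so
session required pam_permit.so
EOF
    cat > "$root/radiusd.after" <<EOF
#%PAM-1.0
auth requisite $root/usr/local/lib/security/pam_google_authenticator.so forward_pass
account required pam_permit.so
session required pam_permit.so
EOF
    printf '%s\n' "$root"
}

# Walk-through on the constructed fixture; touches only a temp directory.
root=$(build_fixture)
PAM_DIRS="$root/lib64/security"
echo "== before the fix (bare module name) =="
check_pam_service "$root/radiusd.before" || echo "unresolved modules: $?"
echo "== after the fix (absolute path) =="
check_pam_service "$root/radiusd.after" || echo "unresolved modules: $?"
rm -rf "$root"
```

On a real host, drop the walk-through at the bottom, leave PAM_DIRS at its default and point check_pam_service at /etc/pam.d/radiusd; a non-zero return is the same condition radiusd reports as "Module is unknown". Because radiusd loads the module as root, a module that lives outside the distribution directory should be root-owned and neither group- nor world-writable, so an `ls -l` of the resolved path belongs next to the path fix.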