I am trying to get the Google Authenticator PAM module working with FreeRADIUS on RHEL 7.
I loosely followed this guide: http://www.supertechguy.com/help/security/freeradius-google-auth
I say loosely because the contents of the Google module seem to have changed recently, so I built it by running the following steps:
    sudo yum -y install freeradius freeradius-utils git gcc pam-devel qrencode qrencode-libs qrencode-devel git autoconf automake libtool freeradius-mysql
    git clone https://github.com/google/google-authenticator-libpam
    cd google-authenticator-libpam
    sudo ./bootstrap.sh
    ./configure
    make
    sudo make install
That all worked fine. I then set up the configuration files following the guide. My /etc/pam.d/radiusd file looks like this:
    #%PAM-1.0
    #auth       include     password-auth
    #account    required    pam_nologin.so
    #account    include     password-auth
    #password   include     password-auth
    #session    include     password-auth
    auth        requisite   pam_google_authenticator.so forward_pass
    #auth       required    pam_unix.so use_first_pass
    account     required    pam_permit.so
    session     required    pam_permit.so
Everything runs, but when I try to test it I get rejected every time. I ran radiusd -X and get the following output when trying to connect:
    Received Access-Request Id 168 from 127.0.0.1:48534 to 127.0.0.1:1812 length 77
    User-Name = 'username'
    User-Password = 'Password'
    NAS-IP-Address = 10.133.16.125
    NAS-Port = 18120
    Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
    (0) Received Access-Request packet from host 127.0.0.1 port 48534, id=168, length=77
    (0) User-Name = 'username'
    (0) User-Password = 'Password'
    (0) NAS-IP-Address = 10.133.16.125
    (0) NAS-Port = 18120
    (0) Message-Authenticator = 0x7ba3ce64279bce1f09a978dd7204ec3f
    (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
    (0) authorize {
    (0) filter_username filter_username {
    (0) if (!&User-Name)
    (0) if (!&User-Name) -> FALSE
    (0) if (&User-Name =~ / /)
    (0) if (&User-Name =~ / /) -> FALSE
    (0) if (&User-Name =~ /@.*@/ )
    (0) if (&User-Name =~ /@.*@/ ) -> FALSE
    (0) if (&User-Name =~ /\.\./ )
    (0) if (&User-Name =~ /\.\./ ) -> FALSE
    (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
    (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
    (0) if (&User-Name =~ /\.$/)
    (0) if (&User-Name =~ /\.$/) -> FALSE
    (0) if (&User-Name =~ /@\./)
    (0) if (&User-Name =~ /@\./) -> FALSE
    (0) } # filter_username filter_username = notfound
    (0) [preprocess] = ok
    (0) [chap] = noop
    (0) [mschap] = noop
    (0) [digest] = noop
    (0) suffix : Checking for suffix after "@"
    (0) suffix : No '@' in User-Name = "username", looking up realm NULL
    (0) suffix : No such realm "NULL"
    (0) [suffix] = noop
    (0) eap : No EAP-Message, not doing EAP
    (0) [eap] = noop
    (0) files : users: Matched entry DEFAULT at line 187
    (0) [files] = ok
    rlm_sql (sql): Reserved connection (4)
    (0) sql : User not found in any groups
    rlm_sql (sql): Released connection (4)
    rlm_sql (sql): Closing connection (0), from 1 unused connections
    rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 540 seconds
    rlm_sql (sql): You probably need to lower "min"
    rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 540 seconds
    rlm_sql (sql): You probably need to lower "min"
    rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 540 seconds
    rlm_sql (sql): You probably need to lower "min"
    (0) [sql] = notfound
    (0) [expiration] = noop
    (0) [logintime] = noop
    (0) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
    (0) WARNING: pap : Authentication will fail unless a "known good" password is available
    (0) [pap] = noop
    (0) } # authorize = ok
    (0) Found Auth-Type = PAM
    (0) # Executing group from file /etc/raddb/sites-enabled/default
    (0) authenticate {
    pam_pass: using pamauth string <radiusd> for pam.conf lookup
    pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown
    (0) [pam] = reject
    (0) } # authenticate = reject
    (0) Failed to authenticate the user
    (0) Using Post-Auth-Type Reject
    (0) # Executing group from file /etc/raddb/sites-enabled/default
    (0) Post-Auth-Type REJECT {
    (0) [sql] = noop
    (0) attr_filter.access_reject : EXPAND %{User-Name}
    (0) attr_filter.access_reject : --> username
    (0) attr_filter.access_reject : Matched entry DEFAULT at line 11
    (0) [attr_filter.access_reject] = updated
    (0) eap : Request didn't contain an EAP-Message, not inserting EAP-Failure
    (0) [eap] = noop
    (0) remove_reply_message_if_eap remove_reply_message_if_eap {
    (0) if (&reply:EAP-Message && &reply:Reply-Message)
    (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
    (0) else else {
    (0) [noop] = noop
    (0) } # else else = noop
    (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
    (0) } # Post-Auth-Type REJECT = updated
    (0) Delaying response for 1 seconds
    Waking up in 0.3 seconds.
    Waking up in 0.6 seconds.
    (0) Sending delayed response
    (0) Sending Access-Reject packet to host 127.0.0.1 port 48534, id=168, length=0
    Sending Access-Reject Id 168 from 127.0.0.1:1812 to 127.0.0.1:48534
    Waking up in 3.9 seconds.
    (0) Cleaning up request packet ID 168 with timestamp +540
    Ready to process requests
(Sorry for the long output.) The part that confuses me is:
    pam_pass: using pamauth string <radiusd> for pam.conf lookup
    pam_pass: function pam_authenticate FAILED for <username>. Reason: Module is unknown
If I search for the file I get:
    [ ~]$ sudo find / -name "pam_google_authenticator.so"
    /usr/local/lib/security/pam_google_authenticator.so
    /home//google-authenticator-libpam/.libs/pam_google_authenticator.so
    [ ~]$
I believe /usr/local/lib/security is the right place, but I can't say so with 100% certainty.
Does anyone have any ideas or suggestions for what I could look at, or am I missing something obvious?
Thanks.
I found a solution (or rather, someone pointed out the obvious).
Change the line in /etc/pam.d/radiusd from:
    auth requisite pam_google_authenticator.so forward_pass
to
    auth requisite /usr/local/lib/security/pam_google_authenticator.so forward_pass
It then finds the module and works correctly.
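The failure above is worth being able to spot without a full radiusd -X trace. "Module is unknown" is the text of PAM_MODULE_UNKNOWN, which libpam reports when a module named in the service stack cannot be loaded; a bare module name such as pam_google_authenticator.so is looked up only in the compiled-in module directory (on RHEL 7 x86_64 that is /lib64/security), so a build installed under the autotools default prefix /usr/local is never found unless the line uses the absolute path, as in the fix above. The script below is an added example, not code from the original post or from the google-authenticator-libpam project: it takes a pam.d service file and a list of module directories and prints every module reference that would not resolve. The sample tree and service files it builds under mktemp are constructed stand-ins for the distro module directory and for the /usr/local install location, so it runs offline; on a real host you would point it at /etc/pam.d/radiusd and /lib64/security.

```shell
#!/bin/sh
# Added example (not from the original post): find module references in a
# PAM service file that libpam would fail to load.

# Print, one per line, the module tokens in the service file $1 that do not
# resolve. Remaining arguments are the module directories a bare name is
# searched in (assumption: /lib64/security on RHEL 7 x86_64).
pam_unresolved_modules() {
    pamfile=$1; shift
    # pam.d files have the form "type control module-path [args]".
    # The control field may be a bracketed list like [success=1 default=ignore],
    # and "include"/"substack" name another service file, not a module.
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            i = 2
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /]$/) i++ }
            if ($2 == "include" || $2 == "substack") next
            if (i + 1 <= NF) print $(i + 1)
        }' "$pamfile" | while read -r mod; do
        case $mod in
            /*) [ -e "$mod" ] || echo "$mod" ;;            # absolute path: must exist
            *)  found=0                                     # bare name: search module dirs
                for moddir in "$@"; do
                    [ -e "$moddir/$mod" ] && { found=1; break; }
                done
                [ "$found" -eq 1 ] || echo "$mod"
                ;;
        esac
    done
}

# Build a constructed sample tree (not a real RHEL layout) and print its path.
# "$dir/security" stands in for the distro module directory and
# "$dir/local/security" for where "make install" put the module.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/security" "$dir/local/security"
    : > "$dir/security/pam_permit.so"
    : > "$dir/local/security/pam_google_authenticator.so"
    cat > "$dir/radiusd.broken" <<'EOF'
#%PAM-1.0
auth        requisite   pam_google_authenticator.so forward_pass
auth        [success=1 default=ignore] pam_permit.so
auth        include     password-auth
account     required    pam_permit.so
session     required    pam_permit.so
EOF
    # Same file with the absolute path, mirroring the fix in the answer above.
    sed "s#requisite   pam_google#requisite   $dir/local/security/pam_google#" \
        "$dir/radiusd.broken" > "$dir/radiusd.fixed"
    echo "$dir"
}

sample=$(make_sample_tree)
echo "unresolved in broken service file:"
pam_unresolved_modules "$sample/radiusd.broken" "$sample/security"
echo "unresolved in fixed service file:"
pam_unresolved_modules "$sample/radiusd.fixed" "$sample/security"
rm -rf "$sample"
```

Against the broken file the only line printed is pam_google_authenticator.so, which is exactly the module the pam_authenticate failure names; against the fixed file nothing is printed. The check deliberately ignores comment lines and include/substack entries so the commented-out password-auth lines in the posted /etc/pam.d/radiusd do not produce noise.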