FreeRADIUS authentication against Active Directory using MS-CHAP - freeradius

I'm trying to get authentication working using FreeRADIUS 3 with the MS-CHAP authentication protocol. I have set up my Active Directory, and it works:
$ ntlm_auth --request-nt-key --username=admin --password=Qwerty01 --domain=DOMAIN.LOCAL
NT_STATUS_OK: The operation completed successfully. (0x0)
However, I can't authenticate using radtest:
$ radtest -t mschap admin Qwerty01 localhost 0 testing123
Sent Access-Request Id 232 from 0.0.0.0:51847 to 127.0.0.1:1812 length 131
User-Name = "admin"
MS-CHAP-Password = "Qwerty01"
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
Message-Authenticator = 0x00
Cleartext-Password = "Qwerty01"
MS-CHAP-Challenge = 0x044d30abb8866f26
MS-CHAP-Response = 0x0001000000000000000000000000000000000000000000000000803c721e5b12ff86836a1873e1c0f62d18e2c054b83c940f
Received Access-Reject Id 232 from 127.0.0.1:1812 to 127.0.0.1:51847 length 61
MS-CHAP-Error = "\000E=691 R=1 C=f25227a7f4150df5 V=2"
(0) -: Expected Access-Accept got Access-Reject
Here are my FreeRADIUS logs:
...
(1) authenticate {
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: Executing: /bin/ntlm_auth --request-nt-key --allow-mschapv2 --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}:
(1) mschap: EXPAND --username=%{mschap:User-Name:-None}
(1) mschap: --> --username=admin
(1) mschap: ERROR: No NT-Domain was found in the User-Name
(1) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL}
(1) mschap: --> --domain=DOMAIN.LOCAL
(1) mschap: mschap1: 04
(1) mschap: EXPAND --challenge=%{mschap:Challenge:-00}
(1) mschap: --> --challenge=044d30abb8866f26
(1) mschap: EXPAND --nt-response=%{mschap:NT-Response:-00}
(1) mschap: --> --nt-response=803c721e5b12ff86836a1873e1c0f62d18e2c054b83c940f
(1) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(1) mschap: ERROR: Reading winbind reply failed! (0xc0000001)
(1) mschap: Authentication failed
...

If you haven't already done so, you will need to grant permission to the /var/lib/samba/winbindd_privileged folder for your radius user. Example:
setfacl -m u:radiusd:rx winbindd_privileged
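As an added example (my own code, not FreeRADIUS's and not the answerer's), the Python below decodes the MS-CHAP-Error string that radtest printed and scans the mschap lines of the radiusd -X output quoted in the question for the winbind failure that the answer above addresses. The sample debug lines are the question's own; the hint table, the NT_STATUS_NAMES lookup and the function names are this example's assumptions.

```python
"""Added example, not FreeRADIUS code: decode the MS-CHAP-Error radtest printed
and triage the mschap lines of a radiusd -X run. SAMPLE_DEBUG holds the lines
quoted in the question; the hint table is this example's own."""
import re

# RFC 2433 section 6 layout: "E=eeeeeeeeee R=r C=cccccccccccccccc V=vvvvvvvvvv [M=msg]".
# radtest prints the attribute's leading Ident octet as "\000" before the "E=".
MSCHAP_ERROR_RE = re.compile(
    r"E=(?P<E>\d+)\s+R=(?P<R>[01])\s+C=(?P<C>[0-9a-fA-F]+)\s+V=(?P<V>\d+)(?:\s+M=(?P<M>.*))?")

NT_STATUS_NAMES = {"0xc0000001": "NT_STATUS_UNSUCCESSFUL"}  # extend as needed

# First match wins, so the specific winbind message sits above the generic one.
HINTS = [
    (re.compile(r"Reading winbind reply failed"),
     "ntlm_auth got no usable reply from winbindd; the usual cause is that the "
     "radiusd user cannot enter /var/lib/samba/winbindd_privileged (fix: the "
     "setfacl from the answer)"),
    (re.compile(r"No NT-Domain was found in the User-Name"),
     "informational: no DOMAIN\\ prefix in User-Name, so the --domain default is used"),
    (re.compile(r"Program returned code \(\d+\)"),
     "ntlm_auth exited non-zero; the quoted output on the same line is the real reason"),
]


def parse_mschap_error(text):
    """E = error code (691 = authentication failure), R = whether the client
    may retry, C = the new challenge, V = protocol version (2 for MS-CHAPv1)."""
    m = MSCHAP_ERROR_RE.search(text)
    if not m:
        raise ValueError("not an MS-CHAP-Error string: %r" % text)
    return {"error": int(m["E"]), "retry_allowed": m["R"] == "1",
            "challenge": m["C"].lower(), "version": int(m["V"]), "message": m["M"]}


def triage(debug_lines):
    """Return (mschap message, hint, NT status name or None) for every mschap
    line that matches a known pattern."""
    findings = []
    for line in debug_lines:
        if "mschap: " not in line:
            continue
        message = line.split("mschap: ", 1)[1].strip()
        status = re.search(r"\((0x[0-9a-fA-F]{8})\)", message)
        status_name = NT_STATUS_NAMES.get(status.group(1).lower()) if status else None
        for pattern, hint in HINTS:
            if pattern.search(message):
                findings.append((message, hint, status_name))
                break
    return findings


# Lines quoted in the question (radiusd -X, request 1).
SAMPLE_DEBUG = """\
(1) mschap: Client is using MS-CHAPv1 with NT-Password
(1) mschap: EXPAND --username=%{mschap:User-Name:-None}
(1) mschap: --> --username=admin
(1) mschap: ERROR: No NT-Domain was found in the User-Name
(1) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-DOMAIN.LOCAL}
(1) mschap: --> --domain=DOMAIN.LOCAL
(1) mschap: ERROR: Program returned code (1) and output 'Reading winbind reply failed! (0xc0000001)'
(1) mschap: ERROR: Reading winbind reply failed! (0xc0000001)
(1) mschap: Authentication failed
""".splitlines()

if __name__ == "__main__":
    print(parse_mschap_error(r"\000E=691 R=1 C=f25227a7f4150df5 V=2"))
    for message, hint, status_name in triage(SAMPLE_DEBUG):
        print("-", message, "\n   ->", hint,
              "" if status_name is None else "(%s)" % status_name)
```

Run as-is it reports the three findings from the quoted log; to triage a real run, feed triage() the lines of radiusd -X. The "\000" radtest shows in front of "E=" is the attribute's Ident octet, which the regex skips over.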

Related

GnuPG v2 store: how to export the keys into secring.gpg and pubring.gpg files from the pubring.kbx file

I am trying to use the imported GPG keys in my workflow, but it seems I can never export the private keys out of this.
I am using the GitHub Action https://github.com/marketplace/actions/import-gpg to import the private key and passphrase (loaded via secrets), and per the output below I can see the keys were imported fine. I need to use this for signing my Helm chart.
Run crazy-max/ghaction-import-gpg#v5
with:
gpg_private_key: ***
passphrase: ***
git_user_signingkey: true
git_commit_gpgsign: true
git_config_global: false
git_tag_gpgsign: false
git_push_gpgsign: if-asked
workdir: .
GnuPG info
Version : 2.2.27 (libgcrypt 1.9.4)
Libdir : /usr/lib/x86_64-linux-gnu/gnupg
Libexecdir : /usr/lib/gunning
Datadir : /usr/share/gnupg
Homedir : /home/runner/.gnupg
GPG private key info
Fingerprint : xxxxxxxxxxxxxxxxxxxx
KeyID : xxxxxxxxxxxxxxxxxxxx
Name : bot
Email : bot#example.com
CreationTime : Thu Jan 12 2023 05:56:57 GMT+0000 (Coordinated Universal Time)
Fingerprint to use
xxxxxxxxxxxxxxxxxxxx
Importing GPG private key
gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: /home/runner/.gnupg/trustdb.gpg: trustdb created
gpg: key xxxxxxxxxxxxxxxxxxxx: public key "bot <bot#example.com>" imported
gpg: key xxxxxxxxxxxxxxxxxxxx: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
Configuring GnuPG agent
Getting keygrips
Presetting passphrase for xxxxxxxxxxxxxxxxxxxx
Setting outputs
fingerprint=xxxxxxxxxxxxxxxxxxxx
keyid= xxxxxxxxxxxxxxxxxxxx
name=bot
email=bot#example.com
Setting GPG signing keyID for this Git repository
I could verify the new-format file is there on the filesystem. In the next step I am trying to export these keys via these commands:
-rw-r--r-- 1 runner docker 70 Jan 18 00:50 gpg-agent.conf
drwx------ 2 runner docker 4096 Jan 18 00:50 private-keys-v1.d
-rw-r--r-- 1 runner docker 1347 Jan 18 00:50 pubring.kbx
-rw------- 1 runner docker 32 Jan 18 00:50 pubring.kbx~
-rw------- 1 runner docker 1200 Jan 18 00:50 trustdb.gpg
/home/runner/.gnupg/pubring.kbx
-------------------------------
sec rsa4096 2023-01-12 [SC] [expires: 2025-01-11]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
uid [ unknown] bot <bot#example.com>
Now I am trying to export these keys. I can generate pubring.gpg, but the moment I try to export the secret key it gives an error.
$ gpg --export >~/.gnupg/pubring.gpg -------------> Works
$ gpg --export-secret-keys >~/.gnupg/secring.gpg --------> Doesn't work
gpg: key xxxxxxxxxxxxxx: error receiving key from agent: No such file or directory - skipped
gpg: WARNING: nothing exported
Error: Process completed with exit code 2.
I can't understand why the secret key can't be exported out of the pubring.kbx file.
Any help is appreciated.

docker login failed using https proxy

I am trying to log in to a Docker repository using an HTTPS proxy,
and I am getting the error
proxyconnect tcp: tls: first record does not look like a TLS handshake
When inspecting the proxy:
openssl s_client -connect
CONNECTED(00000003)
139776809346960:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 289 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1646054120
Timeout : 300 (sec)
Verify return code: 0 (ok)
What can cause the issue?
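The question has no answer on this page, so as an added example (my own code, not the asker's) here is the distinction the error is about: Go's crypto/tls raises "first record does not look like a TLS handshake" when the first bytes it receives are not a TLS record, and the openssl s_client output above (unknown protocol after reading 7 bytes) says the proxy answered with something that is not TLS. The helper below classifies the first bytes a server sends and can probe a proxy port over plain TCP. The sample replies are constructed; the proxy host, port and the CONNECT target are placeholders.

```python
"""Added example, not from the question: classify the first bytes a proxy sends
back, which is the distinction behind Go's "tls: first record does not look like
a TLS handshake" error (the client expected a TLS record and got something
else). Sample replies are constructed; proxy host/port are placeholders."""
import socket

# TLS record content types (RFC 5246 section 6.2.1); the version field that
# follows is 0x03 0x00..0x04 for the SSLv3 to TLS 1.3 record layers.
TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}


def classify_first_record(data):
    """Return "tls", "http", "empty" or "unknown" for the first bytes received."""
    if not data:
        return "empty"
    if (len(data) >= 3 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        return "tls"
    if data[:5] == b"HTTP/":
        return "http"
    return "unknown"


def interpret(kind):
    """What each answer means for a client configured to speak TLS to the
    proxy, i.e. an https:// proxy URL."""
    return {
        "http": "the proxy speaks plaintext HTTP on this port; a client expecting "
                "TLS here reports exactly the 'first record' error above",
        "tls": "the port is a TLS listener, so an https:// proxy URL is right here",
        "empty": "the peer closed without sending anything (wrong port or filtered?)",
        "unknown": "neither HTTP nor TLS; check that this really is the proxy port",
    }[kind]


def probe_proxy(host, port, target="registry-1.docker.io:443", timeout=5.0):
    """Plain TCP probe: send an HTTP CONNECT and look at the first reply bytes.
    A plaintext proxy answers "HTTP/1.x ..."; a TLS listener answers with a TLS
    alert record or simply closes the connection."""
    request = "CONNECT {0} HTTP/1.1\r\nHost: {0}\r\n\r\n".format(target).encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        try:
            data = sock.recv(16)
        except socket.timeout:
            data = b""
    kind = classify_first_record(data)
    return kind, data


if __name__ == "__main__":
    import sys
    # Placeholder proxy; pass "host port" on the command line to probe a real one.
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("proxy.example", 3128)
    kind, first = probe_proxy(host, port)
    print(kind, first, "->", interpret(kind))
```

The probe deliberately speaks plaintext first: if the port answers "HTTP/1.x", the proxy is a plain HTTP proxy and a client that insists on TLS to it will fail exactly as in the question.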

FreeRADIUS issue - (0) No reply from server for ID 176 socket 3

Command: radtest test testing1234294106 127.0.0.1 18120 testing123
Below is the output I am getting:
Sent Access-Request Id 176 from 0.0.0.0:56553 to 127.0.0.1:1812 length 90
User-Name = "test"
User-Password = "testing1234294106"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18120
Message-Authenticator = 0x00
Cleartext-Password = "testing1234294106"
Sent Access-Request Id 176 from 0.0.0.0:56553 to 127.0.0.1:1812 length 90
User-Name = "test"
User-Password = "testing1234294106"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18120
Message-Authenticator = 0x00
Cleartext-Password = "testing1234294106"
Sent Access-Request Id 176 from 0.0.0.0:56553 to 127.0.0.1:1812 length 90
User-Name = "test"
User-Password = "testing1234294106"
NAS-IP-Address = 127.0.1.1
NAS-Port = 18120
Message-Authenticator = 0x00
Cleartext-Password = "testing1234294106"
(0) No reply from server for ID 176 socket 3
"No reply" is frustrating. So here are general steps to diagnose a "No reply" situation. At the end of this post, I point out the solution to the OP's original question.
Diagnosis Steps
If you get "No reply" from radtest, the first step is to check the output of radiusd (which you need to have running in debug mode with the command radiusd -X).
This will help you diagnose whether the request is being ignored or if the request isn't even making it to radiusd.
Radiusd Ignoring Request
In radiusd, if you see a message telling you that the request was "Ignored", read the reason for it being ignored and resolve the problem.
Radiusd With No Output
Alternatively, if radiusd -X doesn't show any output after attempting to connect, then most likely your request isn't even making it to the radiusd listener. This could happen if you're specifying an invalid IP address or port, if a firewall is blocking the request, or if there's a routing problem.
NOTE: I noticed that some default configurations run the radius server auth port on 18120 instead of 1812. Double check the listener port number by checking the output of radiusd -X. The very end of the output should say "Listening for connections on..." followed by the IP Address and Port.
Solution to OP's problem
The OP's radtest command is incorrectly formatted. It says
radtest test testing1234294106 127.0.0.1 18120 testing123
The correct format is:
radtest test testing1234294106 127.0.0.1:18120 0 testing123
You can check this by running 'radtest --help'. The format for the IP/port portion is "ip:port nas-port". In this case the nas-port can be 0.
You can also see that, since the port wasn't specified, the resulting request goes out on the default port 1812 (when it should have been 18120):
Sent Access-Request Id 176 from 0.0.0.0:56553 to 127.0.0.1:1812
I don't know why the out-of-box configuration for FreeRADIUS uses 18120 for testing. But I think this throws a lot of people off, especially since radtest syntax normally reads: ip:18120 0 (note the separated 0s).

Fail2ban - creating a second sshd jail for a docker-container log does not work

I have a Linux box on Ubuntu 18.04.3 and have a working fail2ban configuration (like on all my hosts).
In this case I set up a docker container which acts as an SFTP server for several users. The docker container has a running rsyslogd and writes login events to /var/log/auth.log; /var/log is mounted on the host system at /myapp/log/sftp.
So I created a second sshd jail with this config snippet in jail.local:
[myapp-sftp]
filter=sshd
enabled = true
findtime = 1200
maxretry = 2
mode = aggressive
backend = polling
logpath=/myapp/log/sftp/auth.log
The logfile /myapp/log/sftp/auth.log is definitely there and filled with a lot of failed login tries, from myself and others.
But the jail never gets triggered with a "Found" log entry in fail2ban.log.
I already reset the fail2ban database ... and have no clue what might be wrong.
I tried backend = polling and the default pyinotify.
Checking with fail2ban-regex says that it matches:
# fail2ban-regex /myapp/log/sftp/auth.log /etc/fail2ban/filter.d/sshd.conf
Running tests
=============
Use failregex filter file : sshd, basedir: /etc/fail2ban
Use maxlines : 1
Use datepattern : Default Detectors
Use log file : /myapp/log/sftp/auth.log
Use encoding : UTF-8
Results
=======
Failregex: 268 total
|- #) [# of hits] regular expression
| 3) [64] ^Failed \S+ for invalid user <F-USER>(?P<cond_user>\S+)|(?:(?! from ).)*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 4) [29] ^Failed \b(?!publickey)\S+ for (?P<cond_inv>invalid user )?<F-USER>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?(?: ssh\d*)?(?(cond_user): |(?:(?:(?! from ).)*)$)
| 6) [64] ^[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>(?: port \d+)?(?: on \S+(?: port \d+)?)?\s*$
| 21) [111] ^<F-NOFAIL>Connection from</F-NOFAIL> <HOST>
`-
Ignoreregex: 0 total
Date template hits:
|- [# of hits] date format
| [642] {^LN-BEG}(?:DAY )?MON Day %k:Minute:Second(?:\.Microseconds)?(?: ExYear)?
`-
Lines: 642 lines, 0 ignored, 268 matched, 374 missed
[processed in 0.13 sec]
Missed line(s): too many to print. Use --print-all-missed to print all 374 lines
and
# fail2ban-client status myapp-sftp
Status for the jail: myapp-sftp
|- Filter
| |- Currently failed: 0
| |- Total failed: 0
| `- File list: /myapp/log/sftp/auth.log
`- Actions
|- Currently banned: 0
|- Total banned: 0
`- Banned IP list:
# cat /var/log/fail2ban.log | grep myapp
2019-08-21 10:35:33,647 fail2ban.jail [649]: INFO Creating new jail 'wippex-sftp'
2019-08-21 10:35:33,647 fail2ban.jail [649]: INFO Jail 'myapp-sftp' uses pyinotify {}
2019-08-21 10:35:33,664 fail2ban.server [649]: INFO Jail myapp-sftp is not a JournalFilter instance
2019-08-21 10:35:33,665 fail2ban.filter [649]: INFO Added logfile: '/wippex/log/sftp.log' (pos = 0, hash = 287d8cc2e307c5f427aa87c4c649ced889d6bf6a)
2019-08-21 10:35:33,689 fail2ban.jail [649]: INFO Jail 'myapp-sftp' started
I really never get an expected found entry... nor a ban.
Any ideas are welcome.
# fail2ban-server -V
Fail2Ban v0.10.2
Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Log sample from /myapp/log/sftp/auth.log:
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Failed password for invalid user mapp from 95.85.16.178 port 41766 ssh2
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Received disconnect from 95.85.16.178 port 41766:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 14:03:13 a9ede63166d9 sshd[202]: Disconnected from 95.85.16.178 port 41766 [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Connection from 95.85.16.178 port 34722 on 172.17.0.3 port 22
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Invalid user mapp from 95.85.16.178 port 34722
Aug 21 14:03:49 a9ede63166d9 sshd[204]: input_userauth_request: invalid user mapp [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: error: Could not get shadow information for NOUSER
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Failed password for invalid user mapp from 95.85.16.178 port 34722 ssh2
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Received disconnect from 95.85.16.178 port 34722:11: Normal Shutdown, Thank you for playing [preauth]
Aug 21 14:03:49 a9ede63166d9 sshd[204]: Disconnected from 95.85.16.178 port 34722 [preauth]
Problem is "solved". The docker container simply used a different timezone than the host, and the logfile timestamps didn't contain the timezone.
So fail2ban assumed the timestamps were written in the same timezone as its running environment (on the host) and didn't interpret "old" log entries (2 h difference).
See https://github.com/fail2ban/fail2ban/issues/2486
I simply set the host timezone to UTC now, but will now try to set rsyncd to use a timezone-aware date format.
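As an added example (my own code, not fail2ban's and not the poster's), the Python below walks through the failure described in the answer: a legacy syslog timestamp carries no timezone, so fail2ban reads it in the host's zone, and a line the container wrote 47 seconds ago looks two hours old to a host running at UTC+2, which is outside findtime = 1200. LEGACY_LINE is one of the lines quoted above; RFC3339_LINE is the same event with the self-describing timestamp that rsyslog's RSYSLOG_FileFormat template writes; NOW and HOST_TZ are constructed for the walk-through, and the function names are this example's own.

```python
"""Added example, not fail2ban code: why a syslog timestamp without a timezone,
written by a container in another zone, makes fail2ban treat a fresh failure as
too old to count. LEGACY_LINE is a line quoted in the question; RFC3339_LINE is
the same event with the timestamp rsyslog's RSYSLOG_FileFormat template would
write; NOW and HOST_TZ are constructed for the walk-through."""
import re
from datetime import datetime, timedelta, timezone

FINDTIME = 1200  # seconds, from the jail.local in the question
UTC = timezone.utc

LEGACY_LINE = ("Aug 21 14:03:13 a9ede63166d9 sshd[202]: Failed password for "
               "invalid user mapp from 95.85.16.178 port 41766 ssh2")
RFC3339_LINE = ("2019-08-21T14:03:13.000000+00:00 a9ede63166d9 sshd[202]: Failed "
                "password for invalid user mapp from 95.85.16.178 port 41766 ssh2")

# Constructed scenario: the container's clock is UTC, the host runs at UTC+2,
# and fail2ban reads the line 47 seconds after it was written.
NOW = datetime(2019, 8, 21, 14, 4, 0, tzinfo=UTC)
HOST_TZ = timezone(timedelta(hours=2))

LEGACY_RE = re.compile(r"^(?P<stamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) ")
RFC3339_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{3}|\.\d{6})?[+-]\d\d:\d\d) ")


def parse_timestamp(line, year, reader_tz):
    """Aware datetime for a log line. A legacy "Mon DD hh:mm:ss" stamp carries
    neither year nor offset, so the reader supplies both (fail2ban uses the
    host's local zone). An RFC 3339 stamp is self-describing."""
    m = RFC3339_RE.match(line)
    if m:
        return datetime.fromisoformat(m["stamp"])
    m = LEGACY_RE.match(line)
    if m:
        naive = datetime.strptime("%d %s" % (year, m["stamp"]), "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=reader_tz)
    raise ValueError("unrecognised timestamp: " + line[:32])


def age_seconds(line, now, year, reader_tz):
    """How old the reader believes the event is, in seconds."""
    return (now - parse_timestamp(line, year, reader_tz)).total_seconds()


def would_count(line, now, year, reader_tz, findtime=FINDTIME):
    """fail2ban only counts failures that fall inside the findtime window."""
    return 0 <= age_seconds(line, now, year, reader_tz) <= findtime


if __name__ == "__main__":
    for label, line, tz in (("legacy stamp, host at UTC+2", LEGACY_LINE, HOST_TZ),
                            ("legacy stamp, host at UTC", LEGACY_LINE, UTC),
                            ("RFC 3339 stamp, host at UTC+2", RFC3339_LINE, HOST_TZ)):
        print("%-30s age=%6.0fs counted=%s" % (
            label, age_seconds(line, NOW, 2019, tz), would_count(line, NOW, 2019, tz)))
```

The first scenario is the poster's: the event is 47 seconds old, but read in the host's zone it appears 7247 seconds old and is never counted. Setting the host to UTC (second scenario) or writing timestamps with an offset (third) both make the age come out right.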

Squid radius authentication "No response from RADIUS server"

I have successfully configured FreeRADIUS with MySQL.
I can radtest using the command:
sudo radtest alice password 192.168.2.3 1812 testing123
Sending Access-Request of id 187 to 192.168.2.3 port 1812
User-Name = "alice"
User-Password = "password"
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.2.3 port 1812, id=187, length=20
Now I am trying Squid with RADIUS authentication.
I followed the steps from:
http://safesrv.net/setup-squid-and-freeradius-on-centos-5/#comment-1043
But I got this error message in cache.log:
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
Warning: Received invalid reply digest from server
squid_rad_auth: No response from RADIUS server
In the radiusd -X debug output there is an error message like below:
Sending duplicate reply to client localprivate port 42003 – ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 192.168.2.3 port 42003, id=2, length=63
Sending duplicate reply to client localprivate port 42003 – ID: 2
Sending Access-Reject of id 2 to 192.168.2.3 port 42003
Waking up in 0.9 seconds.
Found Auth-Type = PAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group PAP {…}
[pap] login attempt with password “b9?I? +�(�Ч�Y�?”
[pap] Using clear text password “password”
[pap] Passwords don’t match
++[pap] returns reject
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type REJECT
What is that error? How can I solve this?
Thanks
Snoop your generated Access-Request and try to decode the encrypted password using your shared secret with Wireshark. It looks like your test client doesn't encode the password correctly.
Make sure testing123 is correctly configured on the server side.
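As an added example (my own code, not radtest's, FreeRADIUS's or Squid's), the Python below implements the two places where the RADIUS shared secret is used, which explains both the Squid symptoms above and the "ip:port" point in the "No reply" answer earlier on this page: User-Password hiding (RFC 2865 section 5.2) and the Response Authenticator. A server that holds a different secret than the client unmasks the password into bytes that are not printable (the "[pap] login attempt with password" line and the "Unprintable characters in the password" warning), and the client then cannot validate the reply digest ("Received invalid reply digest from server"), retransmits, and the server logs "Sending duplicate reply". parse_server shows how radtest reads a "host[:port]" argument. The secrets, identifiers and the fixed Request Authenticator used in the test are constructed; the function names are this example's own.

```python
"""RFC 2865 shared-secret mechanics, added here as an example; it is not radtest,
FreeRADIUS or Squid code. Secrets, identifiers and the Request Authenticator
passed in below are constructed for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def parse_server(spec, default_port=1812):
    """radtest takes "host[:port]" as one argument (IPv4 hosts here); an
    omitted port means 1812, and a separate "port" word becomes NAS-Port."""
    host, sep, port = spec.rpartition(":")
    return (host, int(port)) if sep else (spec, default_port)


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password. With a different secret every block comes out
    as noise, which the server then logs as an unprintable password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(packet):
    """{attribute type: value} for everything after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(ident, username, password, secret,
                         nas_ip="127.0.1.1", nas_port=0, request_auth=None):
    """Client side: an Access-Request like the ones radtest prints above."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_reply(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_reply(reply, request_auth, secret):
    """Client side: the check behind "Received invalid reply digest from server"."""
    header, auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def server_check(request, secret, expected_user, expected_password):
    """A PAP server: reveal the password with its own secret and compare it.
    Returns the reply packet and whether the revealed password was printable."""
    attrs, ident, request_auth = parse_attributes(request), request[1], request[4:20]
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    printable = all(0x20 <= b < 0x7F for b in password)
    ok = (attrs.get(USER_NAME) == expected_user.encode()
          and hmac.compare_digest(password, expected_password.encode()))
    return build_reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, secret), printable


if __name__ == "__main__":
    client_secret = b"testing123"
    request = build_access_request(187, "alice", "password", client_secret)
    for server_secret in (b"testing123", b"something-else"):
        reply, printable = server_check(request, server_secret, "alice", "password")
        print("server secret %r: code=%d printable=%s client digest ok=%s"
              % (server_secret, reply[0], printable, verify_reply(reply, request[4:20], client_secret)))
```

Running it prints an Access-Accept with a valid digest when both sides hold testing123, and an Access-Reject, an unprintable password and a failed digest check when the server's secret differs: the same three symptoms as in the question, which is why the answer points at the shared secret rather than at the user's password.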
