Log in problems when combining ssh-keys for local user and radius for other users.

Posted: Mon Jun 06, 2016 7:12 am
by n1els
We have a bunch (~100+) mikrotik routers in various external places with our clients that we are monitoring from our NOC.
Our NOC uses one WAN ip address to connect to these clients.
I have a RADIUS setup for the personal accounts of the NOC staff, but I am also running RANCID (configuration backup / diff service) that connects to all mikrotiks over ssh using a local account that exists on every mikrotik and is connected to a ssh certificate for passwordless login.

All this communication goes over 1 external IP address, so the source of all this traffic from the mikrotik's perspective is the same.

Radius authentication is configured like this (taken from export command):
add address= comment="Radius login" secret=TheRadiusSecret service=login
/user aaa set default-group=full use-radius=yes
The address is my fictitious public IP address; the real one is of course valid.

Then I have configured a local user for rancid like this:
[n1els@clientXYZ] /user> export verbose
# jun/06/2016 04:01:58 by RouterOS 6.33.5
# software id = ABCDEF
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=default
add address="" comment="system default user" disabled=no group=full name=admin
add address="" comment="config backup user" disabled=no group=full name=rancid
/user aaa
set accounting=yes default-group=full exclude-groups="" interim-update=0s use-radius=yes
I have imported my from my linux box that runs rancid and connected it to the rancid user:
[n1els@clientXYZ] /user> ssh-keys print detail
Flags: R - RSA, D - DSA
 0 D user=rancid bits=1024 key-owner="rancid@linuxbox"
[n1els@clientXYZ] /user>
So rancid works fine, and I can also log in to winbox using my radius password which is all nice. But now I have discovered that I can log in using ssh without password with any valid radius account.

So if I try to run
ssh doesnotexist@clientXYZ
I am asked for a password, but if I use an existing radius account name like my own I am accepted without ever having to type my password.

Maybe I'm doing something wrong, but this should not be the case. The only user that should be allowed passwordless entry should be the local user, and only upon successful ssh/DSA certificate match, and not for any of the radius accounts. I don't even have to be on the same linux box to do this now.
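The post above shows the privilege side of this setup: the RADIUS default group and both local accounts (admin and the key-only rancid account) are in the `full` group, and neither local account is restricted by source address. The following script is an added example, not code from the poster or from MikroTik. It parses a RouterOS `/user export verbose` and `ssh-keys print detail` listing (the sample below is constructed from the output quoted in the post, with the `/user` section header that a full export prints) and reports where a key-only automation account or the RADIUS default group carries more rights than a backup job needs. It does not detect the RADIUS server accepting wrong passwords; that has to be verified on the RADIUS side.

```python
import shlex

# Constructed sample, taken from the export quoted in the post (section header
# "/user" added, as a real "export verbose" prints it before the "add" lines).
EXPORT = """\
# jun/06/2016 04:01:58 by RouterOS 6.33.5
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=default
/user
add address="" comment="system default user" disabled=no group=full name=admin
add address="" comment="config backup user" disabled=no group=full name=rancid
/user aaa
set accounting=yes default-group=full exclude-groups="" interim-update=0s use-radius=yes
"""

# Constructed sample of "/user ssh-keys print detail" from the post.
SSH_KEYS = """\
Flags: R - RSA, D - DSA
 0 D user=rancid bits=1024 key-owner="rancid@linuxbox"
"""


def parse_export(text):
    """Yield (section, verb, {key: value}) for each command line of an export."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, *args = shlex.split(line)      # shlex handles quoted values with spaces
        kv = dict(tok.split("=", 1) for tok in args if "=" in tok)
        yield section, verb, kv


def parse_ssh_keys(text):
    """Return {username: key-owner} from 'ssh-keys print detail' output."""
    keyed = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Flags:"):
            continue
        kv = dict(tok.split("=", 1) for tok in shlex.split(raw) if "=" in tok)
        if "user" in kv:
            keyed[kv["user"]] = kv.get("key-owner", "")
    return keyed


def audit(export_text, sshkeys_text):
    """Return a sorted list of findings about privilege and source restrictions."""
    groups, users, aaa = {}, [], {}
    for section, verb, kv in parse_export(export_text):
        if section == "/user group" and verb == "set" and "policy" in kv:
            # Policies prefixed with "!" are explicitly denied; keep only grants.
            groups[kv["name"]] = {p for p in kv["policy"].split(",") if not p.startswith("!")}
        elif section == "/user" and verb == "add" and "name" in kv:
            users.append(kv)
        elif section == "/user aaa" and verb == "set":
            aaa = kv
    keyed = parse_ssh_keys(sshkeys_text)
    findings = []

    # Every RADIUS-authenticated account inherits the default group's rights.
    if aaa.get("use-radius") == "yes":
        grp = aaa.get("default-group", "")
        if {"write", "policy"} & groups.get(grp, set()):
            findings.append(f"radius-default-group-privileged:{grp}")

    for u in users:
        name, rights = u["name"], groups.get(u.get("group", ""), set())
        if u.get("disabled") == "yes":
            continue
        if u.get("address", "") == "":
            findings.append(f"unrestricted-source:{name}")     # any source IP may log in
        if name in keyed and "policy" in rights:
            findings.append(f"keyed-account-can-edit-policy:{name}")  # backup job can edit users

    known = {u["name"] for u in users}
    findings.extend(f"key-for-unknown-user:{n}" for n in keyed if n not in known)
    return sorted(findings)


if __name__ == "__main__":
    for f in audit(EXPORT, SSH_KEYS):
        print(f)
```

On the sample this reports that the RADIUS default group is privileged, that both local accounts accept logins from any address, and that the key-only rancid account can edit users and policy. A backup-only account needs `read` (plus `sensitive` if the export must include secrets) and an `address=` limited to the NOC's WAN address; the same `address=` restriction applies to the admin account.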

Re: Log in problems when combining ssh-keys for local user and radius for other users.

Posted: Tue Jun 07, 2016 5:20 am
by n1els
Thanks for approving the topic, but it seems to be a problem with my freeradius and not with Mikrotik / routerOS
(discovered this while waiting for approval)

So this topic seems to be out of place here. If the mods feel that it's appropriate to close that's fine... I somehow managed to mess up freeradius in such a way that it does validate if I have a valid user account, but doesn't care if the password is correct.