pam_radius fail open?

From: Sean P. Malone (
Date: 08/20/05

    Date: Fri, 19 Aug 2005 17:15:11 -0500
    To: FreeBSD Security <>

    Okay, I guess I'll be the first to take Colin Percival up in that the
    following statement applies to me:

    "If you find a security problem -- or even if you find something which
    might possibly be a security problem but you're not certain if it is or
    not -- then please let us know."

    I recently installed pam_radius according to the instructions located at
    the following address:

    The instructions were very helpful.

    However, I'm not sure if I've mistakenly stumbled onto a fail open
    situation in that I'm fairly new to FreeBSD. Namely, while configuring
    /etc/pam.conf to validate SSH login credentials via radius against our
    existing Active Directory, I mistakenly typed the line for ssh as follows:

    ssh auth required -update -/usr/local/etc/radius

    mistakenly thinking that one specifies the protocol as opposed to the
    daemon. Here is the result when I ssh in to the server from another host:

    login as: smalone
    Last login: Fri Aug 19 16:34:16 2005 from
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
             The Regents of the University of California. All rights reserved.

    FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Mar 25 20:58:42 CST 2005

    The thing to note is that the system did not prompt me for a password.
    I got right in to a shell prompt.

    Frightened, I then corrected the line to read:

    sshd auth required -update -/usr/local/etc/radius

    and all worked as it should. I could ssh into the system using my AD
    password and the log file on the IAS server recorded a successful radius
    auth from the host.

    However, I then went back to the /etc/pam.conf file and commented out
    the ssh line altogether, resulting in a pam.conf that reads exactly as:

    $ cat /etc/pam.conf
    # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
    # PAM configuration for the "sshd" service

    # auth

    #sshd auth required -update -/usr/local/etc/radius
    #auth required no_warn
    #auth sufficient no_warn
    #auth requisite no_warn allow_local
    #auth sufficient no_warn
    #auth sufficient no_warn
    #auth required no_warn

    # account
    #account required
    #account required
    #account required

    # session
    #session optional
    #session required

    # password
    #password sufficient no_warn
    #password required no_warn

    Basically, it's an empty file as far as pam_radius knows.

    Then I tried once more to ssh in to the server and was, once again, let
    in without being prompted for a password.

    Thus, would it not require someone to merely know the name of one of
    your users (such as an email username on an email host) to get a shell?

    Is this a fail open?


    Sean Malone
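The two mistakes in the post (a rule written for "ssh" instead of "sshd", then a file with every rule commented out) both leave sshd with no auth stack of its own, so what happens next depends on whether an "other" fallback exists. The following is an added example, not code from the poster or from FreeBSD: a small checker that parses a pam.conf in the single-file layout quoted above and reports, per service, whether it has an explicit auth stack, falls through to "other", or has no policy at all. The sample configurations and the pam_radius.so / pam_deny.so module paths are constructed assumptions.

```python
# Constructed sample modelled on the pam.conf quoted in the post: every rule
# is commented out, so "sshd" ends up with no effective auth stack at all.
SAMPLE_PAM_CONF = """\
# PAM configuration for the "sshd" service
# auth
#sshd auth required -update -/usr/local/etc/radius
#auth required no_warn
# account
#account required
"""

# Constructed "corrected" variant: an explicit sshd auth stack plus an
# "other" catch-all that denies. Module paths are assumptions.
SAMPLE_PAM_CONF_OK = """\
sshd  auth     required  /usr/local/lib/pam_radius.so
sshd  account  required  /usr/lib/pam_unix.so
other auth     required  /usr/lib/pam_deny.so
"""

TYPES = {"auth", "account", "session", "password"}

def parse_pam_conf(text):
    """Return {service: {type: [(control, module, args)]}} for pam.conf text.

    Uses the single-file /etc/pam.conf layout (service is the first field).
    Comment and blank lines are dropped, which is exactly why a fully
    commented-out file yields an empty policy."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[1] not in TYPES:
            continue  # not a service/type/control rule line
        service, kind, control = fields[0], fields[1], fields[2]
        module = fields[3] if len(fields) > 3 else ""
        policy.setdefault(service, {}).setdefault(kind, []).append(
            (control, module, fields[4:]))
    return policy

def check_auth_policy(policy, service):
    """Classify the auth stack a service would get: "explicit" (its own
    rules), "other" (falls through to the "other" service), or "missing"
    (no auth policy anywhere; never assume this means deny)."""
    if policy.get(service, {}).get("auth"):
        return "explicit"
    if policy.get("other", {}).get("auth"):
        return "other"
    return "missing"

def audit(text, services=("sshd",)):
    policy = parse_pam_conf(text)
    return {svc: check_auth_policy(policy, svc) for svc in services}
```

Running audit(SAMPLE_PAM_CONF, ("sshd", "ssh")) reports "missing" for both names, while the corrected sample gives "explicit" for sshd and "other" for the misspelled "ssh", i.e. the typo is caught by the deny catch-all rather than silently ignored.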
