pam_radius fail open?

From: Sean P. Malone (smalone_at_udallas.edu)
Date: 08/20/05

  • Next message: Scot Hetzel: "Re: pam_radius fail open?"
    Date: Fri, 19 Aug 2005 17:15:11 -0500
    To: FreeBSD Security <freebsd-security@freebsd.org>
    
    

    Okay, I guess I'll be the first to take Colin Percival up in that the
    following statement applies to me:

    "If you find a security problem -- or even if you find something which
    might possibly be a security problem but you're not certain if it is or
    not -- then please let us know."

    I recently installed pam_radius according to the instructions located at
    the following address:

    https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern

    The instructions were very helpful.

    However, I'm not sure if I've mistakenly stumbled onto a fail open
    situation in that I'm fairly new to FreeBSD. Namely, while configuring
    /etc/pam.conf to validate SSH login credentials via radius against our
    existing Active Directory, I mistakenly typed the line for ssh as follows:

    ssh auth required pam_radius.so -update -/usr/local/etc/radius

    mistakenly thinking that one specifies the protocol as opposed to the
    daemon. Here is the result when I ssh in to the server from another host:

    login as: smalone
    Last login: Fri Aug 19 16:34:16 2005 from 10.3.20.101
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
             The Regents of the University of California. All rights reserved.

    FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Mar 25 20:58:42 CST 2005
    $

    The thing to note is that the system did not prompt me for a password.
    I got right in to a shell prompt.

    Frightened, I then corrected the line to read:

    sshd auth required pam_radius.so -update -/usr/local/etc/radius

    and all worked as it should. I could ssh into the system using my AD
    password and the log file on the IAS server recorded a successful radius
    auth from the host.

    However, I then went back to the /etc/pam.conf file and commented out
    the ssh line altogether, resulting in a pam.conf that reads exactly as
    below:

    $ cat /etc/pam.conf
    #
    # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
    #
    # PAM configuration for the "sshd" service
    #

    # auth

    #sshd auth required pam_radius.so -update -/usr/local/etc/radius
    #auth required pam_nologin.so no_warn
    #auth sufficient pam_opie.so no_warn no_fake_prompts
    #auth requisite pam_opieaccess.so no_warn allow_local
    #auth sufficient pam_krb5.so no_warn try_first_pass
    #auth sufficient pam_ssh.so no_warn try_first_pass
    #auth required pam_unix.so no_warn try_first_pass

    # account
    #account required pam_krb5.so
    #account required pam_login_access.so
    #account required pam_unix.so

    # session
    #session optional pam_ssh.so
    #session required pam_permit.so

    # password
    #password sufficient pam_krb5.so no_warn try_first_pass
    #password required pam_unix.so no_warn try_first_pass
    $

    Basically, it's an empty file as far as pam_radius knows.

    Then I tried once more to ssh in to the server and was, once again, let
    in without being prompted for a password.

    Thus, would it not only require someone to merely know the name of one
    of your users (such as an email username on an email host) to get a shell?

    Is this a fail open?

    Regards,

    Sean Malone
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
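The check a defender would want after reading this post, as an added example that is not part of the mail, of the thread, or of FreeBSD: a small Python auditor for a pam.conf(5)-format policy (one "service facility control module args" line per entry). It reports the conditions the post stumbles over, namely a service that has no policy of its own so that the "other" fallback applies, an auth chain with no active module at all, a chain with nothing required or requisite in it, and bare tokens such as "no_fake_prompts" that look like wrapped continuation lines. The sample policy is constructed to mirror the situation described above (the sshd line commented out, a misnamed "ssh" service in its place). The fallback to the "other" policy when a service has none is standard PAM behaviour; what a given OpenPAM version actually does with an empty chain is not decided by the script, it only surfaces the condition.

```python
"""Audit a pam.conf(5)-style policy for an auth chain that cannot deny anyone.

Added example, not part of the mailing-list post or of FreeBSD. It only
parses and reports; what PAM does with an empty chain is left to PAM.
"""
from collections import defaultdict

FACILITIES = {"auth", "account", "session", "password"}
# A failure in one of these controls fails the whole chain; a chain made only
# of 'sufficient'/'optional' entries never has to reject anyone.
MANDATORY = {"required", "requisite", "binding"}

# Constructed sample modelled on the pam.conf quoted in the mail: the sshd
# entry is commented out, a misnamed 'ssh' service exists instead, 'other'
# has no mandatory entry, and a wrapped continuation is left as a bare token.
SAMPLE_PAM_CONF = """\
# PAM configuration for the "sshd" service
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
ssh auth required pam_radius.so -update -/usr/local/etc/radius
login auth required pam_unix.so no_warn try_first_pass
other auth optional pam_permit.so
other account required pam_unix.so
no_fake_prompts
"""


def parse_pam_conf(text):
    """Parse 'service facility control module [args...]' lines.

    Returns (policy, malformed): policy[service][facility] is the ordered
    list of (control, module, args); malformed holds raw lines that do not
    fit the format, which is how wrapped continuations show up.
    """
    policy = defaultdict(lambda: defaultdict(list))
    malformed = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if len(tokens) < 4 or tokens[1] not in FACILITIES:
            malformed.append(raw.rstrip())
            continue
        service, facility, control, module = tokens[:4]
        policy[service][facility].append((control, module, tokens[4:]))
    return policy, malformed


def effective_auth_chain(policy, service):
    """Return (policy_name, auth_chain) for a service.

    When no policy exists for the service at all, PAM (OpenPAM and Linux-PAM
    alike) applies the 'other' policy; that substitution is reported by name.
    """
    if service in policy:
        return service, list(policy[service].get("auth", []))
    return "other", list(policy.get("other", {}).get("auth", []))


def audit_auth(text, service):
    """Return a list of human-readable findings for the service's auth chain."""
    policy, malformed = parse_pam_conf(text)
    name, chain = effective_auth_chain(policy, service)
    findings = []
    if name != service:
        findings.append(
            f"no policy for {service!r} (defined: {sorted(policy)}); "
            f"the {name!r} policy applies"
        )
    if not chain:
        findings.append(f"auth chain for {name!r} is empty")
    elif not any(control in MANDATORY for control, _, _ in chain):
        modules = [module for _, module, _ in chain]
        findings.append(
            f"auth chain for {name!r} has no required/requisite entry: {modules}"
        )
    for raw in malformed:
        findings.append(f"unparseable line, possibly a wrapped continuation: {raw!r}")
    return findings


if __name__ == "__main__":
    # Audit the service name OpenSSH actually hands to PAM, which is "sshd".
    for finding in audit_auth(SAMPLE_PAM_CONF, "sshd"):
        print("FINDING:", finding)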


  • Next message: Scot Hetzel: "Re: pam_radius fail open?"

    Relevant Pages

    • Re: Unix accounts at Universities
      ... > Another Q I have is that when I try to ssh to another ... > but the prompt indicates that I am in the same host... ... do you get logged into host2 or not? ... I'm a bit surprised by the %-sign prompt. ...
      (comp.security.unix)
    • Getting rid of return message in ssh
      ... I need to be able to go from one host to another via ssh and not get back ... any message other than the prompt for the second machine. ...
      (RedHat)
    • Re: Attacks on ssh port
      ... >>Is there a security problem with ssh that I've missed??? ... >>they're back and keep clogging my logs. ... in this particular case these records are clogging my login error ...
      (FreeBSD-Security)
    • Re: prompt or not prompt for the password depending on the user
      ... # ssh powah@server ... no prompt for password ... This is host based authentication. ...
      (comp.security.ssh)
    • Re: Attacks on ssh port
      ... > Is there a security problem with ssh that I've missed??? ... > Ik keep getting these hords of: ... not a ssh related problem, it's just a brute force attack, I'm ...
      (FreeBSD-Security)