Re: pam_radius fail open?

From: Scot Hetzel (swhetzel_at_gmail.com)
Date: 08/20/05

  • Next message: Stefan Bethke: "Re: pam_radius fail open?"
    Date: Fri, 19 Aug 2005 17:32:37 -0500
    To: smalone@udallas.edu
    
    

    On 8/19/05, Sean P. Malone <smalone@udallas.edu> wrote:
    > $ cat /etc/pam.conf
    > #
    > # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
    > #
    > # PAM configuration for the "sshd" service
    > #
    >
    > # auth
    >
    > #sshd auth required pam_radius.so -update -/usr/local/etc/radius
    > #auth required pam_nologin.so no_warn

    > Basically, it's an empty file as far as pam_radius knows.
    >

    I think you incorrectly configured your system; you should have edited
    the /etc/pam.d/sshd file and added the pam_radius in there as:

    auth required pam_radius.so -update -/usr/local/etc/radius

    When you created the /etc/pam.conf file, you told PAM to not look in
    the /etc/pam.d directory for config info for any of the services
    listed in /etc/pam.d. This caused it to not know how to authenticate
    any logins, which resulted in it allowing all logins.

    I believe this is also why you were able to log into your system with just a:

    ssh auth required pam_radius.so -update -/usr/local/etc/radius

    in your /etc/pam.conf, as there was no entry for sshd in pam.conf.

    Scot

    -- 
    DISCLAIMER:
    No electrons were maimed while sending this message. Only slightly bruised.
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
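
A check for the situation discussed in this message, added here as an example and not code from the thread or from FreeBSD: it parses a pam.conf-format policy (`service facility control module [args]`) and reports whether a given service name has any active `auth` rule, either directly or through the `other` fallback entry. The function names and the sample policy strings (constructed from the lines quoted above) are assumptions.

```python
# Added example: audit a pam.conf-format policy for active auth rules.
FACILITIES = {"auth", "account", "session", "password"}

def active_rules(policy_text):
    """Return {service: {facility: [(control, module, args), ...]}} for uncommented lines."""
    rules = {}
    for raw in policy_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in FACILITIES:
            continue  # not "service facility control module [args]"
        service, facility, control, module, *args = fields
        rules.setdefault(service, {}).setdefault(facility, []).append(
            (control, module, args))
    return rules

def auth_coverage(policy_text, service):
    """'explicit', 'fallback-other' or 'none' for the service's auth facility."""
    rules = active_rules(policy_text)
    if rules.get(service, {}).get("auth"):
        return "explicit"
    if rules.get("other", {}).get("auth"):
        return "fallback-other"
    return "none"

# Constructed sample: the pam.conf quoted in the thread, every rule commented out.
QUOTED_PAM_CONF = """\
#
# PAM configuration for the "sshd" service
#
# auth
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth required pam_nologin.so no_warn
"""
# Constructed sample: the single active line, whose service name is "ssh".
SSH_LINE = "ssh auth required pam_radius.so -update -/usr/local/etc/radius\n"
# Constructed sample: the same rule under the service name "sshd".
SSHD_LINE = "sshd auth required pam_radius.so -update -/usr/local/etc/radius\n"

if __name__ == "__main__":
    for label, text in [("quoted", QUOTED_PAM_CONF), ("ssh line", SSH_LINE),
                        ("sshd line", SSHD_LINE)]:
        print(f"{label}: sshd auth coverage = {auth_coverage(text, 'sshd')}")
```

A result of `none` for the name the daemon actually uses means the file contributes no auth rule for that service, which is the condition to rule out before trusting a policy change.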
    
