Re: pam_radius fail open?
From: Stefan Bethke (stb_at_lassitu.de)
Date: Sun, 21 Aug 2005 00:47:54 +0200
To: Scot Hetzel <firstname.lastname@example.org>
On 20.08.2005 at 00:32, Scot Hetzel wrote:
> On 8/19/05, Sean P. Malone <email@example.com> wrote:
>> $ cat /etc/pam.conf
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>> # PAM configuration for the "sshd" service
>> # auth
>> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
>> #auth required pam_nologin.so no_warn
>> Basically, it's an empty file as far as pam_radius knows.
> I think you incorrectly configured your system, you should have edited
> the /etc/pam.d/sshd file and added the pam_radius in there as:
> auth required pam_radius.so -update -/usr/local/etc/radius
> When you created the /etc/pam.conf file, you told PAM to not look in
> the /etc/pam.d directory for config info for any of the services
> listed in /etc/pam.d. This caused it to not know how to authenticate
> any logins, which resulted in it allowing all logins.
I don't know what's wrong, but this explanation is not correct (on
6.0-BETA2). The man page states that /etc/pam.d/* information is
consulted before /etc/pam.conf, and creating an empty /etc/pam.conf
won't let me log in unless I enter a correct password.
My experience with pam has been too confusing to add any real
insight. I'd hope that des@ would be able to comment properly...
-- Stefan Bethke <firstname.lastname@example.org> Fon +49 170 346 0140
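The following check is an added example, not part of the original thread or of FreeBSD: it lists the active (uncommented) rules in a PAM policy and reports which facilities have none for a service, using the quoted /etc/pam.conf and the suggested /etc/pam.d/sshd line as constructed sample input. The function names are hypothetical, and the script only reports what is configured; it does not model how PAM resolves a service that has no rules, which is the point in dispute above.

```python
FACILITIES = {"auth", "account", "session", "password"}

def active_rules(text, service=None):
    """Return (service, facility, control, module, args) for each active line.

    service=None   -> pam.conf layout: the first field is the service name.
    service="sshd" -> pam.d layout: the file name supplies the service.
    """
    rules = []
    logical = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in logical.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if service is None:
            svc, fields = fields[0], fields[1:]
        else:
            svc = service
        if len(fields) < 3 or fields[0] not in FACILITIES:
            continue  # malformed line: not counted as an active rule
        rules.append((svc, fields[0], fields[1], fields[2], fields[3:]))
    return rules

def missing_facilities(rules, service):
    """Facilities for which `service` has no active rule at all."""
    present = {fac for svc, fac, *_ in rules if svc == service}
    return sorted(FACILITIES - present)

# Constructed sample input: the /etc/pam.conf quoted in the thread.
QUOTED_PAM_CONF = """\
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
# PAM configuration for the "sshd" service
# auth
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth required pam_nologin.so no_warn
"""

# Constructed sample input: the /etc/pam.d/sshd line suggested in the thread.
SUGGESTED_PAM_D_SSHD = "auth required pam_radius.so -update -/usr/local/etc/radius\n"

if __name__ == "__main__":
    for name, text, svc in (("pam.conf", QUOTED_PAM_CONF, None),
                            ("pam.d/sshd", SUGGESTED_PAM_D_SSHD, "sshd")):
        rules = active_rules(text, service=svc)
        print(name, "active rules:", rules)
        print(name, "sshd facilities with no rule:", missing_facilities(rules, "sshd"))
```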