Re: pam_radius fail open?

From: Stefan Bethke (stb_at_lassitu.de)
Date: 08/21/05

  • Next message: Pat Maddox: "Security warning with sshd"
    Date: Sun, 21 Aug 2005 00:47:54 +0200
    To: Scot Hetzel <swhetzel@gmail.com>
    
    

    On 20.08.2005 at 00:32, Scot Hetzel wrote:

    > On 8/19/05, Sean P. Malone <smalone@udallas.edu> wrote:
    >
    >> $ cat /etc/pam.conf
    >> #
    >> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
    >> #
    >> # PAM configuration for the "sshd" service
    >> #
    >>
    >> # auth
    >>
    >> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
    >> #auth required pam_nologin.so no_warn
    >>
    >
    >
    >> Basically, it's an empty file as far as pam_radius knows.
    >>
    >>
    >
    > I think you incorrectly configured your system, you should have edited
    > the /etc/pam.d/sshd file and added the pam_radius in there as:
    >
    > auth required pam_radius.so -update -/usr/local/etc/radius
    >
    > When you created the /etc/pam.conf file, you told PAM to not look in
    > the /etc/pam.d directory for config info for any of the services
    > listed in /etc/pam.d. This caused it to not know how to authenticate
    > any logins, which resulted in it allowing all logins.

    I don't know what's wrong, but this explanation is not correct (on
    6.0-BETA2). The man page states that /etc/pam.d/* information is
    consulted before /etc/pam.conf, and creating an empty /etc/pam.conf
    won't let me log in unless I enter a correct password.

    My experience with pam has been too confusing to add any real
    insight. I'd hope that des@ would be able to comment properly...

    Stefan

    -- 
    Stefan Bethke <stb@lassitu.de>   Fon +49 170 346 0140
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
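
Added example, not part of the original thread: a small Python check for the condition debated above, namely whether a service has any active (uncommented) `auth` rule and which file supplies it. The lookup order (/etc/pam.d/<service> before /etc/pam.conf) follows the man page statement cited in the message; the function names and sample file contents are constructed for illustration, and PAM's own fallback behaviour is not modelled.

```python
FACILITIES = {"auth", "account", "session", "password"}

# Constructed sample inputs. PAM_CONF mirrors the all-comments file quoted in
# the thread; PAM_D uses the rule suggested in the reply.
PAM_CONF = """\
# PAM configuration for the "sshd" service
# auth
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth required pam_nologin.so no_warn
"""
PAM_D = "auth required pam_radius.so -update -/usr/local/etc/radius\n"

def parse_rules(text, service=None):
    """Return active rules as (facility, control, module, args) tuples.

    service=None parses pam.d syntax (facility control module [args]);
    otherwise pam.conf syntax, where each line starts with the service name.
    """
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if service is not None:
            if not fields or fields[0] != service:
                continue
            fields = fields[1:]
        if len(fields) >= 3 and fields[0] in FACILITIES:
            rules.append((fields[0], fields[1], fields[2], fields[3:]))
    return rules

def first_auth_source(service, pam_d_text, pam_conf_text):
    """Return (path, auth_rules) for the first file with an active auth rule.

    Arguments are file contents, or None when the file does not exist.
    Order assumed: /etc/pam.d/<service>, then /etc/pam.conf.
    Returns None when no file defines an active auth rule for the service.
    """
    candidates = [(f"/etc/pam.d/{service}", pam_d_text, None),
                  ("/etc/pam.conf", pam_conf_text, service)]
    for path, text, svc in candidates:
        if text is None:
            continue
        auth = [r for r in parse_rules(text, svc) if r[0] == "auth"]
        if auth:
            return path, auth
    return None

if __name__ == "__main__":
    for label, d in (("pam.conf only", None), ("with pam.d/sshd", PAM_D)):
        print(label, "->", first_auth_source("sshd", d, PAM_CONF) or "NO ACTIVE auth RULE")
```

A `None` result means no file in the checked order defines an `auth` rule for the service, which is the state to review before relying on that service for authentication.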
    
