Re: pam_radius fail open?
From: Dag-Erling Smørgrav (des_at_des.no)
Date: 08/22/05
- Previous message: Stephen Major: "RE: Security warning with sshd"
- In reply to: Sean P. Malone: "pam_radius fail open?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: smalone@udallas.edu
Date: Mon, 22 Aug 2005 14:23:59 +0200
"Sean P. Malone" <smalone@udallas.edu> writes:
> I recently installed pam_radius according to the instructions located
> at the following address:
>
> https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern
Why? 5.3 ships with pam_radius(8).
> However, I'm not sure if I've mistakenly stumbled onto a fail open
> situation in that I'm fairly new to FreeBSD. Namely, while
> configuring /etc/pam.conf to validate SSH login credentials via radius
> against our existing Active Directory, I mistakenly typed the line for
> ssh as follows: [...]
I am surprised that editing /etc/pam.conf had any effect at all, since
/etc/pam.d/sshd takes precedence. Are you running a clean 5.3
install, or did you upgrade from 4.x?
And yes, PAM does fail open when no configuration exists. You can
easily change that by creating /etc/pam.d/default with the following
contents:
    auth     required pam_deny.so
    account  required pam_deny.so
    session  required pam_deny.so
    password required pam_deny.so
or slightly less easily by adding the appropriate check around line
100 of src/contrib/openpam/lib/openpam_dispatch.c, like NetBSD did:
    if (chain == NULL)
            RETURNC(PAM_SYSTEM_ERR);
DES
-- 
Dag-Erling Smørgrav - des@des.no
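As an added example (not from the original post, FreeBSD or OpenPAM), a POSIX sh check for the deny-all default policy suggested above: it verifies that each of the four facilities is closed with pam_deny.so and that every control flag is one OpenPAM accepts, so a slip like "requires" is reported rather than left in place. It assumes the per-service /etc/pam.d file layout (facility in the first column) and the control-flag set required, requisite, sufficient, optional and binding; the sample policies it reads are constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): audit a /etc/pam.d-style
# policy file for the fail-open conditions discussed in the thread.
# A deny-all default must carry "required pam_deny.so" for every
# facility, and every control flag must be one OpenPAM accepts, so a
# typo such as "requires" is reported instead of slipping through.
# Returns 0 for a proper deny-all policy, 1 otherwise.
check_pam_default() {
    file="$1"
    rc=0
    for facility in auth account session password; do
        # Drop comments, then require "<facility> required pam_deny.so".
        if ! sed 's/#.*//' "$file" |
             grep -Eq "^[[:space:]]*$facility[[:space:]]+required[[:space:]]+pam_deny\.so"; then
            echo "$file: facility '$facility' is not denied by default" >&2
            rc=1
        fi
    done
    # Any second field that is not a known OpenPAM control flag is a typo
    # (assumed flag set: required, requisite, sufficient, optional, binding).
    bad=$(sed 's/#.*//' "$file" |
          awk 'NF >= 2 && $2 !~ /^(required|requisite|sufficient|optional|binding)$/ {
                   print "line " NR ": unknown control flag \"" $2 "\""
               }')
    if [ -n "$bad" ]; then
        echo "$file: $bad" >&2
        rc=1
    fi
    return $rc
}

# Constructed sample policies: the /etc/pam.d/default from the mail as
# typed (note "requires"), and the same file with the typo corrected.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
TYPO_POLICY="$tmp/default.typo"
OK_POLICY="$tmp/default.ok"
printf 'auth required pam_deny.so\naccount required pam_deny.so\n' > "$TYPO_POLICY"
printf 'session required pam_deny.so\npassword requires pam_deny.so\n' >> "$TYPO_POLICY"
sed 's/requires/required/' "$TYPO_POLICY" > "$OK_POLICY"

for policy in "$TYPO_POLICY" "$OK_POLICY"; do
    if check_pam_default "$policy"; then
        echo "$policy: deny-all default OK"
    else
        echo "$policy: NOT a safe deny-all default"
    fi
done
```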