pam_radius fail open?

Sean P. Malone smalone at udallas.edu
Fri Aug 19 22:15:14 GMT 2005 

Okay, I guess I’ll be the first to take Colin Percival up in that the 
following statement applies to me:

“If you find a security problem -- or even if you find something which 
might possibly be a security problem but you're not certain if it is or 
not -- then please let us know.”

I recently installed pam_radius according to the instructions located at 
the following address:

https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern

The instructions were very helpful.

However, I’m not sure if I’ve mistakenly stumbled onto a fail open 
situation in that I’m fairly new to FreeBSD.  Namely, while configuring 
/etc/pam.conf to validate SSH login credentials via radius against our 
existing Active Directory, I mistakenly typed the line for ssh as follows:

ssh auth required pam_radius.so -update -/usr/local/etc/radius

mistakenly thinking that one specifies the protocol as opposed to the 
daemon.  Here is the result when I ssh in to the server from another host:

login as: smalone
Last login: Fri Aug 19 16:34:16 2005 from 10.3.20.101
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California.  All rights reserved.

FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Mar 25 20:58:42 CST 2005
$

The thing to note is that the system did not prompt me for a password. 
I got right in to a shell prompt.


Frightened, I then corrected the line to read:

sshd auth required pam_radius.so -update -/usr/local/etc/radius

and all worked as it should.  I could ssh into the system using my AD 
password and the log file on the IAS server recorded a successful radius 
auth from the host.

However, I then went back to the /etc/pam.conf file and commented out 
the ssh line all together resulting in a pam.conf that reads exactly as 
below:

$ cat /etc/pam.conf
#
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
#
# PAM configuration for the "sshd" service
#

# auth

#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth           required        pam_nologin.so          no_warn
#auth           sufficient      pam_opie.so             no_warn 
no_fake_prompts
#auth           requisite       pam_opieaccess.so       no_warn allow_local
#auth           sufficient      pam_krb5.so             no_warn 
try_first_pass
#auth           sufficient      pam_ssh.so              no_warn 
try_first_pass
#auth           required        pam_unix.so             no_warn 
try_first_pass

# account
#account        required        pam_krb5.so
#account                required        pam_login_access.so
#account                required        pam_unix.so

# session
#session        optional        pam_ssh.so
#session                required        pam_permit.so

# password
#password       sufficient      pam_krb5.so             no_warn 
try_first_pass
#password       required        pam_unix.so             no_warn 
try_first_pass
$

Basically, it’s an empty file as far as pam_radius knows.

Then I tried once more to ssh in to the server and was, once again, let 
in without being prompted for a password.

Thus, would it not only require someone to merely know the name of one 
of your users (such as an email username on an email host) to get a shell?

Is this a fail open?

Regards,

Sean Malone

More information about the freebsd-security mailing list