pam_radius fail open?
Sean P. Malone
smalone at udallas.edu
Fri Aug 19 22:15:14 GMT 2005
Okay, I guess I’ll be the first to take Colin Percival up on this, in that the
following statement applies to me:
“If you find a security problem -- or even if you find something which
might possibly be a security problem but you're not certain if it is or
not -- then please let us know.”
I recently installed pam_radius according to the instructions located at
the following address:
The instructions were very helpful.
However, I’m not sure if I’ve mistakenly stumbled onto a fail-open
situation, as I’m fairly new to FreeBSD. Namely, while configuring
/etc/pam.conf to validate SSH login credentials via radius against our
existing Active Directory, I mistakenly typed the line for ssh as follows:
ssh auth required pam_radius.so -update -/usr/local/etc/radius
mistakenly thinking that one specifies the protocol as opposed to the
daemon. Here is the result when I ssh into the server from another host:
login as: smalone
Last login: Fri Aug 19 16:34:16 2005 from 10.3.20.101
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Mar 25 20:58:42 CST 2005
The thing to note is that the system did not prompt me for a password.
I got right into a shell prompt.
Frightened, I then corrected the line to read:
sshd auth required pam_radius.so -update -/usr/local/etc/radius
and all worked as it should. I could ssh into the system using my AD
password and the log file on the IAS server recorded a successful radius
auth from the host.
However, I then went back to the /etc/pam.conf file and commented out
the ssh line altogether, resulting in a pam.conf that reads exactly as follows:
$ cat /etc/pam.conf
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
# PAM configuration for the "sshd" service
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth required pam_nologin.so no_warn
#auth sufficient pam_opie.so no_warn
#auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn
#auth sufficient pam_ssh.so no_warn
#auth required pam_unix.so no_warn
#account required pam_krb5.so
#account required pam_login_access.so
#account required pam_unix.so
#session optional pam_ssh.so
#session required pam_permit.so
#password sufficient pam_krb5.so no_warn
#password required pam_unix.so no_warn
Basically, it’s an empty file as far as pam_radius knows.
Then I tried once more to ssh into the server and was, once again, let
in without being prompted for a password.
Thus, would it not require someone merely to know the name of one of
your users (such as an email username on an email host) to get a shell?
Is this a fail open?
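As an added example (not part of the post above, and not FreeBSD or pam_radius code), the following script audits a pam.conf-style file for the two states the post describes: an auth stanza keyed to a near-miss service name (ssh instead of sshd) and a service left with no active auth lines. The sample policies are constructed to mirror the post; whether PAM then falls open depends on the library's fallback policy and the daemon's own settings, so the script only reports the condition.

```python
"""Audit a pam.conf-style policy for services whose auth stack is missing or mis-keyed.

pam.conf layout (one entry per line): <service> <facility> <control> <module> [args...]
Lines whose first non-blank character is '#' are comments.
"""
import re

_LINE = re.compile(
    r"^(?P<service>\S+)\s+(?P<facility>auth|account|session|password)\s+"
    r"(?P<control>\S+)\s+(?P<module>\S+)", re.I)

ENFORCING = {"required", "requisite"}

def parse_pam_conf(text):
    """Return {service: {facility: [(control, module), ...]}}, skipping comments/blank lines."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # a commented-out entry contributes nothing
        m = _LINE.match(line) if line else None
        if not m:
            continue
        svc = policy.setdefault(m["service"], {})
        svc.setdefault(m["facility"].lower(), []).append((m["control"].lower(), m["module"]))
    return policy

def audit_auth_stack(policy, service):
    """Return a list of findings for the service's auth stack; an empty list means nothing flagged."""
    findings = []
    stack = policy.get(service, {}).get("auth", [])
    if not stack:
        findings.append(f"{service}: no active auth lines (commented out or keyed to another name)")
        # The typo from the post: a stack present under a name that is a prefix/superset of ours.
        for other, facilities in policy.items():
            if other != service and (other in service or service in other) and facilities.get("auth"):
                findings.append(f"{service}: auth lines found under '{other}'; probable service-name typo")
        return findings
    if not any(ctl in ENFORCING for ctl, _ in stack):
        findings.append(f"{service}: auth stack contains no required/requisite module")
    return findings

# Constructed samples reproducing the post's states (paths copied from the post).
SAMPLE_TYPO = "ssh  auth required pam_radius.so -update -/usr/local/etc/radius\nsshd account required pam_unix.so\n"
SAMPLE_COMMENTED = "#sshd auth required pam_radius.so -update -/usr/local/etc/radius\n#auth required pam_unix.so no_warn\n"
SAMPLE_OK = "sshd auth required pam_radius.so -update -/usr/local/etc/radius\nsshd account required pam_unix.so\n"

if __name__ == "__main__":
    for name, text in (("typo", SAMPLE_TYPO), ("commented", SAMPLE_COMMENTED), ("ok", SAMPLE_OK)):
        print(name, audit_auth_stack(parse_pam_conf(text), "sshd") or ["no findings"])
```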