pam_radius fail open?

Sean P. Malone smalone at
Fri Aug 19 22:15:14 GMT 2005

Okay, I guess I’ll be the first to take Colin Percival up on this, in that the 
following statement applies to me:

“If you find a security problem -- or even if you find something which 
might possibly be a security problem but you're not certain if it is or 
not -- then please let us know.”

I recently installed pam_radius according to the instructions located at 
the following address:

The instructions were very helpful.

However, I’m not sure if I’ve mistakenly stumbled onto a fail-open 
situation, as I’m fairly new to FreeBSD.  Namely, while configuring 
/etc/pam.conf to validate SSH login credentials via radius against our 
existing Active Directory, I mistakenly typed the line for ssh as follows:

ssh auth required -update -/usr/local/etc/radius

mistakenly thinking that one specifies the protocol as opposed to the 
daemon.  Here is the result when I ssh into the server from another host:

login as: smalone
Last login: Fri Aug 19 16:34:16 2005 from
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
         The Regents of the University of California.  All rights reserved.

FreeBSD 5.3-RELEASE (GENERIC) #0: Fri Mar 25 20:58:42 CST 2005

The thing to note is that the system did not prompt me for a password. 
I got right in to a shell prompt.

Frightened, I then corrected the line to read:

sshd auth required -update -/usr/local/etc/radius

and all worked as it should.  I could ssh into the system using my AD 
password and the log file on the IAS server recorded a successful radius 
auth from the host.

However, I then went back to the /etc/pam.conf file and commented out 
the ssh line altogether, resulting in a pam.conf that reads exactly as follows:

$ cat /etc/pam.conf
# $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
# PAM configuration for the "sshd" service

# auth

#sshd auth required -update -/usr/local/etc/radius
#auth           required          no_warn
#auth           sufficient             no_warn 
#auth           requisite       no_warn allow_local
#auth           sufficient             no_warn 
#auth           sufficient              no_warn 
#auth           required             no_warn 

# account
#account        required
#account                required
#account                required

# session
#session        optional
#session                required

# password
#password       sufficient             no_warn 
#password       required             no_warn 

Basically, it’s an empty file as far as pam_radius knows.

Then I tried once more to ssh into the server and was, once again, let 
in without being prompted for a password.

Thus, would it not merely require someone to know the name of one of 
your users (such as an email username on an email host) to get a shell?

Is this a fail-open?

Sean Malone
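As an added example, not code from the original post or from the FreeBSD project, the following Python script parses the `service type control module [args]` line format of /etc/pam.conf and reports which auth stack a service such as sshd would actually receive, flagging the "ssh" versus "sshd" typo described above. The sample file contents, the module names (pam_radius.so, pam_deny.so) and the rule that a service with no entries falls back to the "other" service are assumptions of the example.

```python
"""Audit a pam.conf-style file for a service whose auth stack is missing.

Constructed example: it reads the pam.conf `service type control module [args]`
format and shows what happens when the service name is mistyped, which is
the situation in the post above (the line was written for "ssh", so "sshd"
itself had no auth rules at all).
"""

# Constructed sample input, not the poster's real file.
SAMPLE_PAM_CONF = """\
# PAM configuration for the "sshd" service
ssh   auth required pam_radius.so -update -/usr/local/etc/radius
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
other auth required pam_deny.so
"""


def parse_pam_conf(text):
    """Return {service: {type: [(control, module, args)]}} from pam.conf text."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:  # service, type, control and module are mandatory
            continue
        service, mtype, control, module = fields[:4]
        rules.setdefault(service, {}).setdefault(mtype, []).append(
            (control, module, fields[4:]))
    return rules


def audit_auth(rules, service="sshd"):
    """Classify the auth stack PAM would apply to `service`.

    Assumes (as in common PAM implementations) that a service with no entries
    of its own falls back to the "other" service; if that is absent too the
    result depends on the library default, which this check reports as a gap.
    """
    if rules.get(service, {}).get("auth"):
        return "configured"
    if rules.get("other", {}).get("auth"):
        return "falls back to other"
    return "no auth rules"


def suspect_service_names(rules, service="sshd"):
    """Configured service names that look like a typo of `service`."""
    return sorted(n for n in rules if n != service and (n in service or service in n))
```

Run `audit_auth(parse_pam_conf(open("/etc/pam.conf").read()))` on a real file (and `suspect_service_names`) to spot a service that silently inherits the fallback stack; note that FreeBSD also consults /etc/pam.d/<service>, which this check does not read.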