pam_radius fail open?
Dag-Erling Smørgrav
des at des.no
Mon Aug 22 12:24:10 GMT 2005
"Sean P. Malone" <smalone at udallas.edu> writes:
> I recently installed pam_radius according to the instructions located
> at the following address:
>
> https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern
Why? 5.3 ships with pam_radius(8).
> However, I'm not sure if I've mistakenly stumbled onto a fail open
> situation in that I'm fairly new to FreeBSD. Namely, while
> configuring /etc/pam.conf to validate SSH login credentials via radius
> against our existing Active Directory, I mistakenly typed the line for
> ssh as follows: [...]
I am surprised that editing /etc/pam.conf had any effect at all, since
/etc/pam.d/sshd takes precedence. Are you running a clean 5.3
install, or did you upgrade from 4.x?
And yes, PAM does fail open when no configuration exists. You can
easily change that by creating /etc/pam.d/default with the following
contents:
auth		required	pam_deny.so
account		required	pam_deny.so
session		required	pam_deny.so
password	required	pam_deny.so
or slightly less easily by adding the appropriate check around line
100 of src/contrib/openpam/lib/openpam_dispatch.c, like NetBSD did:
	if (chain == NULL)
		RETURNC(PAM_SYSTEM_ERR);
DES
--
Dag-Erling Smørgrav - des at des.no
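As an added illustration (not code from the message above, from OpenPAM or from NetBSD), here is a toy model of the dispatch loop DES is describing. The return codes, the chain struct, the control flags and the two stand-in modules are assumptions of the model, not OpenPAM's real definitions; what it keeps from the real loop is the shape that matters here: err and fail start at zero, and a chain that never fails is reported as success, so a service with no configuration at all authenticates. The guard_empty argument switches the NetBSD-style check on, and the default_deny chain is what an /etc/pam.d/default built from pam_deny.so gives an unknown service instead.

```c
/*
 * Toy model of an OpenPAM-style dispatch loop.  Added example; the enums,
 * the chain struct and the module stand-ins are invented for this model
 * and are not the values in <security/pam_constants.h>.
 */
#include <stddef.h>
#include <stdio.h>

enum pam_ret { PAM_SUCCESS = 0, PAM_SYSTEM_ERR, PAM_AUTH_ERR, PAM_IGNORE };
enum pam_ctl { PAM_REQUIRED, PAM_REQUISITE, PAM_SUFFICIENT, PAM_OPTIONAL };

typedef struct pam_chain {
	const char *module;
	enum pam_ctl flag;
	int (*sm_authenticate)(void);
	struct pam_chain *next;
} pam_chain_t;

/* stand-ins for pam_deny.so and pam_permit.so */
static int deny_auth(void)   { return PAM_AUTH_ERR; }
static int permit_auth(void) { return PAM_SUCCESS; }

/*
 * Walk the chain for one primitive.  err and fail start at 0; if no
 * required/requisite module failed, the result is forced to PAM_SUCCESS.
 * With chain == NULL the loop body never runs, so without the guard an
 * unconfigured service succeeds.  guard_empty == 1 adds the NetBSD-style
 * check before the loop.
 */
int dispatch(const pam_chain_t *chain, int guard_empty)
{
	int err = 0, fail = 0, r;

	if (guard_empty && chain == NULL)
		return PAM_SYSTEM_ERR;

	for (; chain != NULL; chain = chain->next) {
		r = chain->sm_authenticate();
		if (r == PAM_IGNORE)
			continue;
		if (r == PAM_SUCCESS) {
			/* a sufficient module ends the chain only if nothing failed yet */
			if (chain->flag == PAM_SUFFICIENT && !fail)
				return PAM_SUCCESS;
			continue;
		}
		switch (chain->flag) {
		case PAM_REQUISITE:
			return r;		/* stop at once */
		case PAM_REQUIRED:
			if (!fail) {		/* remember the first required failure */
				err = r;
				fail = 1;
			}
			break;
		default:			/* sufficient/optional failures are ignored */
			break;
		}
	}
	if (!fail)
		err = PAM_SUCCESS;
	return err;
}

/* the auth chain an /etc/pam.d/default of "auth required pam_deny.so" builds */
static pam_chain_t default_deny = { "pam_deny.so", PAM_REQUIRED, deny_auth, NULL };

/* Service with no configuration at all: the case in the message. */
int auth_no_config(int guard_empty)
{
	return dispatch(NULL, guard_empty);
}

/* The same unknown service once /etc/pam.d/default denies everything. */
int auth_default_deny(int guard_empty)
{
	return dispatch(&default_deny, guard_empty);
}

/* A service with its own chain ("sufficient pam_permit.so", then "required
 * pam_deny.so"): unaffected by the guard, since its chain is not empty. */
int auth_permit_then_deny(void)
{
	pam_chain_t deny   = { "pam_deny.so",   PAM_REQUIRED,   deny_auth,   NULL };
	pam_chain_t permit = { "pam_permit.so", PAM_SUFFICIENT, permit_auth, &deny };
	return dispatch(&permit, 1);
}

int main(void)
{
	printf("no config, no guard:  %d (PAM_SUCCESS, i.e. fails open)\n", auth_no_config(0));
	printf("no config, guard:     %d (PAM_SYSTEM_ERR)\n", auth_no_config(1));
	printf("pam.d/default deny:   %d (PAM_AUTH_ERR)\n", auth_default_deny(0));
	printf("configured service:   %d (PAM_SUCCESS)\n", auth_permit_then_deny());
	return 0;
}
```

The two fixes in the message are independent: the pam_deny default turns an empty chain into a chain that fails, while the dispatch check refuses to run an empty chain at all. Either closes the hole on its own; the second also covers a service whose configuration file exists but parses to nothing.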