bin/66095: template_user is broken in pam_radius
Dan Mahoney
danm at prime.gushi.org
Thu Apr 29 14:10:07 PDT 2004
>Number: 66095
>Category: bin
>Synopsis: template_user is broken in pam_radius
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Apr 29 14:10:05 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Dan Mahoney
>Release: FreeBSD 4.6.2-RELEASE-p27 i386
>Organization:
>Environment:
System: FreeBSD s2.ezzi.net 4.6.2-RELEASE-p27 FreeBSD 4.6.2-RELEASE-p27 #0: Tue Apr 6 08:52:46 EDT 2004 danm at s2.ezzi.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
The pam_radius module's man page purports to be able to support a "template user", i.e. when a user not listed in the local
system attempts to authenticate when pam_radius is in effect, instead, the login credentials for "template_user" will be
presented.
FreeBSD seems to authorize against radius correctly when a local user exists, but when a non-local user tries to authenticate,
the request is NOT EVEN FORWARDED to the radius server. Auth simply fails.
>How-To-Repeat:
/etc/radius.conf:

    auth 65.125.237.37 testing123
    acct 65.125.237.37 testing123

/etc/pam.conf:

    sshd auth sufficient pam_skey.so
    sshd auth sufficient pam_opie.so no_fake_prompts
    #sshd auth requisite pam_opieaccess.so
    #sshd auth sufficient pam_kerberosIV.so try_first_pass
    #sshd auth sufficient pam_krb5.so try_first_pass
    sshd auth sufficient pam_radius.so try_first_pass template_user=danm
    sshd auth required pam_unix.so try_first_pass
    sshd account sufficient pam_radius.so try_first_pass template_user=danm
    sshd account required pam_unix.so
    sshd password required pam_permit.so
    sshd session required pam_permit.so

Try to log in as a user who is present on the radius server but not present on the local system.
>Fix:
None known.
>Release-Note:
>Audit-Trail:
>Unformatted:
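
A configuration check for the setup in this report, as an added example that is not part of the original report or of FreeBSD: it parses pam.conf-style lines and shows, for each pam_radius entry of a service, whether the template_user account exists locally and whether an active requisite module sits ahead of it in the chain. The function names and the embedded sample are assumptions made for illustration; it assumes the "service facility control module args" line layout used in the report.

```python
import pwd

# Constructed sample: active and commented sshd lines from the report's /etc/pam.conf.
SAMPLE_PAM_CONF = """\
sshd auth sufficient pam_opie.so no_fake_prompts
#sshd auth requisite pam_opieaccess.so
sshd auth sufficient pam_radius.so try_first_pass template_user=danm
sshd auth required pam_unix.so try_first_pass
sshd account sufficient pam_radius.so try_first_pass template_user=danm
sshd account required pam_unix.so
"""

def parse_pam_conf(text):
    """Return (service, facility, control, module, args) for each active line."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(fields) >= 4:
            entries.append((*fields[:4], fields[4:]))
    return entries

def local_user_exists(name):
    """True if the name resolves through the local passwd database."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False

def audit_pam_radius(text, service, user_exists=local_user_exists):
    """Report, per facility, how pam_radius is configured for one service."""
    report = []
    for facility in ("auth", "account"):
        stack = [e for e in parse_pam_conf(text)
                 if e[0] == service and e[1] == facility]
        for pos, (_, _, control, module, args) in enumerate(stack):
            if not module.endswith("pam_radius.so"):
                continue
            opts = dict(a.partition("=")[::2] for a in args)
            template = opts.get("template_user")
            report.append({
                "facility": facility,
                "control": control,
                "template_user": template,
                # The template account must itself be a local user.
                "template_exists": bool(template) and user_exists(template),
                # A failing requisite module ends the chain before pam_radius runs.
                "requisite_before": [m for _, _, c, m, _ in stack[:pos] if c == "requisite"],
            })
    return report
```

A clean result here rules out the configuration only; it does not show whether the calling service passes a non-local username to PAM at all.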