bin/124320: Login with ssh using pam_radius and a template_user

Jacco van Buuren jaccovb at xs4all.nl
Thu Jun 5 20:00:15 UTC 2008


>Number:         124320
>Category:       bin
>Synopsis:       Login with ssh using pam_radius and a template_user
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jun 05 20:00:12 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Jacco van Buuren
>Release:        FreeBSD 6.2
>Organization:
-
>Environment:
FreeBSD phatman 6.2-STABLE FreeBSD 6.2-STABLE #0: Fri Oct  5 19:22:33 CEST 2007     root at brahman:/usr/obj/usr/src/sys/BRAHMAN  i386
>Description:
PAM_RADIUS doesn't work with a TEMPLATE_USER for remote logins with SSHD.

The situation is as follows:

A radius authorization backend system, server A, has user ALICE, with a password, and user BOB, with a password.
Another server, server B, is using PAM_RADIUS for radius authentication on SSHD for remote logins. While attempting to figure out how pam_radius works on server B, pam (/etc/pam.d/sshd) is configured like this:

auth            sufficient      pam_radius.so           try_first_pass template_user=bob debug
account         sufficient      pam_radius.so           template_user=bob debug
password        sufficient      pam_radius.so           try_first_pass template_user=bob debug

On server B, Bob has a plain vanilla Unix account in /etc/passwd, with an existing shell and homedirectory. When using the pam config shown above, Bob is asked for his radius password from server A (as expected) when he tries to login
with ssh. This works perfectly Ok for Bob: Radius authentication is working on server B when using ssh to login - in this case regardless of his password. So far so good.

Since Bob has special privileges on server B, his account will be the template for a small group of other users, effectively sharing the bob-account - not Bob's password - with others.
Template_user should provide for this, from the pam_radius man-page:

[..]"template_user=username
specifies a user whose passwd(5) entry will be used as a template
to create the session environment if the supplied username does not exist in local password database.  The user will be authenticated with the supplied username and password, but his credentials to the system will be presented as the ones for username, i.e., his login class, home directory, resource limits, etc. will be set to ones defined for username.

If this option is omitted, and there is no username in the system databases equal to the supplied one (as determined by call to getpwnam(3)), the authentication will fail."[..]

As pam is configured with 'template_user=bob', it would be expected that user 'alice' - an account that doesn't exist on server B in /etc/passwd - should be able to login with ssh since Bob can login... Oddly enough, logging in ONLY
works for user 'alice' when the account exists in /etc/passwd on server B. Which
would still require all the accounts being present on server B, and thus defeating the purpose of a template_user. It seems that template_user has no
effect, no matter which password (alice/bob) is used. Sshd is actually complaining about pam: "fatal: Internal error: PAM auth succeeded when it should have failed".

From what I've googled it seems that this topic is returning every now and then,
without any clear solution. Some do indeed point to OpenSSH
(http://www.usenet-forums.com/openssh-development/336942-sshd-pam_radius-under-freebsd.html#post706102).
I haven't tested this with telnetd or others. To put it another way: I've found no document that explains why a pam_radius template_user shouldn't work with sshd.

>How-To-Repeat:
Configure a radius server (Freeradius or so) and verify it's working properly. Configure a radius client on another system (radius.conf). Then configure /etc/pam.d/sshd to make use of the template_user feature.
>Fix:
-

>Release-Note:
>Audit-Trail:
>Unformatted:
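As an added illustration (not part of the report or of pam_radius itself), the following Python models the template_user mapping rule quoted above from the man page and applies it to the three-line /etc/pam.d/sshd stack from the report, so the expected local identity for "alice" and "bob" on server B can be checked before touching a live sshd. The local passwd database and the config text are constructed stand-ins; the sshd-side "PAM auth succeeded when it should have failed" check described in the report is not modelled here.

```python
# Constructed stand-in for the local passwd database on "server B":
# only bob has a local account; alice exists only on the RADIUS server A.
LOCAL_PASSWD = {
    "bob": {"uid": 1001, "home": "/home/bob", "shell": "/bin/sh"},
}

# Constructed copy of the three pam_radius lines quoted in the report.
PAM_SSHD = """\
auth            sufficient      pam_radius.so           try_first_pass template_user=bob debug
account         sufficient      pam_radius.so           template_user=bob debug
password        sufficient      pam_radius.so           try_first_pass template_user=bob debug
"""


def parse_pam(text):
    """Return {facility: {option: value}} for each pam_radius.so line.
    Flag-style options (no '=') are stored as True."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[2] != "pam_radius.so":
            continue
        opts = {}
        for opt in fields[3:]:
            key, _, val = opt.partition("=")
            opts[key] = val if val else True
        entries[fields[0]] = opts
    return entries


def resolve_credentials(supplied_user, template_user, passwd):
    """Model the pam_radius(8) template_user rule: the supplied name is what
    RADIUS authenticates, but the local identity presented to the system is
    the supplied user if it exists locally, otherwise template_user (which
    must itself be a local account); with neither, authentication fails."""
    if supplied_user in passwd:
        return supplied_user
    if isinstance(template_user, str) and template_user in passwd:
        return template_user
    return None


def check_config(text, passwd, users):
    """For every facility carrying pam_radius, map each RADIUS user to the
    local account it would be presented as (None means the login fails)."""
    report = {}
    for facility, opts in parse_pam(text).items():
        tmpl = opts.get("template_user")
        report[facility] = {u: resolve_credentials(u, tmpl, passwd) for u in users}
    return report
```

Running check_config(PAM_SSHD, LOCAL_PASSWD, ["alice", "bob"]) shows both users mapped to "bob" in all three facilities, which is the mapping the report expected; any user shown as None would be refused even before sshd's own checks.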

