pam_radius fail open?
Scot Hetzel
swhetzel at gmail.com
Fri Aug 19 22:32:39 GMT 2005
On 8/19/05, Sean P. Malone <smalone at udallas.edu> wrote:
> $ cat /etc/pam.conf
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
>
> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
> #auth required pam_nologin.so no_warn
> Basically, it's an empty file as far as pam_radius knows.
>
I think you incorrectly configured your system, you should have edited
the /etc/pam.d/sshd file and added the pam_radius in there as:
auth required pam_radius.so -update -/usr/local/etc/radius
When you created the /etc/pam.conf file, you told PAM to not look in
the /etc/pam.d directory for config info for any of the services
listed in /etc/pam.d. This caused it to not know how to authenticate
any logins, which resulted in it allowing all logins.
I believe this is also why you were able to log into your system with just a:
ssh auth required pam_radius.so -update -/usr/local/etc/radius
in your /etc/pam.conf, as there was no entry for sshd in pam.conf.
Scot
--
DISCLAIMER:
No electrons were mamed while sending this message. Only slightly bruised.
More information about the freebsd-security
mailing list