pam_radius fail open?
Stefan Bethke
stb at lassitu.de
Sat Aug 20 22:48:49 GMT 2005
Am 20.08.2005 um 00:32 schrieb Scot Hetzel:
> On 8/19/05, Sean P. Malone <smalone at udallas.edu> wrote:
>
>> $ cat /etc/pam.conf
>> #
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>> #
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>>
>> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
>> #auth required pam_nologin.so no_warn
>>
>
>
>> Basically, it's an empty file as far as pam_radius knows.
>>
>>
>
> I think you incorrectly configured your system, you should have edited
> the /etc/pam.d/sshd file and added the pam_radius in there as:
>
> auth required pam_radius.so -update -/usr/local/etc/radius
>
> When you created the /etc/pam.conf file, you told PAM to not look in
> the /etc/pam.d directory for config info for any of the services
> listed in /etc/pam.d. This caused it to not know how to authenticate
> any logins, which resulted in it allowing all logins.
I don't now what's wrong, but this explanation is not correct (on 6.0-
BETA2). The man page states that /etc/pam.d/* information is
consulted before /etc/pam.conf, and creating an empty /etc/pam.conf
won't let me log in unless I enter a correct password.
Mz experience with pam has been too confusing to add any real
insight. I'd hope that des@ would be able to comment properly...
Stefan
--
Stefan Bethke <stb at lassitu.de> Fon +49 170 346 0140
More information about the freebsd-security
mailing list