Date:      Thu, 19 Oct 2000 12:07:43 -0400
From:      Erik Fichtner <emf@servervault.com>
To:        freebsd-questions@freebsd.org
Subject:   ssh, pam, and pam_radius
Message-ID:  <20001019120743.H365@servervault.com>

Help. 

FreeBSD 4.1.1-STABLE's sshd will not listen to PAM. 

Step 1:
	we go into /usr/src/secure/usr.bin/sshd, and we add the following
to the Makefile:

CFLAGS+= -DHAVE_LIBPAM
LDADD+= -lpam

Now we type make.  

Whoops.. 
cc -O -pipe -DLIBWRAP -DLOGIN_ACCESS -DLOGIN_CAP -I/usr/src/secure/usr.sbin/sshd/../../../usr.bin/login -DHAVE_LIBPAM -DSKEY -DNO_IDEA   -c /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/auth1.c
/usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/auth1.c: In function `do_authloop':
/usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/auth1.c:161: syntax error before `int'
*** Error code 1



Step 2:
	we comment out the offending int pam_retval at line 161 of auth1.c,
as it's not referenced *anywhere*.. (which is a dramatically bad omen, if 
you ask me...)

make.

Yay. It builds.

make install.

ldd /usr/sbin/sshd
/usr/sbin/sshd:
        libpam.so.1 => /usr/lib/libpam.so.1 (0x2808b000)
        libopie.so.2 => /usr/lib/libopie.so.2 (0x28094000)
        libmd.so.2 => /usr/lib/libmd.so.2 (0x2809d000)
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280a7000)
        libcrypto.so.1 => /usr/lib/libcrypto.so.1 (0x280bc000)
        libutil.so.3 => /usr/lib/libutil.so.3 (0x28178000)
        libz.so.2 => /usr/lib/libz.so.2 (0x28181000)
        libwrap.so.3 => /usr/lib/libwrap.so.3 (0x2818e000)
        libc.so.4 => /usr/lib/libc.so.4 (0x28196000)

Mmm.. nice. It's got libpam built in now.


So I add an "sshd auth required pam_radius.so debug" line to my pam.conf
file.  (and, by the way, pam_radius works just fine with login and ftpd,
and yes, the "other" fallthrough is calling radius as well.)



To make the long story short, sshd won't consult pam.  It just goes right for
the password file.  


So, what do I need to do to fix this?  And why isn't this fixed for me already?
pam and openssh cooperate just fine on other platforms. ;)


Thanks ..

-- 
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
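
To rule out the pam.conf side of a setup like the one in this message before suspecting the sshd binary, the following added example (not part of the original message, and not FreeBSD or OpenSSH code) parses pam.conf-style text and reports which auth rules a service would get, including the "other" fallthrough. The sample file contents are constructed, `parse_pam_conf` and `effective_stack` are hypothetical helper names, and the per-type fallback to "other" is an assumption about the PAM library in use.

```python
"""Resolve which PAM rules apply to a service, from pam.conf-style text.

Each rule line is: service  module-type  control-flag  module-path  [args...]
"""

# Constructed sample; only the sshd line is taken from the message above.
SAMPLE_PAM_CONF = """\
# service  type   control    module          args
login      auth   required   pam_radius.so   debug
ftpd       auth   required   pam_radius.so   debug
sshd       auth   required   pam_radius.so   debug
other      auth   required   pam_radius.so   debug
"""


def parse_pam_conf(text):
    """Return a list of (service, type, control, module, args) tuples."""
    rules = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"expected at least 4 fields: {raw!r}")
        rules.append((fields[0], fields[1], fields[2], fields[3], fields[4:]))
    return rules


def effective_stack(rules, service, mtype="auth"):
    """Return (source, rules) for service/mtype, in file order.

    Assumption: a service with no rule of this type falls back to the
    "other" rules of that type. source is the service name or "other".
    """
    own = [r for r in rules if r[0] == service and r[1] == mtype]
    if own:
        return service, own
    return "other", [r for r in rules if r[0] == "other" and r[1] == mtype]


if __name__ == "__main__":
    parsed = parse_pam_conf(SAMPLE_PAM_CONF)
    for svc in ("sshd", "imapd"):  # imapd has no entry, so it uses "other"
        source, stack = effective_stack(parsed, svc)
        for _, _, control, module, args in stack:
            print(f"{svc}: auth {control} {module} {' '.join(args)} (from {source})")
```

A correct stack here only rules out the configuration file; it does not show that sshd ever calls into PAM.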

