Date: Mon, 22 Aug 2005 14:23:59 +0200
From: des@des.no (Dag-Erling Smørgrav)
To: smalone@udallas.edu
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: pam_radius fail open?
Message-ID: <86oe7q5fds.fsf@xps.des.no>
In-Reply-To: <430659EF.2060202@udallas.edu> (Sean P. Malone's message of "Fri, 19 Aug 2005 17:15:11 -0500")
References: <430659EF.2060202@udallas.edu>
"Sean P. Malone" <smalone@udallas.edu> writes:
> I recently installed pam_radius according to the instructions located
> at the following address:
>
> https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern

why?  5.3 ships with pam_radius(8).

> However, I'm not sure if I've mistakenly stumbled onto a fail open
> situation in that I'm fairly new to FreeBSD.  Namely, while
> configuring /etc/pam.conf to validate SSH login credentials via radius
> against our existing Active Directory, I mistakenly typed the line for
> ssh as follows:

[...]

I am surprised that editing /etc/pam.conf had any effect at all, since
/etc/pam.d/sshd takes precedence.  Are you running a clean 5.3 install,
or did you upgrade from 4.x?

And yes, PAM does fail open when no configuration exists.  You can
easily change that by creating /etc/pam.d/default with the following
contents:

auth		required	pam_deny.so
account		required	pam_deny.so
session		required	pam_deny.so
password	required	pam_deny.so

or slightly less easily by adding the appropriate check around line 100
of src/contrib/openpam/lib/openpam_dispatch.c, like NetBSD did:

	if (chain == NULL)
		RETURNC(PAM_SYSTEM_ERR);

DES
-- 
Dag-Erling Smørgrav - des@des.no
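The following POSIX shell script is an added example and is not part of the thread or of FreeBSD/OpenPAM. It turns the deny-all /etc/pam.d/default policy above into something an administrator can install and audit: write_default_policy creates the file in a directory of your choosing, and check_default_policy reports whether that directory's default file really denies all four facilities (auth, account, session, password), so a typo such as "requires" instead of "required" is caught instead of silently leaving the fail-open behaviour in place. The PAMDIR variable and the function names are this example's own choices; the sample directory used when it is run below is constructed in a temporary location so nothing on the live system is touched unless you point PAMDIR at it.

```shell
#!/bin/sh
# Added example (not from the original thread or from OpenPAM):
# install and audit a fail-closed /etc/pam.d/default policy.

# Write a deny-all default policy into the pam.d directory given as $1.
# Unconfigured services then fall back to this file instead of failing open.
write_default_policy() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/default" <<'EOF'
# Fail closed: any service without its own policy file is denied.
auth     required  pam_deny.so
account  required  pam_deny.so
session  required  pam_deny.so
password required  pam_deny.so
EOF
}

# Return 0 if "$1/default" exists and every facility is "required pam_deny.so",
# 1 otherwise (missing file, missing facility, or a misspelled control flag).
# Comments after '#' are stripped before matching.
check_default_policy() {
    f="$1/default"
    [ -r "$f" ] || return 1
    for facility in auth account session password; do
        if ! sed 's/#.*//' "$f" | awk -v fac="$facility" \
            '$1 == fac && $2 == "required" && $3 ~ /pam_deny\.so/ { found = 1 }
             END { exit !found }'
        then
            return 1
        fi
    done
    return 0
}

# Report on the directory named by PAMDIR (default: /etc/pam.d) when run as a script.
pamdir="${PAMDIR:-/etc/pam.d}"
if check_default_policy "$pamdir"; then
    echo "$pamdir: fail-closed default policy present"
else
    echo "$pamdir: no deny-all default policy; unconfigured services FAIL OPEN"
fi
```

Run it unprivileged with PAMDIR pointing at a copy of the pam.d tree to audit a host, or as root with write_default_policy /etc/pam.d to install the policy; the audit deliberately insists on the control flag being exactly "required", because OpenPAM does not treat an unknown flag as a denial.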