From: des@des.no (Dag-Erling Smørgrav)
To: smalone@udallas.edu
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: pam_radius fail open?
Date: Mon, 22 Aug 2005 14:23:59 +0200
Message-ID: <86oe7q5fds.fsf@xps.des.no>
In-Reply-To: <430659EF.2060202@udallas.edu> (Sean P. Malone's message of "Fri, 19 Aug 2005 17:15:11 -0500")
References: <430659EF.2060202@udallas.edu>

"Sean P. Malone" <smalone@udallas.edu> writes:
> I recently installed pam_radius according to the instructions located
> at the following address:
>
> https://www.freebsd.uwaterloo.ca/twiki/bin/view/Freebsd/PamRadius?shin=print.patern

Why? 5.3 ships with pam_radius(8).

> However, I'm not sure if I've mistakenly stumbled onto a fail open
> situation in that I'm fairly new to FreeBSD. Namely, while
> configuring /etc/pam.conf to validate SSH login credentials via radius
> against our existing Active Directory, I mistakenly typed the line for
> ssh as follows:

[...]

I am surprised that editing /etc/pam.conf had any effect at all, since
/etc/pam.d/sshd takes precedence. Are you running a clean 5.3 install,
or did you upgrade from 4.x?

And yes, PAM does fail open when no configuration exists. You can
easily change that by creating /etc/pam.d/default with the following
contents:

auth      required  pam_deny.so
account   required  pam_deny.so
session   required  pam_deny.so
password  required  pam_deny.so

or slightly less easily by adding the appropriate check around line 100
of src/contrib/openpam/lib/openpam_dispatch.c, like NetBSD did:

    if (chain == NULL)
        RETURNC(PAM_SYSTEM_ERR);

DES
-- 
Dag-Erling Smørgrav - des@des.no
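The fail-closed /etc/pam.d/default described in the reply above only helps if it actually covers all four PAM facilities with pam_deny.so; a mistyped control word or a forgotten line leaves that facility open again. The following POSIX sh audit script is an added example, not part of the original message or of FreeBSD: `pam_default_is_fail_closed` takes a pam.d directory as its argument (any path; /etc/pam.d is the real one) and reports whether its `default` policy denies every facility. The `make_sample` helper builds constructed sample directories so the check can be run offline.

```shell
#!/bin/sh
# Added example (not from the original message): audit a PAM configuration
# directory for a fail-closed "default" policy as described in the reply.
# Returns 0 when every facility (auth, account, session, password) in
# "$1/default" has a "required pam_deny.so" line, 1 otherwise.
# Usage: pam_default_is_fail_closed /etc/pam.d

pam_default_is_fail_closed() {
    dir="$1"
    f="$dir/default"
    if [ ! -f "$f" ]; then
        echo "no $f: services without a policy file will fail open" >&2
        return 1
    fi
    rc=0
    for fac in auth account session password; do
        # Strip comments, then require a line whose first three fields are
        # exactly "<facility> required pam_deny.so" (whitespace is ignored).
        if ! sed 's/#.*//' "$f" | awk -v fac="$fac" \
            '$1 == fac && $2 == "required" && $3 == "pam_deny.so" { found = 1 }
             END { exit !found }'; then
            echo "$f: facility '$fac' does not deny by default" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample directories for demonstration (hypothetical contents):
#   good/    - the fail-closed default from the reply
#   bad/     - a misspelled control word leaves the password facility open
#   missing/ - no default file at all
# Prints the temporary parent directory so callers can clean it up.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/good" "$d/bad" "$d/missing"
    cat > "$d/good/default" <<'EOF'
# constructed sample: fail-closed default
auth      required  pam_deny.so
account   required  pam_deny.so
session   required  pam_deny.so
password  required  pam_deny.so
EOF
    cat > "$d/bad/default" <<'EOF'
# constructed sample: "requires" is not a valid control word
auth      required  pam_deny.so
account   required  pam_deny.so
session   required  pam_deny.so
password  requires  pam_deny.so
EOF
    echo "$d"
}
```

Run `pam_default_is_fail_closed /etc/pam.d` on a host after creating the default file; the check is deliberately strict (it accepts only `required pam_deny.so`, not `sufficient` or other modules) because the point of the default policy is to deny everything that has no policy of its own.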