From: Erik Fichtner
Date: Thu, 19 Oct 2000 12:07:43 -0400
To: freebsd-questions@freebsd.org
Subject: ssh, pam, and pam_radius
Message-ID: <20001019120743.H365@servervault.com>
Reply-To: emf@servervault.com

Help. FreeBSD 4.1.1-STABLE's sshd will not listen to PAM.

Step 1: we go into /usr/src/secure/usr.bin/sshd, and we add the following
to the Makefile:

    CFLAGS+= -DHAVE_LIBPAM
    LDADD+= -lpam

Now we type make. Whoops..

    cc -O -pipe -DLIBWRAP -DLOGIN_ACCESS -DLOGIN_CAP -I/usr/src/secure/usr.sbin/sshd/../../../usr.bin/login -DHAVE_LIBPAM -DSKEY -DNO_IDEA -c /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/auth1.c
    /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/auth1.c: In function `do_authloop':
    /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/auth1.c:161: syntax error before `int'
    *** Error code 1

Step 2: we comment out the offending int pam_retval at line 161 of auth1.c,
as it's not referenced *anywhere*.. (which is a dramatically bad omen, if
you ask me...)

make. Yay. It builds. make install.

    ldd /usr/sbin/sshd
    /usr/sbin/sshd:
            libpam.so.1 => /usr/lib/libpam.so.1 (0x2808b000)
            libopie.so.2 => /usr/lib/libopie.so.2 (0x28094000)
            libmd.so.2 => /usr/lib/libmd.so.2 (0x2809d000)
            libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280a7000)
            libcrypto.so.1 => /usr/lib/libcrypto.so.1 (0x280bc000)
            libutil.so.3 => /usr/lib/libutil.so.3 (0x28178000)
            libz.so.2 => /usr/lib/libz.so.2 (0x28181000)
            libwrap.so.3 => /usr/lib/libwrap.so.3 (0x2818e000)
            libc.so.4 => /usr/lib/libc.so.4 (0x28196000)

Mmm.. nice. It's got libpam built in now.

So I add an "sshd auth required pam_radius.so debug" line to my pam.conf
file. (And, by the way, pam_radius works just fine with login and ftpd, and
yes, the "other" fallthrough is calling radius as well.)

To make the long story short, sshd won't consult pam. It just goes right
for the password file.

So, what do I need to do to fix this? And why isn't this fixed for me
already? pam and openssh cooperate just fine on other platforms. ;)

Thanks ..

--
Erik Fichtner
Security Administrator, ServerVault, Inc.
703-333-5900
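
An added example, not part of the original message: a shell check that resolves which pam.conf lines apply to a service and module type, falling back to the "other" entries when the service has none of its own. It assumes the single-file pam.conf layout (service, type, control, module, arguments); the function names and the sample file are constructed for illustration. It verifies only the configuration side and says nothing about whether the sshd binary actually calls PAM.

```shell
#!/bin/sh
# write_sample_conf FILE (hypothetical helper)
# Writes a constructed pam.conf modelled on the entries the message mentions.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample: service type control module [args]
login   auth    required    pam_radius.so   debug
ftpd    auth    required    pam_radius.so   debug
sshd    auth    required    pam_radius.so   debug
other   auth    required    pam_radius.so
other   account required    pam_unix.so
EOF
}

# pam_stack FILE SERVICE TYPE (hypothetical helper)
# Prints "control module args" for every line that applies to SERVICE/TYPE.
# Lines for SERVICE win; "other" is used only when SERVICE has none.
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        $2 != typ { next }                  # different module type
        {
            rest = $3
            for (i = 4; i <= NF; i++) rest = rest " " $i
        }
        $1 == svc     { own[++n]  = rest }
        $1 == "other" { dflt[++m] = rest }
        END {
            if (n > 0) { for (i = 1; i <= n; i++) print own[i] }
            else       { for (i = 1; i <= m; i++) print dflt[i] }
        }
    ' "$1"
}

# Demo on the constructed file: what would PAM run for sshd authentication?
conf=$(mktemp) && write_sample_conf "$conf"
pam_stack "$conf" sshd auth
rm -f "$conf"
```

Pointed at the real /etc/pam.conf, empty output for "sshd auth" means neither an sshd line nor an "other" line of that type exists.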