Date: Sat, 17 May 2008 11:41:45 +0200 (CEST)
From: "Jacco van Buuren" <jaccovb@xs4all.nl>
To: freebsd-questions@freebsd.org
Subject: Login with ssh using pam_radius and a template_user
Message-ID: <7709.213.84.214.79.1211017305.squirrel@webmail.xs4all.nl>
Hello list,

I've searched and googled quite a bit for a solution to this, but didn't find any. I can't get PAM_RADIUS working with a TEMPLATE_USER for remote logins with SSHD. If I overlooked anything, any hints will be highly appreciated.

The situation is as follows: a RADIUS authorization backend system, server A, has user ALICE, with a password, and user BOB, with a password. Another server, server B, is using PAM_RADIUS for RADIUS authentication on SSHD for remote logins.

While attempting to figure out how pam_radius works on server B, pam (/etc/pam.d/sshd) is configured like this:

    auth      sufficient  pam_radius.so  try_first_pass template_user=bob debug
    account   sufficient  pam_radius.so  template_user=bob debug
    password  sufficient  pam_radius.so  try_first_pass template_user=bob debug

On server B, Bob has a plain vanilla Unix account in /etc/passwd, with an existing shell and home directory. When using the pam config shown above, Bob is asked for his RADIUS password from server A (as expected) when he tries to log in with ssh. This works perfectly OK for Bob: RADIUS authentication is working on server B when using ssh to log in - in this case regardless of his password. So far so good.

Since Bob has special privileges on server B, his account will be the template for a small group of other users, effectively sharing the bob account - not Bob's password - with others. template_user should provide for this; from the pam_radius man page:

    template_user=username
        specifies a user whose passwd(5) entry will be used as a template
        to create the session environment if the supplied username does
        not exist in local password database. The user will be
        authenticated with the supplied username and password, but his
        credentials to the system will be presented as the ones for
        username, i.e., his login class, home directory, resource limits,
        etc. will be set to ones defined for username.

        If this option is omitted, and there is no username in the system
        databases equal to the supplied one (as determined by call to
        getpwnam(3)), the authentication will fail.

As pam is configured with 'template_user=bob', it would be expected that user 'alice' - an account that doesn't exist on server B in /etc/passwd - should be able to log in with ssh, since Bob can log in...

Oddly enough, logging in ONLY works for user 'alice' when the account exists in /etc/passwd on server B. Which would still require all the accounts being present on server B, and thus defeating the purpose of a template_user. It seems that template_user has no effect, no matter which password (alice/bob) is used. sshd is actually complaining about pam:

    fatal: Internal error: PAM auth succeeded when it should have failed

From what I've googled it seems that this topic is returning every now and then, without any clear solution. Some do indeed point to OpenSSH (http://www.usenet-forums.com/openssh-development/336942-sshd-pam_radius-under-freebsd.html#post706102). I haven't tested this with telnetd or others.

To put it another way: I've found no document that explains why a pam_radius template_user shouldn't work with sshd. Can this be done at all? Am I overlooking anything? Should I send-pr this? Or am I totally misreading the man page?

Any help is much appreciated. Thanks!

Jacco
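The following is an added illustration and is not part of the post above or of pam_radius or OpenSSH. It models the two decisions that together produce the behaviour the poster describes: pam_radius, following the quoted man page, accepts an unknown login name when template_user points at an existing account, while sshd (as I read OpenSSH's auth-pam.c) resolves the login name with getpwnam(3) before PAM runs and only honours a PAM success if that lookup succeeded; a PAM success for a non-existent user is treated as the "Internal error: PAM auth succeeded when it should have failed" condition. The RADIUS user table, the local passwd table and the pam.d line are constructed sample data mirroring the post's servers A and B; the function and field names are my own.

```python
"""Why pam_radius template_user does not yield an sshd login for a user that
is absent from the local passwd database (added illustration, not from the
original post or from either project's code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: RADIUS backend (server A) and server B's /etc/passwd.
RADIUS_USERS = {"alice": "alice-secret", "bob": "bob-secret"}
LOCAL_PASSWD = {"bob": {"uid": 1001, "home": "/home/bob", "shell": "/bin/sh"}}

# The auth line from the poster's /etc/pam.d/sshd.
PAM_SSHD_AUTH_LINE = (
    "auth sufficient pam_radius.so try_first_pass template_user=bob debug"
)


def parse_template_user(pam_line: str) -> Optional[str]:
    """Return NAME from a template_user=NAME option on a pam.d line, or None."""
    for tok in pam_line.split():
        if tok.startswith("template_user="):
            return tok.split("=", 1)[1]
    return None


@dataclass
class PamResult:
    success: bool
    # Whose passwd(5) entry the session environment would be built from.
    effective_user: Optional[str]


def pam_radius_authenticate(user: str, password: str, pam_line: str) -> PamResult:
    """pam_radius as described by its man page: RADIUS decides whether the
    password is right; template_user decides whose local credentials are
    presented when the login name has no passwd(5) entry of its own."""
    if RADIUS_USERS.get(user) != password:
        return PamResult(False, None)
    if user in LOCAL_PASSWD:
        return PamResult(True, user)
    template = parse_template_user(pam_line)
    if template is not None and template in LOCAL_PASSWD:
        return PamResult(True, template)
    # Unknown user, no template configured (or template itself unknown).
    return PamResult(False, None)


def sshd_password_login(user: str, password: str, pam_line: str) -> str:
    """Model of sshd's ordering (my reading of OpenSSH auth-pam.c): the login
    name is looked up with getpwnam() before PAM is consulted, and a PAM
    success is only accepted for a name that lookup found."""
    valid = user in LOCAL_PASSWD  # what getpwnam() on server B would say
    pam = pam_radius_authenticate(user, password, pam_line)
    if pam.success and valid:
        return f"login as {pam.effective_user}"
    if pam.success and not valid:
        # PAM said yes for a user sshd never resolved: the log line the
        # poster quotes, not a login.
        return "fatal: Internal error: PAM auth succeeded when it should have failed"
    return "Permission denied"


if __name__ == "__main__":
    for who, pw in (("bob", "bob-secret"), ("alice", "alice-secret"), ("alice", "wrong")):
        print(f"{who}: {sshd_password_login(who, pw, PAM_SSHD_AUTH_LINE)}")
```

The consequence for the poster's setup is visible in the model: pam_radius_authenticate("alice", ...) does succeed and would present bob's credentials, exactly as the man page promises, but sshd_password_login("alice", ...) never reaches the login branch because "alice" fails the local lookup that sshd performs independently of PAM. Any service that resolves the login name itself before calling PAM will behave the same way; template_user only helps with PAM applications that do not.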