Date: Thu, 1 Mar 2001 08:58:01 -0800 (PST)
From: B.Candler@pobox.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/25477: pam_radius fix to allow null passwords for challenge/response
Message-ID: <200103011658.f21Gw1h37499@freefall.freebsd.org>
>Number: 25477
>Category: bin
>Synopsis: pam_radius fix to allow null passwords for challenge/response
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Mar 01 09:00:03 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Brian Candler
>Release: 4.2-STABLE
>Organization:
>Environment:
>Description:
When using pam_radius, if there is no password (AUTHTOK) set previously
then PAM always prompts the user for a password.
However, when using a RADIUS server with challenge/response, the password
in the first Access-Request packet is always ignored. It should be possible
to provide a null password in this packet, and for PAM only to prompt
at the point of receiving an Access-Challenge.
See RFC 2865.
>How-To-Repeat:
Try configuring sshd for SkeyAuthentication with PAM, and a cryptocard
easyRadius server.
You will find that the TIS challenge is
RADIUS password:
and the TIS response sent back is the dummy password for the initial
Access-Request. The subsequent Access-Challenge causes an unexpected extra
exchange from PAM, and sshd aborts with "Conversation Error".
Applying the patch below, and adding "nullok" after pam_radius.so in
pam.conf, makes it work. The initial Access-Request uses a null
password without prompting the user. The first user prompt is thus
the Radius challenge (given as an SSH_SMSG_AUTH_TIS_CHALLENGE), and
the response is, well, the response :-)
This works nicely and allows even a Windows client running ttssh to make
a successful ssh login with challenge/response and RADIUS backend.
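The prompt-count problem described above, as an added example that is not part of this PR or of FreeBSD's pam_radius code: a constructed, in-process model (no network, no real RADIUS packets) of a challenge/response backend that ignores the password in the first Access-Request, a PAM-style authenticate step with and without the proposed nullok option, and a scripted conversation limited to one prompt, the way sshd's TIS authentication is. All names here (mock_server_handle, radius_authenticate, run_login, last_prompt_count), the State value format and the sample token response "123456" are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the exchange described in this PR: an in-process
 * stand-in for a RADIUS challenge/response backend that ignores the
 * password in the first Access-Request, replies with an Access-Challenge
 * carrying a State value, and checks the password only on the request
 * that returns that State. No network, no real RADIUS packets.
 */

enum rad_code { ACCESS_ACCEPT = 2, ACCESS_REJECT = 3, ACCESS_CHALLENGE = 11 };
#define CONV_ERR (-1)	/* stands in for sshd's "Conversation Error" */

struct mock_server {			/* assumed server state, not real RADIUS */
	const char *token_response;	/* reply the user's token should produce */
	char issued_state[16];		/* State attribute sent with the challenge */
	int sessions;
};

static int
mock_server_handle(struct mock_server *srv, const char *password,
    const char *state_in, char *state_out, size_t state_len,
    char *challenge_out, size_t challenge_len)
{
	if (state_in == NULL) {
		/* First Access-Request: the password is ignored, as the PR says. */
		(void)password;
		srv->sessions++;
		snprintf(srv->issued_state, sizeof srv->issued_state,
		    "st-%d", srv->sessions);
		snprintf(state_out, state_len, "%s", srv->issued_state);
		snprintf(challenge_out, challenge_len,
		    "Challenge %d, enter token response:", srv->sessions);
		return ACCESS_CHALLENGE;
	}
	/* Second Access-Request: must echo the State and carry the response. */
	if (strcmp(state_in, srv->issued_state) != 0)
		return ACCESS_REJECT;
	return strcmp(password, srv->token_response) == 0 ?
	    ACCESS_ACCEPT : ACCESS_REJECT;
}

/*
 * Scripted conversation: answers every prompt with one fixed reply but
 * returns NULL once more than max_prompts have been issued, the way
 * sshd's TIS authentication allows exactly one exchange.
 */
struct scripted_conv {
	const char *reply;
	int max_prompts;
	int prompts;		/* prompts attempted, including a refused one */
};

static const char *
conv_prompt(struct scripted_conv *c, const char *prompt)
{
	(void)prompt;
	return ++c->prompts > c->max_prompts ? NULL : c->reply;
}

/*
 * Models pam_radius's authenticate step: authtok is the previously set
 * PAM_AUTHTOK (NULL if none), nullok the option the patch adds.
 */
static int
radius_authenticate(struct mock_server *srv, const char *authtok, int nullok,
    struct scripted_conv *conv)
{
	const char *pass;
	char state[16] = "", challenge[64];
	int code;

	if (nullok)
		pass = authtok != NULL ? authtok : "dummy";	/* as in the patch */
	else if (authtok != NULL)
		pass = authtok;
	else if ((pass = conv_prompt(conv, "RADIUS password:")) == NULL)
		return CONV_ERR;

	code = mock_server_handle(srv, pass, NULL, state, sizeof state,
	    challenge, sizeof challenge);
	while (code == ACCESS_CHALLENGE) {
		if ((pass = conv_prompt(conv, challenge)) == NULL)
			return CONV_ERR;
		code = mock_server_handle(srv, pass, state, state, sizeof state,
		    challenge, sizeof challenge);
	}
	return code;
}

static int last_prompt_count;	/* prompts attempted by the last run_login() */

/* One login with no AUTHTOK set; returns the final code. */
static int
run_login(int nullok, int max_prompts, const char *reply)
{
	struct mock_server srv = { "123456", "", 0 };	/* constructed token value */
	struct scripted_conv conv = { reply, max_prompts, 0 };
	int code = radius_authenticate(&srv, NULL, nullok, &conv);

	last_prompt_count = conv.prompts;
	return code;
}
```

With the conversation limited to one prompt, run_login(0, 1, "123456") fails with CONV_ERR after attempting a second prompt, which is the failure the PR reports; run_login(1, 1, "123456") succeeds after a single prompt, the challenge, because the first Access-Request went out with the placeholder password and no user interaction.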
>Fix:
Patch for /usr/src/lib/libpam/modules/ attached, which adds a "nullok"
parameter to pam_radius.so.
--- pam_radius.c.orig Thu Mar 1 15:32:11 2001
+++ pam_radius.c Thu Mar 1 16:03:15 2001
@@ -45,6 +45,7 @@
/* Option names, including the "=" sign. */
#define OPT_CONF "conf="
#define OPT_TMPL "template_user="
+#define OPT_NULLOK "nullok"
static int build_access_request(struct rad_handle *, const char *,
const char *, const void *, size_t);
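Review bot: the new `#define OPT_NULLOK "nullok"` sits directly under the comment "Option names, including the "=" sign", but nullok is a bare flag with no "=" and is matched with strcmp rather than the strncmp-with-length pattern used for OPT_CONF and OPT_TMPL; either reword the comment (e.g. "Option names; value-taking ones include the "=" sign") or place the flag define in its own group so the next option added by analogy does not get a stray "=".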
@@ -202,6 +203,7 @@
const char *pass;
const char *conf_file = NULL;
const char *template_user = NULL;
+ int nullok = 0;
int options = 0;
int retval;
int i;
@@ -216,10 +218,17 @@
else if (strncmp(argv[i], OPT_TMPL,
(len = strlen(OPT_TMPL))) == 0)
template_user = argv[i] + len;
+ else if (strcmp(argv[i], OPT_NULLOK) == 0)
+ nullok = 1;
}
if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
return retval;
- if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT,
+ if (nullok) {
+ if (pam_get_item(pamh, PAM_AUTHTOK, &pass) != PAM_SUCCESS
+ || pass == NULL)
+ pass = "dummy";
+ }
+ else if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT,
options)) != PAM_SUCCESS)
return retval;
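Review bot: `pam_get_item(pamh, PAM_AUTHTOK, &pass)` passes a `const char **` where pam_get_item takes `const void **`, so this line will draw an incompatible-pointer-type warning; read into a `const void *item` and assign `pass = item`, or cast `(const void **)&pass`. Two behavioural points on the same block deserve a comment in the code: with nullok set, the `options` built from use_first_pass/try_first_pass are never consulted, and what is sent when no AUTHTOK exists is the literal string "dummy", not an empty User-Password, which matters if the module is ever pointed at a server that does not do challenge/response.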
--- pam_radius.8.orig Thu Mar 1 15:32:24 2001
+++ pam_radius.8 Thu Mar 1 15:38:00 2001
@@ -48,6 +48,7 @@
.Nm pam_radius.so
.Op Cm use_first_pass
.Op Cm try_first_pass
+.Op Cm nullok
.Op Cm echo_pass
.Op Cm conf Ns No = Ns Ar pathname
.Op Cm template_user Ns No = Ns Ar username
@@ -74,6 +75,11 @@
password has been entered,
.Nm
prompts for one as usual.
+.It Cm nullok
+causes
+.Nm
+never to prompt for a new password. If no password has been previously
+entered, a null one is sent.
.It Cm echo_pass
causes echoing to be left on if
.Nm
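Review bot: the new text says "a null one is sent", but the code sends the literal placeholder "dummy" as the password, so the man page should say a placeholder password is sent; it should also state that nullok is intended for servers doing challenge/response, where the password in the first Access-Request is ignored, since against a plain password server the option would submit the placeholder as the user's password without ever prompting.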
>Release-Note:
>Audit-Trail:
>Unformatted:
