Date: Thu, 1 Mar 2001 08:58:01 -0800 (PST)
From: B.Candler@pobox.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: bin/25477: pam_radius fix to allow null passwords for challenge/response
Message-ID: <200103011658.f21Gw1h37499@freefall.freebsd.org>
>Number:         25477
>Category:       bin
>Synopsis:       pam_radius fix to allow null passwords for challenge/response
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Mar 01 09:00:03 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Brian Candler
>Release:        4.2-STABLE
>Organization:
>Environment:
>Description:

When using pam_radius, if there is no password (AUTHTOK) set previously then PAM always prompts the user for a password. However, when using a RADIUS server with challenge/response, the password in the first Access-Request packet is always ignored. It should be possible to provide a null password in this packet, and for PAM only to prompt at the point of receiving an Access-Challenge. See RFC 2865.

>How-To-Repeat:

Try configuring sshd for SkeyAuthentication with PAM, and a cryptocard easyRadius server. You will find that the TIS challenge is "RADIUS password:" and the TIS response sent back is the dummy password for the initial Access-Request. The subsequent Access-Challenge causes an unexpected extra exchange from PAM, and sshd aborts with "Conversation Error".

Applying the patch below, and adding "nullok" after pam_radius.so in pam.conf, makes it work. The initial Access-Request uses a null password without prompting the user. The first user prompt is thus the RADIUS challenge (given as an SSH_SMSG_AUTH_TIS_CHALLENGE), and the response is, well, the response :-)

This works nicely and allows even a Windows client running ttssh to make a successful ssh login with challenge/response and a RADIUS backend.

>Fix:

Patch for /usr/src/lib/libpam/modules/ attached, which adds a "nullok" parameter to pam_radius.so.

--- pam_radius.c.orig Thu Mar 1 15:32:11 2001
+++ pam_radius.c Thu Mar 1 16:03:15 2001
@@ -45,6 +45,7 @@ /* Option names, including the "=" sign. */ #define OPT_CONF "conf=" #define OPT_TMPL "template_user=" +#define OPT_NULLOK "nullok" static int build_access_request(struct rad_handle *, const char *, const char *, const void *, size_t); @@ -202,6 +203,7 @@ const char *pass; const char *conf_file = NULL; const char *template_user = NULL; + int nullok = 0; int options = 0; int retval; int i; @@ -216,10 +218,17 @@ else if (strncmp(argv[i], OPT_TMPL, (len = strlen(OPT_TMPL))) == 0) template_user = argv[i] + len; + else if (strcmp(argv[i], OPT_NULLOK) == 0) + nullok = 1; } if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) return retval; - if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, + if (nullok) { + if (pam_get_item(pamh, PAM_AUTHTOK, &pass) != PAM_SUCCESS + || pass == NULL) + pass = "dummy"; + } + else if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, options)) != PAM_SUCCESS) return retval; --- pam_radius.8.orig Thu Mar 1 15:32:24 2001 +++ pam_radius.8 Thu Mar 1 15:38:00 2001 @@ -48,6 +48,7 @@ .Nm pam_radius.so .Op Cm use_first_pass .Op Cm try_first_pass +.Op Cm nullok .Op Cm echo_pass .Op Cm conf Ns No = Ns Ar pathname .Op Cm template_user Ns No = Ns Ar username @@ -74,6 +75,11 @@ password has been entered, .Nm prompts for one as usual. +.It Cm nullok +causes +.Nm +never to prompt for a new password. If no password has been previously +entered, a null one is sent. .It Cm echo_pass causes echoing to be left on if .Nm
>Release-Note:
>Audit-Trail:
>Unformatted:
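Review bot: in the @@ -45,6 +45,7 @@ hunk of pam_radius.c, the comment directly above the new define says the OPT_* names include the "=" sign, but OPT_NULLOK "nullok" is a bare flag with no argument; either amend that comment or note beside OPT_NULLOK that it takes no value, so the strncmp/strcmp split in the option loop is explained where the names are defined.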
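Review bot: in the @@ -216,10 +218,17 @@ hunk of pam_radius.c, `pam_get_item(pamh, PAM_AUTHTOK, &pass)` passes a `const char **` where pam_get_item() takes a `const void **`, which is an incompatible-pointer-type warning (an error under -Werror); fetch into a `const void *item` and assign `pass = item`. Two more points on the same branch: the fallback sends the literal string "dummy" while the synopsis and the new manual text describe a null password, so either send "" or document that a placeholder is sent; and when nullok is set the module never prompts at all and also bypasses the `options` (use_first_pass/try_first_pass) handling that pam_get_pass() applies, so against a server that does not answer with an Access-Challenge the user's real password is never collected. That restriction belongs in the manual page, and a short comment here saying the first request's password is expected to be discarded by the server would make the intent clear to the next reader.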
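Review bot: in the @@ -74,6 +75,11 @@ hunk of pam_radius.8, "a null one is sent" does not match the code, which sends the string "dummy"; word it as "a placeholder password is sent" (or change the code to send an empty password). The entry should also say that nullok is only meaningful with a RADIUS server that replies to the first Access-Request with an Access-Challenge, since with it set the module never prompts for a password on its own.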
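The exchange described in the Description and How-To-Repeat above, as an added example that is not part of the report or of the pam_radius code: a small C model of a challenge/response RADIUS server that ignores the User-Password of the first Access-Request, a conversation that can carry only one prompt/response pair (as in sshd's TIS exchange), and a module that either prompts up front or, with nullok, sends a placeholder. The packet codes are the RFC 2865 values; the State value, challenge text and expected token response are constructed, and the use_first_pass/try_first_pass handling of the real module is simplified to "reuse a prior AUTHTOK if present, else prompt".

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the PAM <-> RADIUS challenge/response flow discussed
 * in the report; it is not the pam_radius module itself. */

/* RADIUS packet codes, values as in RFC 2865. */
enum rad_code { ACCESS_REQUEST = 1, ACCESS_ACCEPT = 2, ACCESS_REJECT = 3, ACCESS_CHALLENGE = 11 };

/* Only the attributes this flow needs; User-Password is kept in the clear. */
struct rad_pkt {
	enum rad_code code;
	const char *password;   /* User-Password */
	const char *state;      /* State, NULL when absent */
	const char *reply_msg;  /* Reply-Message, used as the prompt text */
};

#define CHALLENGE_STATE   "chal-0001"          /* constructed opaque State value */
#define CHALLENGE_TEXT    "Challenge 314159: " /* constructed challenge text */
#define EXPECTED_RESPONSE "87654321"           /* constructed token response */

/* Mock server: a request without State gets a challenge; its password is ignored. */
static struct rad_pkt radius_server(const struct rad_pkt *req)
{
	struct rad_pkt resp = { ACCESS_REJECT, NULL, NULL, NULL };

	if (req->code != ACCESS_REQUEST)
		return resp;
	if (req->state == NULL) {
		resp.code = ACCESS_CHALLENGE;   /* req->password is never examined */
		resp.state = CHALLENGE_STATE;
		resp.reply_msg = CHALLENGE_TEXT;
		return resp;
	}
	if (strcmp(req->state, CHALLENGE_STATE) == 0 &&
	    strcmp(req->password, EXPECTED_RESPONSE) == 0)
		resp.code = ACCESS_ACCEPT;
	return resp;
}

/* One-shot conversation: the client can answer exactly one prompt per login. */
struct conv {
	const char *answer;   /* what the user types to the first prompt */
	int prompts;          /* number of prompts the module issued */
};

static const char *conv_prompt(struct conv *c, const char *msg)
{
	const char *a = c->answer;

	(void)msg;
	c->prompts++;
	c->answer = NULL;   /* a second prompt gets no answer */
	return a;
}

enum { AUTH_OK = 0, AUTH_FAIL = 1, CONV_ERR = 2 };

/* Model of the authenticate step: authtok is whatever an earlier module left in
 * PAM_AUTHTOK (NULL if nothing); nullok mirrors the patched behaviour. */
static int radius_authenticate(struct conv *c, int nullok, const char *authtok)
{
	struct rad_pkt req = { ACCESS_REQUEST, NULL, NULL, NULL };
	struct rad_pkt resp;
	const char *pass;

	if (nullok)
		pass = authtok != NULL ? authtok : "dummy";   /* no prompt, placeholder */
	else if (authtok != NULL)
		pass = authtok;
	else if ((pass = conv_prompt(c, "RADIUS password: ")) == NULL)
		return CONV_ERR;

	req.password = pass;
	resp = radius_server(&req);
	while (resp.code == ACCESS_CHALLENGE) {
		if ((pass = conv_prompt(c, resp.reply_msg)) == NULL)
			return CONV_ERR;   /* what sshd reports as "Conversation Error" */
		req.password = pass;
		req.state = resp.state;
		resp = radius_server(&req);
	}
	return resp.code == ACCESS_ACCEPT ? AUTH_OK : AUTH_FAIL;
}

struct login_result { int rc; int prompts; };

/* One login attempt with no prior PAM_AUTHTOK; 'typed' is the user's one answer. */
struct login_result run_login(int nullok, const char *typed)
{
	struct conv c = { typed, 0 };
	struct login_result r;

	r.rc = radius_authenticate(&c, nullok, NULL);
	r.prompts = c.prompts;
	return r;
}

int main(void)
{
	struct login_result a = run_login(0, EXPECTED_RESPONSE);
	struct login_result b = run_login(1, EXPECTED_RESPONSE);

	printf("without nullok: rc %d after %d prompt(s)\n", a.rc, a.prompts);
	printf("with nullok:    rc %d after %d prompt(s)\n", b.rc, b.prompts);
	return 0;
}
```

Without nullok the single answer is spent on the password prompt the server discards, and the challenge prompt then finds nothing to return, which is the failure the report describes; with nullok the one prompt is the challenge itself and the token response reaches the server in the second Access-Request. The model also makes the trade-off visible: with nullok the module never prompts on its own, so a server that does not issue an Access-Challenge would only ever see the placeholder.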