Date: Fri, 19 Aug 2005 17:32:37 -0500
From: Scot Hetzel <swhetzel@gmail.com>
To: smalone@udallas.edu
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: pam_radius fail open?
Message-ID: <790a9fff05081915323dc45ac6@mail.gmail.com>
In-Reply-To: <430659EF.2060202@udallas.edu>
References: <430659EF.2060202@udallas.edu>

On 8/19/05, Sean P. Malone <smalone@udallas.edu> wrote:
> $ cat /etc/pam.conf
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
>
> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
> #auth required pam_nologin.so no_warn
> Basically, it's an empty file as far as pam_radius knows.
>

I think you incorrectly configured your system; you should have edited
the /etc/pam.d/sshd file and added the pam_radius in there as:

auth required pam_radius.so -update -/usr/local/etc/radius

When you created the /etc/pam.conf file, you told PAM to not look in
the /etc/pam.d directory for config info for any of the services
listed in /etc/pam.d. This caused it to not know how to authenticate
any logins, which resulted in it allowing all logins.

I believe this is also why you were able to log into your system with just a:

ssh auth required pam_radius.so -update -/usr/local/etc/radius

in your /etc/pam.conf, as there was no entry for sshd in pam.conf.

Scot
--
DISCLAIMER:
No electrons were maimed while sending this message. Only slightly bruised.
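
Added example, not part of the original message or of any PAM distribution: a small Python check that parses pam.conf-style text and reports whether a service has an active `auth` rule of its own, only the `other` fallback, or none at all. The sample inputs are constructed from the lines quoted in this thread; the function names and the `other ... pam_deny.so` fallback line are assumptions for illustration.

```python
FACILITIES = {"auth", "account", "session", "password"}

# Constructed sample: the rule lines of the file quoted above, all commented out.
QUOTED = """\
# auth
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth required pam_nologin.so no_warn
"""
# Constructed sample: the single line from the reply, filed under "ssh".
MISNAMED = "ssh auth required pam_radius.so -update -/usr/local/etc/radius\n"
# Constructed sample: an sshd rule plus an explicit deny fallback (assumed policy).
WITH_FALLBACK = """\
sshd auth required pam_radius.so -update -/usr/local/etc/radius
other auth required pam_deny.so
"""


def parse_pam_conf(text):
    """Return (rules, malformed) for the active lines of pam.conf-style text.

    rules maps service -> facility -> [(control, module, args)].
    Assumes plain control keywords (no bracketed "[...]" controls).
    """
    rules, malformed = {}, []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1].lower() not in FACILITIES:
            malformed.append(line)  # e.g. a pam.d-style line with no service field
            continue
        service, facility, control, module, *args = fields
        rules.setdefault(service.lower(), {}).setdefault(
            facility.lower(), []).append((control, module, args))
    return rules, malformed


def audit_auth(text, services):
    """Map each service to "own", "other" (fallback only) or "none" (no auth rule here)."""
    rules, _ = parse_pam_conf(text)
    fallback = bool(rules.get("other", {}).get("auth"))
    return {s: "own" if rules.get(s.lower(), {}).get("auth")
            else "other" if fallback else "none" for s in services}
```

A result of "none" only says that this file supplies no `auth` rule for the service; what PAM does next depends on the implementation and on any other policy files, so treat it as a finding to investigate.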