From owner-freebsd-security@FreeBSD.ORG Fri Aug 19 22:32:39 2005
From: Scot Hetzel
To: smalone@udallas.edu
Cc: FreeBSD Security
Date: Fri, 19 Aug 2005 17:32:37 -0500
Subject: Re: pam_radius fail open?
Message-ID: <790a9fff05081915323dc45ac6@mail.gmail.com>
In-Reply-To: <430659EF.2060202@udallas.edu>
List-Id: "Security issues [members-only posting]"

On 8/19/05, Sean P.
Malone wrote:
> $ cat /etc/pam.conf
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
>
> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
> #auth required pam_nologin.so no_warn
> Basically, it's an empty file as far as pam_radius knows.
>

I think you incorrectly configured your system. You should have edited the /etc/pam.d/sshd file and added pam_radius there as:

auth required pam_radius.so -update -/usr/local/etc/radius

When you created the /etc/pam.conf file, you told PAM not to look in the /etc/pam.d directory for config info for any of the services listed in /etc/pam.d. This caused it to not know how to authenticate any logins, which resulted in it allowing all logins.

I believe this is also why you were able to log into your system with just a:

ssh auth required pam_radius.so -update -/usr/local/etc/radius

in your /etc/pam.conf, as there was no entry for sshd in pam.conf.

Scot
--
DISCLAIMER: No electrons were maimed while sending this message. Only slightly bruised.
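As an added example, not part of the thread above and not FreeBSD's or OpenPAM's own code: a small POSIX shell audit that parses a PAM policy file and reports whether its "auth" management group is effectively empty, which is the situation the poster had (every pam_radius line commented out) and the one Scot points to with the "ssh" versus "sshd" service name. It handles both the /etc/pam.d/<service> layout ("type control module args") and the /etc/pam.conf layout ("service type control module args"). The sample policy files, their directory and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): report PAM policy files whose
# "auth" chain has no active module, so that a commented-out pam_radius line
# or a wrong service name in pam.conf is caught before it is relied on.

# pam_active_auth_lines FILE [SERVICE]
#   Print the active (uncommented, non-blank) "auth" lines of FILE.
#   With SERVICE given, FILE is read as pam.conf-style and only that
#   service's lines are kept; otherwise FILE is read as a pam.d/<service> file.
pam_active_auth_lines() {
    if [ -n "$2" ]; then
        sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" |
            awk -v svc="$2" '$1 == svc && $2 == "auth"'
    else
        sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" |
            awk '$1 == "auth"'
    fi
}

# pam_auth_status FILE [SERVICE]
#   Print "empty" when no active auth line exists for the policy
#   (the poster's case), "ok" when at least one required/requisite
#   auth module is present, and "no-required" otherwise.
pam_auth_status() {
    lines=$(pam_active_auth_lines "$1" "$2")
    if [ -z "$lines" ]; then
        echo empty
        return 0
    fi
    # control flag is column 2 in pam.d files, column 3 in pam.conf
    if [ -n "$2" ]; then ctl=3; else ctl=2; fi
    if printf '%s\n' "$lines" |
        awk -v c="$ctl" '$c == "required" || $c == "requisite" {found=1} END {exit !found}'; then
        echo ok
    else
        echo no-required
    fi
}

# Constructed sample policies (hypothetical, not the poster's real files).
PAM_DEMO_DIR=${TMPDIR:-/tmp}/pam-audit-demo.$$
mkdir -p "$PAM_DEMO_DIR"
trap 'rm -rf "$PAM_DEMO_DIR"' EXIT

# pam.d-style sshd policy with everything commented out
cat > "$PAM_DEMO_DIR/sshd.broken" <<'EOF'
# PAM configuration for the "sshd" service
# auth
#auth required pam_radius.so
#auth required pam_nologin.so no_warn
EOF

# pam.d-style sshd policy with the radius module actually enabled
cat > "$PAM_DEMO_DIR/sshd.fixed" <<'EOF'
# auth
auth required pam_radius.so
auth required pam_nologin.so no_warn
EOF

# pam.conf-style file that names the service "ssh", not "sshd"
cat > "$PAM_DEMO_DIR/pam.conf" <<'EOF'
# pam.conf style: service name in the first column
ssh  auth required pam_radius.so
EOF

for f in sshd.broken sshd.fixed; do
    printf '%s: %s\n' "$f" "$(pam_auth_status "$PAM_DEMO_DIR/$f")"
done
printf 'pam.conf service sshd: %s\n' "$(pam_auth_status "$PAM_DEMO_DIR/pam.conf" sshd)"
printf 'pam.conf service ssh:  %s\n' "$(pam_auth_status "$PAM_DEMO_DIR/pam.conf" ssh)"
```

Point the functions at a real /etc/pam.d/sshd (or at /etc/pam.conf with the exact service name sshd uses) to check a host; an "empty" result means the policy contributes no authentication module at all, which is the condition to rule out before trusting pam_radius.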