Date:      Sun, 21 Aug 2005 00:47:54 +0200
From:      Stefan Bethke <stb@lassitu.de>
To:        Scot Hetzel <swhetzel@gmail.com>
Cc:        FreeBSD Security <freebsd-security@freebsd.org>, smalone@udallas.edu
Subject:   Re: pam_radius fail open?
Message-ID:  <E0E5EE35-3806-4CCB-8E41-58C839C93A8C@lassitu.de>
In-Reply-To: <790a9fff05081915323dc45ac6@mail.gmail.com>
References:  <430659EF.2060202@udallas.edu> <790a9fff05081915323dc45ac6@mail.gmail.com>


On 20.08.2005 at 00:32, Scot Hetzel wrote:

> On 8/19/05, Sean P. Malone <smalone@udallas.edu> wrote:
>
>> $ cat /etc/pam.conf
>> #
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>> #
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>>
>> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
>> #auth           required        pam_nologin.so          no_warn
>>
>
>
>> Basically, it's an empty file as far as pam_radius knows.
>>
>>
>
> I think you incorrectly configured your system, you should have edited
> the /etc/pam.d/sshd file and added the pam_radius in there as:
>
> auth required pam_radius.so -update -/usr/local/etc/radius
>
> When you created the /etc/pam.conf file, you told PAM to not look in
> the /etc/pam.d directory for config info for any of the services
> listed in /etc/pam.d.  This caused it to not know how to authenticate
> any logins, which resulted in it allowing all logins.

I don't know what's wrong, but this explanation is not correct (on
6.0-BETA2).  The man page states that /etc/pam.d/* information is
consulted before /etc/pam.conf, and creating an empty /etc/pam.conf
won't let me log in unless I enter a correct password.

My experience with pam has been too confusing to add any real
insight.  I'd hope that des@ would be able to comment properly...


Stefan

-- 
Stefan Bethke <stb@lassitu.de>   Fon +49 170 346 0140
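
A check related to the configuration discussed in this thread, added here as an example and not written by any of the posters: it lists the active (uncommented) auth rules a PAM file holds for one service, in either the /etc/pam.conf or the /etc/pam.d/<service> layout. The function names are assumptions, the sample input is the file quoted above with its header comments shortened, and backslash line continuations are not handled.

```shell
#!/bin/sh
# Added example: list the active (uncommented) auth rules for one service.

# active_auth_rules FORMAT SERVICE  (reads the config text on stdin)
#   FORMAT conf: /etc/pam.conf layout, first field is the service name
#   FORMAT d:    /etc/pam.d/<service> layout, no service field
active_auth_rules() {
    awk -v fmt="$1" -v svc="$2" '
        { sub(/#.*/, "") }                 # strip comments
        NF == 0 { next }                   # blank or fully commented line
        fmt == "conf" {
            if ($1 != svc) next            # rule belongs to another service
            $1 = ""; sub(/^[ \t]+/, "")    # drop the service field
        }
        $1 == "auth" { print }
    '
}

# Number of active auth rules, as a bare integer.
count_auth_rules() { active_auth_rules "$1" "$2" | wc -l | tr -d " \t"; }

# The /etc/pam.conf quoted in the thread (header comments shortened).
posted_conf() {
    cat <<'EOF'
#
# PAM configuration for the "sshd" service
#
# auth
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth           required        pam_nologin.so          no_warn
EOF
}

# The rule suggested in the reply, as it would appear in /etc/pam.d/sshd.
suggested_pam_d() {
    echo 'auth required pam_radius.so -update -/usr/local/etc/radius'
}

echo "posted pam.conf, sshd auth rules: $(posted_conf | count_auth_rules conf sshd)"
echo "suggested pam.d/sshd, auth rules: $(suggested_pam_d | count_auth_rules d sshd)"
```

A count of zero only says the file contributes no auth rule for that service; what PAM then does is the question the thread leaves open.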




