From owner-freebsd-security@FreeBSD.ORG Sat Aug 20 22:48:48 2005
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF0B216A41F; Sat, 20 Aug 2005 22:48:48 +0000 (GMT) (envelope-from stb@lassitu.de)
Received: from rohrpostix.tallence.de (rohrpostix.tallence.de [212.12.62.166]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C9DB43D46; Sat, 20 Aug 2005 22:48:48 +0000 (GMT) (envelope-from stb@lassitu.de)
Received: from [44.128.40.11] (janus.spock.tallence.de [44.128.40.11]) by rohrpostix.tallence.de (Postfix) with ESMTP id 4EE8F1AD919; Sun, 21 Aug 2005 00:48:46 +0200 (CEST)
In-Reply-To: <790a9fff05081915323dc45ac6@mail.gmail.com>
References: <430659EF.2060202@udallas.edu> <790a9fff05081915323dc45ac6@mail.gmail.com>
Mime-Version: 1.0 (Apple Message framework v733)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Content-Transfer-Encoding: 7bit
From: Stefan Bethke
Date: Sun, 21 Aug 2005 00:47:54 +0200
To: Scot Hetzel
X-Mailer: Apple Mail (2.733)
Cc: FreeBSD Security, smalone@udallas.edu
Subject: Re: pam_radius fail open?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sat, 20 Aug 2005 22:48:49 -0000

On 20.08.2005 at 00:32, Scot Hetzel wrote:

> On 8/19/05, Sean P. Malone wrote:
>
>> $ cat /etc/pam.conf
>> #
>> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
>> #
>> # PAM configuration for the "sshd" service
>> #
>>
>> # auth
>>
>> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
>> #auth required pam_nologin.so no_warn
>>
>> Basically, it's an empty file as far as pam_radius knows.
>>
>
> I think you incorrectly configured your system; you should have edited
> the /etc/pam.d/sshd file and added the pam_radius entry in there as:
>
> auth required pam_radius.so -update -/usr/local/etc/radius
>
> When you created the /etc/pam.conf file, you told PAM to not look in
> the /etc/pam.d directory for config info for any of the services
> listed in /etc/pam.d. This caused it to not know how to authenticate
> any logins, which resulted in it allowing all logins.

I don't know what's wrong, but this explanation is not correct (on 6.0-BETA2). The man page states that /etc/pam.d/* information is consulted before /etc/pam.conf, and creating an empty /etc/pam.conf won't let me log in unless I enter a correct password.

My experience with pam has been too confusing to add any real insight. I'd hope that des@ would be able to comment properly...

Stefan

--
Stefan Bethke
Fon +49 170 346 0140
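The disagreement above turns on which policy file OpenPAM actually reads for a service and whether the resulting "auth" chain is empty. The POSIX sh script below is an added example, not code from the thread or from FreeBSD; it walks the search order documented in FreeBSD's pam.conf(5) (/etc/pam.d/<service>, then /etc/pam.conf, then the /usr/local/etc equivalents), prints the active auth lines for a service, and returns non-zero when every auth entry is commented out, which is the situation Sean's pasted /etc/pam.conf is in. The ROOT prefix argument, the function names and the constructed sample tree are assumptions made so it can run against a scratch directory instead of the live system; it does not model OpenPAM's fallback to the "other" policy.

```shell
#!/bin/sh
# Added example: report which PAM policy file OpenPAM would consult for a
# service and what its effective "auth" chain is.  ROOT is an assumed prefix
# so the functions can be exercised on a constructed tree rather than /etc.

# pam_policy_file SERVICE [ROOT]: print the first policy file in OpenPAM's
# documented search order, or return 1 if none exists.
pam_policy_file() {
    svc=$1; root=${2:-}
    for f in "$root/etc/pam.d/$svc" "$root/etc/pam.conf" \
             "$root/usr/local/etc/pam.d/$svc" "$root/usr/local/etc/pam.conf"; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# pam_auth_chain SERVICE [ROOT]: print the uncommented "auth" lines that apply
# to SERVICE from the file pam_policy_file selects; return 1 if that leaves
# an empty chain (nothing would ever ask for a credential).
pam_auth_chain() {
    svc=$1; root=${2:-}
    file=$(pam_policy_file "$svc" "$root") || return 1
    case $file in
        */pam.conf)
            # pam.conf lines carry the service name as their first field
            chain=$(awk -v s="$svc" '$1 !~ /^#/ && $1 == s && $2 == "auth"' "$file") ;;
        *)
            # pam.d/<service> lines start with the facility name
            chain=$(awk '$1 !~ /^#/ && $1 == "auth"' "$file") ;;
    esac
    [ -n "$chain" ] || return 1
    printf '%s\n' "$chain"
}

# Constructed demo tree (not a real system) reproducing the thread's setup:
# the only sshd rule lives in /etc/pam.conf and is commented out.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/etc/pam.d"
printf '#sshd auth required pam_radius.so -update -/usr/local/etc/radius\n' \
    > "$DEMO/etc/pam.conf"
if pam_auth_chain sshd "$DEMO"; then
    echo "sshd: auth chain active"
else
    echo "sshd: NO active auth modules in $(pam_policy_file sshd "$DEMO")"
fi

# Put the rule where OpenPAM looks first; pam.conf is then never consulted.
printf 'auth\trequired\tpam_radius.so\t-update -/usr/local/etc/radius\n' \
    > "$DEMO/etc/pam.d/sshd"
echo "sshd: now reading $(pam_policy_file sshd "$DEMO")"
pam_auth_chain sshd "$DEMO"
rm -rf "$DEMO"
```

Run it as-is to see the two states side by side, or call `pam_auth_chain sshd` with no ROOT on a FreeBSD host to inspect the live configuration; a non-zero exit is the condition to alarm on, since an auth chain with no modules is exactly what a "fail open" report should make you check first.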