Re: pam_radius fail open?
From: Scot Hetzel (swhetzel gmail.com)
Date: Fri Aug 19 2005 - 17:32:37 CDT
On 8/19/05, Sean P. Malone <smalone udallas.edu> wrote:
> $ cat /etc/pam.conf
> #
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> #
> # PAM configuration for the "sshd" service
> #
>
> # auth
>
> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
> #auth required pam_nologin.so no_warn
> Basically, it's an empty file as far as pam_radius knows.
>
I think you incorrectly configured your system; you should have edited
the /etc/pam.d/sshd file and added the pam_radius in there as:

    auth required pam_radius.so -update -/usr/local/etc/radius

When you created the /etc/pam.conf file, you told PAM to not look in
the /etc/pam.d directory for config info for any of the services
listed in /etc/pam.d. This caused it to not know how to authenticate
any logins, which resulted in it allowing all logins.

I believe this is also why you were able to log into your system with just a:

    ssh auth required pam_radius.so -update -/usr/local/etc/radius

in your /etc/pam.conf, as there was no entry for sshd in pam.conf.

Scot
--
DISCLAIMER:
No electrons were maimed while sending this message. Only slightly bruised.
_______________________________________________
freebsd-security
freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
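
An added example, not part of the original message and not code from pam_radius or FreeBSD: a small Python audit of a pam.conf-style policy that reports services left without an active auth rule, the situation discussed in this thread (every rule commented out, or a rule keyed to "ssh" when the service is "sshd"). The function names, the sample policy and the service list are constructed for illustration; whether PAM still consults /etc/pam.d when /etc/pam.conf exists depends on the PAM implementation and is not modeled here.

```python
"""Audit a pam.conf-style policy for services with no active auth rule."""

# Constructed sample mirroring the thread: the sshd rule is commented out
# and the only live rule is keyed to "ssh", not the "sshd" service.
SAMPLE_PAM_CONF = """\
# PAM configuration for the "sshd" service
#sshd auth required pam_radius.so -update -/usr/local/etc/radius
#auth required pam_nologin.so no_warn
ssh auth required pam_radius.so -update -/usr/local/etc/radius
"""
FACILITIES = {"auth", "account", "session", "password"}


def parse_pam_conf(text):
    """Return {service: {facility: [(control, module, args), ...]}}."""
    policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        # pam.conf format: service facility control module [args...]
        if len(fields) < 4 or fields[1].lower() not in FACILITIES:
            continue  # malformed line: carries no usable rule
        service, facility, control, module = fields[:4]
        policy.setdefault(service.lower(), {}).setdefault(
            facility.lower(), []).append((control, module, fields[4:]))
    return policy


def audit_auth(text, services):
    """Map each service to 'ok', 'fallback-other' or 'NO AUTH RULE'."""
    policy = parse_pam_conf(text)
    has_other = bool(policy.get("other", {}).get("auth"))  # default policy
    report = {}
    for svc in services:
        if policy.get(svc, {}).get("auth"):
            report[svc] = "ok"
        elif has_other:
            report[svc] = "fallback-other"
        else:
            report[svc] = "NO AUTH RULE"
    return report


if __name__ == "__main__":
    for svc, status in audit_auth(SAMPLE_PAM_CONF, ["sshd", "login"]).items():
        print(f"{svc}: {status}")
```

Run against the real file and the names found in /etc/pam.d, any service reported as NO AUTH RULE is one to test for fail-open behaviour before relying on the configuration.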