Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: pam_radius fail open?
From: Scot Hetzel (swhetzelgmail.com)
Date: Fri Aug 19 2005 - 17:32:37 CDT
On 8/19/05, Sean P. Malone <smaloneudallas.edu> wrote:
> $ cat /etc/pam.conf
> # $FreeBSD: src/etc/pam.d/sshd,v 1.15 2003/04/30 21:57:54 markm Exp $
> # PAM configuration for the "sshd" service
> # auth
> #sshd auth required pam_radius.so -update -/usr/local/etc/radius
> #auth required pam_nologin.so no_warn
> Basically, it's an empty file as far as pam_radius knows.
I think you incorrectly configured your system, you should have edited
the /etc/pam.d/sshd file and added the pam_radius in there as:
auth required pam_radius.so -update -/usr/local/etc/radius
When you created the /etc/pam.conf file, you told PAM to not look in
the /etc/pam.d directory for config info for any of the services
listed in /etc/pam.d. This caused it to not know how to authenticate
any logins, which resulted in it allowing all logins.
I believe this is also why you were able to log into your system with just a:
ssh auth required pam_radius.so -update -/usr/local/etc/radius
in your /etc/pam.conf, as there was no entry for sshd in pam.conf.
No electrons were mamed while sending this message. Only slightly bruised.
freebsd-securityfreebsd.org mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"